Zenable CLI Reference - Zenable Governance Platform

The native zenable CLI is the primary CLI and replaces the older zenable-mcp package. For legacy reference, see the zenable-mcp CLI Reference.

Quick Installation

curl -fsSL https://cli.zenable.app/install.sh | bash

For more installation options, see the Getting Started guide.

Overview

Zenable CLI - conformance checking, IDE management, and hook handling for agentic IDEs. The zenable CLI is the native Go binary that replaces the older Python-based zenable-mcp package.

Global Options

These options are available for all commands:

Option	Description
`-v`, `--verbose`	Enable verbose output (repeatable: `-v`, `-vv`)
`-h`, `--help`	Show help message

Commands

`install`

Install the Zenable integrations.

zenable install [OPTIONS] [COMMAND] [ARGS]...

Note: You can use unified commands like install cursor or install claude-code, or use subcommands like install mcp cursor and install hook claude-code. The unified commands are simpler and install all features.

Options

Option	Description
`-d`, `--dry-run`	Preview what would be done without actually performing the installation
`-p`, `--project`	Install in the project directory instead of globally
`--include TEXT`	Include only directories matching these glob patterns (e.g., `'*/microservice-'`)
`--exclude TEXT`	Exclude directories matching these glob patterns
`--all`	Install for all supported IDEs, even if not currently installed
`-h`, `--help`	Show help message

By default, zenable install installs globally so the integration is available across all your projects.

Want project-level installation? Run zenable install --project from inside a git repository to install only for that project. When using --project outside a git repository, the installer will present an interactive TUI to select which repositories to install into.

Subcommands

`install mcp`

Install Zenable MCP server configuration. Uses OAuth for secure authentication.

zenable install mcp [OPTIONS] COMMAND [ARGS]...

Additional options:

Option	Description
`--overwrite`	Overwrite existing Zenable configuration if it exists
`--no-instructions`	Don’t show post-installation instructions

Supported IDE commands:

all - Install MCP for all detected IDEs (default)
amp - Install MCP for Amp
antigravity - Install MCP for Antigravity
auggie (alias: augment) - Install MCP for Auggie
claude-code (alias: claude) - Install MCP for Claude Code
codex - Install MCP for Codex
continue - Install MCP for the Continue IDE*
copilot-cli - Install MCP for GitHub Copilot CLI
cursor - Install MCP for Cursor IDE and cursor-agent CLI
gemini - Install MCP for Gemini CLI
kiro - Install MCP for Kiro
roo - Install MCP for Roo Code
vscode - Install MCP for Visual Studio Code
windsurf - Install MCP for Windsurf IDE

`install hook`

Install hooks for various tools.

zenable install hook [OPTIONS] COMMAND [ARGS]...

Supported hook commands:

all - Install hooks for all supported tools
claude-code (alias: claude) - Install Claude Code hooks
cursor - Install Cursor hooks

Options

Option	Description
`--dry-run`	Preview what would be done without actually performing the installation
`--include TEXT`	Include only directories matching these glob patterns (e.g., `'*/microservice-'`)
`--exclude TEXT`	Exclude directories matching these glob patterns
`-h`, `--help`	Show help message

Examples

# Install globally for all detected IDEs (recommended)
zenable install

# Install for a specific IDE using unified command (recommended)
zenable install cursor
zenable install claude-code

# Install in the current project only
zenable install --project

# Preview what would be done without installing
zenable install --dry-run

# Advanced: Install only MCP (without hooks) for all detected IDEs
zenable install mcp

# Advanced: Install only MCP for a specific IDE
zenable install mcp cursor

# Advanced: Install only hooks
zenable install hook
zenable install hook claude-code
zenable install hook cursor

`uninstall`

Remove Zenable integrations from your system.

zenable uninstall [OPTIONS]

Launches an interactive TUI to select which integrations to remove.

Options

Option	Description
`-d`, `--dry-run`	Preview what would be done without actually performing the uninstall
`-p`, `--project`	Uninstall from the project directory instead of globally
`--all`	Uninstall from all IDEs without interactive selection
`-h`, `--help`	Show help message

`check`

Check the provided files against your conformance tests.

zenable check [OPTIONS] [PATTERNS]...

Automatically detects files from IDE context when no patterns are provided. Supports glob patterns like **/*.py to check all Python files recursively. Accepts piped input via stdin from git status --short or plain file lists. Files are processed in batches of 5 for optimal performance.

Arguments

PATTERNS: Glob patterns for files to check (e.g., '**/*.py', 'src/**/*.js')
- If no patterns are provided, auto-detects the last edited file, subject to filtering. Use --verbose for filtering details

Stdin

When input is piped to zenable check, it reads file paths from stdin. This supports:

git status --short output — status prefixes are automatically stripped, deleted files are skipped, and renames use the new path
Plain file lists — one file path per line

Options

Option	Description
`--exclude TEXT`	Patterns to exclude from checking
`--base-path DIRECTORY`	Base directory for pattern matching (defaults to current directory)
`--branch`	Check all files changed on the current branch compared to the base branch
`--base-branch TEXT`	Base branch to compare against when using `--branch` (default: `$ZENABLE_CHECK_BASE_BRANCH` or `main`)
`--dry-run`	Show which files would be sent without actually checking them
`--format TEXT`	Output format(s): `text`, `json`, `sarif`, or `html`. Supports multiple formats and file paths (e.g. `text,sarif=results.sarif`). Default: `text`
`--skip-ai-review`	Skip AI review (overrides config and env var)
`--skip-semgrep`	Skip semgrep guardrails (overrides config and env var)
`-h`, `--help`	Show help message

Configuration

The check command supports configuration via environment variables:

Environment Variable	Description	Default
`ZENABLE_CHECK_BASE_BRANCH`	Default base branch to compare against when using `--branch`	`main`

Example

# Set default base branch to develop
export ZENABLE_CHECK_BASE_BRANCH=develop

# Now --branch uses develop instead of main
zenable check --branch

# CLI option still overrides env var
zenable check --branch --base-branch feature/base

Examples

# Check a single file
zenable check example.py

# Check all Python files recursively
zenable check '**/*.py'

# Check multiple patterns
zenable check 'src/**/*.js' 'tests/**/*.js'

# Pipe git status to check modified/untracked files
git status --short | zenable check

# Pipe a file list from any command
find src -name '*.py' | zenable check

# Exclude test files from checking
zenable check '**/*.py' --exclude '**/test_*.py'

# Specify base directory for pattern matching
zenable check '*.py' --base-path ./src

# Check all files changed on current branch compared to main
zenable check --branch

# Check all files changed on current branch compared to develop
zenable check --branch --base-branch develop

# Check only Python src files changed on current branch
zenable check --branch '**/*.py' --exclude '**/test_*.py'

# Dry run to see which files would be checked
zenable check '**/*.py' --dry-run

# Output results in SARIF format to a file (e.g. for CI integration)
zenable check '**/*.py' --format sarif=results.sarif

# Output results in JSON format to a file
zenable check '**/*.py' --format json=results.json

# Output text to terminal and write SARIF + JSON to files
zenable check '**/*.py' --format text,sarif=results.sarif,json=results.json

# Output HTML report to a file
zenable check '**/*.py' --format html=report.html

# Output multiple formats to stdout
zenable check '**/*.py' --format sarif,json

# Skip AI review and only run semgrep guardrails
zenable check '**/*.py' --skip-ai-review

`hook`

Handle calls from the hooks of Agentic IDEs.

zenable hook [OPTIONS]

This command is specifically designed for IDE integrations like Claude Code and Cursor. It reads hook input from stdin, processes the files, and returns appropriate exit codes and formatted responses for the IDE to handle. To manually run a scan, use the check command instead.

Options

Option	Description
`-h`, `--help`	Show help message

Reverted files are not reviewed. When an agent modifies a file and then reverts it back to match the base branch (e.g., via git checkout), the hook will report “No files to process” because there is no net change compared to the base branch. This is expected behavior — Zenable reviews the diff, not individual edits, so if the final state matches what’s already on the base branch, there’s nothing new to review.

Authenticate with Zenable via OAuth.

zenable login

Opens a browser to complete the OAuth authentication flow. Credentials are cached locally for future commands. If already authenticated, skips re-authentication.

`logout`

Clear local OAuth credentials.

zenable logout [OPTIONS]

Options

Option	Description
`--all`	Also open Auth0 logout in browser to end remote session

`sync`

Sync guardrails from Zenable to local disk.

zenable sync

Downloads and caches semgrep guardrails locally for faster conformance checks. Uses ETag-based caching to avoid re-downloading unchanged guardrails. Requires authentication.

`logs`

View zenable logs.

zenable logs [OPTIONS]

Options

Option	Description
`-f`, `--follow`	Follow log output (like `tail -f`)
`-r`, `--raw`	Show raw log entries instead of just messages
`-n`, `--lines INTEGER`	Number of lines to show (from end of file, default: 50)
`--clear`	Clear the log file (cannot be used with other options)
`-h`, `--help`	Show help message

Examples

# View recent logs
zenable logs

# Follow logs in real-time
zenable logs --follow

# Show last 50 lines
zenable logs -n 50

# Clear logs
zenable logs --clear

`doctor`

Diagnose and troubleshoot installation and client issues.

zenable doctor

Displays diagnostic information including OS details, terminal environment, Zenable environment variables (sensitive values redacted), dependency status, authentication state, and recent log entries.

`version`

Show the zenable version.

zenable version

Will also notify you if an update is available.

Configuration Files

MCP Server Configuration

The tool creates MCP server configuration in IDE-specific locations, appropriate for that individual IDE. For instance:

{
  "mcpServers": {
    "zenable": {
      "type": "http",
      "url": "https://mcp.zenable.app/"
    }
  }
}

Hook Configuration (Claude Code)

Hooks are configured in Claude Code settings (.claude/settings.json):

{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "zenable hook"
          }
        ]
      }
    ]
  }
}

Hook Configuration (Cursor)

Hooks are configured in Cursor hooks file (.cursor/hooks.json):

{
  "version": 1,
  "hooks": {
    "afterFileEdit": [
      {
        "command": "zenable hook"
      }
    ]
  }
}

Exit Codes

Code	Meaning
0	Success
2	Conformance issues found
3	Handler conflict
4	No hook input
12	No files specified
13	No files found
14	File read error
15	Invalid parameters
16	File write error
20	API error
21	Authentication error
51	Installation error
52	Partial success
130	User interrupt

File Patterns

Glob Pattern Examples

# All Python files recursively
'**/*.py'

# Multiple extensions
'**/*.{js,ts,jsx,tsx}'

# Specific directory
'src/**/*.py'

# All files in current directory
'*'

# All files recursively
'**/*'

# Specific depth
'*/*.py'  # One level deep
'*/*/*.py'  # Two levels deep

Common Exclusions

# Python
--exclude '**/{__pycache__,venv,.venv,migrations}/**'

# JavaScript/Node
--exclude '**/{node_modules,dist,build,.next}/**'

# General
--exclude '.git/**'
--exclude '**/*.min.js'
--exclude '**/*.map'
--exclude '**/vendor/**'

Troubleshooting

Debug Mode

Enable debug output for troubleshooting:

# Maximum verbosity
zenable -vv install

# Run a check with verbose output
zenable -v check '**/*.py'

# View debug logs
zenable logs --lines 100

# Run diagnostics
zenable doctor

Dry Run Mode

Preview changes without applying:

# Preview installation
zenable install --dry-run

# Preview with specific IDE
zenable install mcp cursor --dry-run

*Continue users may experience issues until Continue adds support for streamable HTTP.

Overview

Integrations

Guardrails Engines

IDE Installation Guides

Deprecated IDEs

Tools & Reference

Use Cases

​Quick Installation

​Overview

​Global Options

​Commands

​install

​Options

​Subcommands

install mcp

install hook

Options

​Examples

​uninstall

​Options

​check

​Arguments

​Stdin

​Options

​Configuration

Example

​Examples

​hook

​Options

​login

​logout

​Options

​sync

​logs

​Options

​Examples

​doctor

​version

​Configuration Files

​MCP Server Configuration

​Hook Configuration (Claude Code)

​Hook Configuration (Cursor)

​Exit Codes

​File Patterns

​Glob Pattern Examples

​Common Exclusions

​Troubleshooting

​Debug Mode

​Dry Run Mode

​See Also

Quick Installation

Overview

Global Options

Commands

`install`

Options

Subcommands

`install mcp`

`install hook`

Examples

`uninstall`

Options

`check`

Arguments

Stdin

Options

Configuration

Examples

`hook`

Options

`login`

`logout`

Options

`sync`

`logs`

Options

Examples

`doctor`

`version`

Configuration Files

MCP Server Configuration

Hook Configuration (Claude Code)

Hook Configuration (Cursor)

Exit Codes

File Patterns

Glob Pattern Examples

Common Exclusions

Troubleshooting

Debug Mode

Dry Run Mode

See Also