Skip to main content

Igris CLI

The Igris CLI is your terminal interface for MCP governance. It scans configs for security issues, sets up the Igris proxy with one command, monitors sessions, and manages policies — all from the terminal.

Installation

bun add -g @igris/cli
Or run directly without installing: 
bunx igris scan --auto

Commands

igris (Interactive Menu)

Run igris with no subcommand to open the interactive menu: 
igris
The menu offers four options:
  1. Setup proxy for MCP servers — discover, scan, and proxy your MCP configs
  2. Scan configs for security issues — run the scanner across all configs
  3. View sessions & status — see active sessions and recent events
  4. Manage policies — view governance policies

login / logout / whoami

Authenticate with your Igris API key: 
# Interactive login — prompts for API key and URL
igris login

# Check current identity
igris whoami

# Remove stored credentials
igris logout
Credentials are stored in ~/.igris/credentials.json.

init

Interactive proxy setup wizard. Discovers MCP configs, scans them, registers servers, and rewrites configs to route through the Igris proxy. 
# Interactive mode — prompts for selection
igris init

# Non-interactive — proxy all discovered network servers
igris init --yes
The wizard:
  1. Checks authentication (prompts for API key if needed)
  2. Discovers MCP configs across 42+ locations
  3. Runs a security scan on selected configs
  4. Identifies which servers can be proxied (skips stdio servers)
  5. Detects already-proxied servers (no double-proxying)
  6. Registers servers with the Igris API
  7. Backs up original configs to ~/.igris/backups/
  8. Rewrites configs with proxy URLs

status

Show active sessions and recent audit events: 
igris status

policy list / policy get

View governance policies from the CLI: 
# List all policies
igris policy list

# Show details for a specific policy
igris policy get <policy-id>

proxy uninstall

Restore original MCP configs from a backup: 
igris proxy uninstall
Lists available backups (newest first), lets you select one, and restores the original config files. Optionally removes registered servers from the Igris API.

scan

Scan one or more MCP configuration files. 
# Scan a specific file
igris scan ~/.claude/claude_desktop_config.json

# Auto-discover and scan all known config locations
igris scan --auto

# JSON output for CI/CD
igris scan --format json --json-pretty

# Only show high and above
igris scan --severity high

# Fail CI if critical findings exist
igris scan --fail-on critical

# Disable specific rules
igris scan --disable AG-CRD-002,AG-VER-004

# Use a config file
igris scan --config .igrisrc
Options:
FlagDefaultDescription
[path]autoPath to MCP config file
--formattableOutput format: table, json, sarif
--severitylowMinimum severity to show
--fail-onhighExit code 1 if findings at this level or above
--verbosefalseShow full details and remediation text
--no-colorfalseDisable ANSI colored output
--autofalseAuto-discover all known config locations
--json-prettyfalsePretty-print JSON output
--configautoPath to .igrisrc config file
--disableComma-separated rule IDs to skip
--no-bannerfalseSuppress upgrade nudge banner

rules list

List all available detection rules. 
# All rules
igris rules list

# Filter by severity
igris rules list --severity high

# Filter by detector
igris rules list --detector credential-scanner

rules info

Show details for a specific rule. 
igris rules info AG-CRD-001
Output includes the rule title, severity, description, detector, and references (CWE/OWASP links).

Auto-Discovery

When you run igris scan --auto, the CLI checks 42 known config locations across all major MCP clients:
ClientConfig Locations
Claude Desktop~/.claude/claude_desktop_config.json
Claude Code~/.claude.json, ~/.claude/settings.json, .mcp.json
Cursor~/.cursor/mcp.json
Windsurf~/.config/windsurf/mcp.json, ~/.codeium/windsurf/mcp_config.json
VS Code.vscode/mcp.json, ~/Library/Application Support/Code/User/mcp.json
Zed~/.zed/settings.json, ~/.config/zed/settings.json
Gemini CLIGemini-specific config paths
Amazon QAmazon Q CLI config paths
JetBrainsIDE-specific MCP config
OthersOpenCode, Amp, Kilo Code, Roo Code, Cline, Augment, Copilot CLI
Genericmcp.json, mcp-config.json
The CLI automatically detects the config format (Claude Desktop, Cursor, VS Code, etc.) and normalizes it before scanning.

Output Formats

Table (default)

Color-coded terminal output with a findings table and summary: 
Igris Security Scan
Score: 4.0/10 (Grade: D)

┌──────────┬───────────┬──────────┬──────────────────────────────┐
│ Server   │ Field     │ Severity │ Title                        │
├──────────┼───────────┼──────────┼──────────────────────────────┤
│ my-db    │ env.TOKEN │ Critical │ Hardcoded API key detected   │
│ my-db    │ command   │ High     │ Shell wrapper command        │
└──────────┴───────────┴──────────┴──────────────────────────────┘

2 findings (1 critical, 1 high)

JSON

Machine-readable output for CI/CD pipelines: 
{
  "score": 4.0,
  "grade": "D",
  "findings": [
    {
      "id": "AG-CRD-001-1",
      "detectorId": "credential-scanner",
      "severity": "critical",
      "title": "Hardcoded API key detected",
      "serverName": "my-db",
      "location": { "server": "my-db", "field": "env.TOKEN" },
      "remediation": "Use environment variable reference instead"
    }
  ],
  "metadata": { "version": "0.1.0", "detectorsRun": 10 }
}

SARIF

SARIF 2.1 format for integration with GitHub Code Scanning, Azure DevOps, and other SARIF-compatible tools: 
igris scan --format sarif > results.sarif

Exit Codes

CodeMeaning
0No findings at or above --fail-on level
1Findings detected at or above --fail-on level
2CLI error (missing file, bad config, unknown rule)

Configuration File

Create an .igrisrc file in your project root (or any ancestor directory) to set default options: 
{
  "severity": "medium",
  "format": "table",
  "fail-on": "high",
  "verbose": false,
  "rules": {
    "disabled": ["AG-VER-004", "AG-AUDIT-002"],
    "config": {
      "AG-CRD-001": { "severity": "low" }
    }
  },
  "suppressions": [
    {
      "rule": "AG-CRD-002",
      "serverName": "dev-server",
      "reason": "Known false positive — test credential",
      "expires": "2026-12-31"
    }
  ]
}
Configuration priority (highest to lowest):
  1. CLI flags (--severity, --disable, etc.)
  2. .igrisrc file
  3. Default values

CI/CD Integration

GitHub Actions

- name: Scan MCP configs
  run: bunx igris scan --auto --format sarif --fail-on high > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Pre-commit Hook

#!/bin/sh
bunx igris scan .mcp.json --fail-on high --no-banner