Igris CLI

The Igris CLI is your terminal interface for MCP governance. It scans configs for security issues, sets up the Igris proxy with one command, monitors sessions, and manages policies — all from the terminal.

Installation

bun add -g @igris/cli

Or run directly without installing:

bunx igris scan --auto

Commands

Run igris with no subcommand to open the interactive menu:

igris

The menu offers four options:

Setup proxy for MCP servers — discover, scan, and proxy your MCP configs
Scan configs for security issues — run the scanner across all configs
View sessions & status — see active sessions and recent events
Manage policies — view governance policies

Authenticate with your Igris API key:

# Interactive login — prompts for API key and URL
igris login

# Check current identity
igris whoami

# Remove stored credentials
igris logout

Credentials are stored in ~/.igris/credentials.json.

`init`

Interactive proxy setup wizard. Discovers MCP configs, scans them, registers servers, and rewrites configs to route through the Igris proxy.

# Interactive mode — prompts for selection
igris init

# Non-interactive — proxy all discovered network servers
igris init --yes

The wizard:

Checks authentication (prompts for API key if needed)
Discovers MCP configs across 42+ locations
Runs a security scan on selected configs
Identifies which servers can be proxied (skips stdio servers)
Detects already-proxied servers (no double-proxying)
Registers servers with the Igris API
Backs up original configs to ~/.igris/backups/
Rewrites configs with proxy URLs

`status`

Show active sessions and recent audit events:

igris status

`policy list` / `policy get`

View governance policies from the CLI:

# List all policies
igris policy list

# Show details for a specific policy
igris policy get <policy-id>

`proxy uninstall`

Restore original MCP configs from a backup:

igris proxy uninstall

Lists available backups (newest first), lets you select one, and restores the original config files. Optionally removes registered servers from the Igris API.

`scan`

Scan one or more MCP configuration files.

# Scan a specific file
igris scan ~/.claude/claude_desktop_config.json

# Auto-discover and scan all known config locations
igris scan --auto

# JSON output for CI/CD
igris scan --format json --json-pretty

# Only show high and above
igris scan --severity high

# Fail CI if critical findings exist
igris scan --fail-on critical

# Disable specific rules
igris scan --disable AG-CRD-002,AG-VER-004

# Use a config file
igris scan --config .igrisrc

Options:

Flag	Default	Description
`[path]`	auto	Path to MCP config file
`--format`	`table`	Output format: `table`, `json`, `sarif`
`--severity`	`low`	Minimum severity to show
`--fail-on`	`high`	Exit code 1 if findings at this level or above
`--verbose`	`false`	Show full details and remediation text
`--no-color`	`false`	Disable ANSI colored output
`--auto`	`false`	Auto-discover all known config locations
`--json-pretty`	`false`	Pretty-print JSON output
`--config`	auto	Path to `.igrisrc` config file
`--disable`	—	Comma-separated rule IDs to skip
`--no-banner`	`false`	Suppress upgrade nudge banner

`rules list`

List all available detection rules.

# All rules
igris rules list

# Filter by severity
igris rules list --severity high

# Filter by detector
igris rules list --detector credential-scanner

`rules info`

Show details for a specific rule.

igris rules info AG-CRD-001

Output includes the rule title, severity, description, detector, and references (CWE/OWASP links).

Auto-Discovery

When you run igris scan --auto, the CLI checks 42 known config locations across all major MCP clients:

Client	Config Locations
Claude Desktop	`~/.claude/claude_desktop_config.json`
Claude Code	`~/.claude.json`, `~/.claude/settings.json`, `.mcp.json`
Cursor	`~/.cursor/mcp.json`
Windsurf	`~/.config/windsurf/mcp.json`, `~/.codeium/windsurf/mcp_config.json`
VS Code	`.vscode/mcp.json`, `~/Library/Application Support/Code/User/mcp.json`
Zed	`~/.zed/settings.json`, `~/.config/zed/settings.json`
Gemini CLI	Gemini-specific config paths
Amazon Q	Amazon Q CLI config paths
JetBrains	IDE-specific MCP config
Others	OpenCode, Amp, Kilo Code, Roo Code, Cline, Augment, Copilot CLI
Generic	`mcp.json`, `mcp-config.json`

The CLI automatically detects the config format (Claude Desktop, Cursor, VS Code, etc.) and normalizes it before scanning.

Output Formats

Table (default)

Color-coded terminal output with a findings table and summary:

Igris Security Scan
Score: 4.0/10 (Grade: D)

┌──────────┬───────────┬──────────┬──────────────────────────────┐
│ Server   │ Field     │ Severity │ Title                        │
├──────────┼───────────┼──────────┼──────────────────────────────┤
│ my-db    │ env.TOKEN │ Critical │ Hardcoded API key detected   │
│ my-db    │ command   │ High     │ Shell wrapper command        │
└──────────┴───────────┴──────────┴──────────────────────────────┘

2 findings (1 critical, 1 high)

JSON

Machine-readable output for CI/CD pipelines:

{
  "score": 4.0,
  "grade": "D",
  "findings": [
    {
      "id": "AG-CRD-001-1",
      "detectorId": "credential-scanner",
      "severity": "critical",
      "title": "Hardcoded API key detected",
      "serverName": "my-db",
      "location": { "server": "my-db", "field": "env.TOKEN" },
      "remediation": "Use environment variable reference instead"
    }
  ],
  "metadata": { "version": "0.1.0", "detectorsRun": 10 }
}

SARIF

SARIF 2.1 format for integration with GitHub Code Scanning, Azure DevOps, and other SARIF-compatible tools:

igris scan --format sarif > results.sarif

Exit Codes

Code	Meaning
`0`	No findings at or above `--fail-on` level
`1`	Findings detected at or above `--fail-on` level
`2`	CLI error (missing file, bad config, unknown rule)

Configuration File

Create an .igrisrc file in your project root (or any ancestor directory) to set default options:

{
  "severity": "medium",
  "format": "table",
  "fail-on": "high",
  "verbose": false,
  "rules": {
    "disabled": ["AG-VER-004", "AG-AUDIT-002"],
    "config": {
      "AG-CRD-001": { "severity": "low" }
    }
  },
  "suppressions": [
    {
      "rule": "AG-CRD-002",
      "serverName": "dev-server",
      "reason": "Known false positive — test credential",
      "expires": "2026-12-31"
    }
  ]
}

Configuration priority (highest to lowest):

CLI flags (--severity, --disable, etc.)
.igrisrc file
Default values

CI/CD Integration

GitHub Actions

- name: Scan MCP configs
  run: bunx igris scan --auto --format sarif --fail-on high > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Pre-commit Hook

#!/bin/sh
bunx igris scan .mcp.json --fail-on high --no-banner

Getting Started

LLM Gateway

SDK & Gateway

MCP Governance

API

Igris Scanner

CLI

Igris CLI

Installation

Commands

`igris` (Interactive Menu)

`init`

`status`

`policy list` / `policy get`

`proxy uninstall`

`scan`

`rules list`

`rules info`

Auto-Discovery

Output Formats

Table (default)

JSON

SARIF

Exit Codes

Configuration File

CI/CD Integration

GitHub Actions

Pre-commit Hook

Getting Started

LLM Gateway

SDK & Gateway

MCP Governance

API

Igris Scanner

Documentation Index

​Igris CLI

​Installation

​Commands

​igris (Interactive Menu)

​login / logout / whoami

​init

​status

​policy list / policy get

​proxy uninstall

​scan

​rules list

​rules info

​Auto-Discovery

​Output Formats

​Table (default)

​JSON

​SARIF

​Exit Codes

​Configuration File

​CI/CD Integration

​GitHub Actions

​Pre-commit Hook

Igris CLI

Installation

Commands

`igris` (Interactive Menu)

`login` / `logout` / `whoami`

`init`

`status`

`policy list` / `policy get`

`proxy uninstall`

`scan`

`rules list`

`rules info`

Auto-Discovery

Output Formats

Table (default)

JSON

SARIF

Exit Codes

Configuration File

CI/CD Integration

GitHub Actions

Pre-commit Hook