# CLI Reference Full command reference for `vmware-harden`. Source of truth: `vmware_harden/cli/`. The CLI is a Typer app with six top-level command groups: `scan`, `report`, `baseline`, `drift`, `advise`, `web`. Run `vmware-harden --help` for the auto-generated overview. ## scan Run a compliance scan against a target. The scan loads the baseline, collects evidence via the upstream `vmware-aiops` collectors, evaluates rules, persists the snapshot to the Twin DuckDB, and computes drift versus the previous snapshot for the same target. ### Synopsis ```bash vmware-harden scan --target [--baseline ] [--db ] ``` ### Options | Flag | Description | Default | |------|-------------|---------| | `--target` | vCenter target name from upstream `vmware-aiops` config. | (required) | | `--baseline` | Built-in or imported baseline id. | `cis-vmware-esxi-8.0-subset` | | `--db` | Twin DuckDB path. | `~/.vmware-harden/twin.duckdb` | ### Examples ```bash # Default CIS subset vmware-harden scan --target lab-vc01 # 等保 2.0 三级 against production vmware-harden scan --target prod-vc --baseline dengbao-2.0-level3-vmware # Custom DB path (e.g. CI artifact) vmware-harden scan --target lab-vc01 --db /tmp/ci-twin.duckdb ``` The scan prints one line per collector with the count of entities gathered, then the total violation count. Drift events versus the prior snapshot are persisted automatically when a previous snapshot exists for the same `--target`. ## report Show the most recent snapshot's violations. ### Synopsis ```bash vmware-harden report [--db ] [--format text|json] ``` ### Options | Flag | Description | Default | |------|-------------|---------| | `--db` | Twin DuckDB path. | `~/.vmware-harden/twin.duckdb` | | `--format` | Output format — `text` or `json`. | `text` | > HTML rendering is **not** a CLI flag; use `vmware-harden web` for the > rendered dashboard. ### Examples ```bash vmware-harden report vmware-harden report --format json > violations.json ``` If no scans have run yet, the command prints a hint to run `vmware-harden scan` first and exits 0. ## baseline Manage compliance baselines. Built-ins ship inside the package; user imports live under `~/.vmware-harden/baselines/`. ### baseline list ```bash vmware-harden baseline list ``` Prints one baseline id per line (built-ins + imports). No options. ### baseline validate Validate a YAML file against the baseline schema **without** importing. ```bash vmware-harden baseline validate ``` | Argument | Description | |----------|-------------| | `path` | YAML file to validate. | Exit codes: `0` ok, `1` validation error, `2` file not found. ### baseline import Validate, then copy a YAML file into `~/.vmware-harden/baselines/`. Invalid files are never persisted. ```bash vmware-harden baseline import [--name ] ``` | Flag | Description | Default | |------|-------------|---------| | `path` | YAML file to import. | (required, positional) | | `--name` | Override destination filename stem. | source filename stem | ### Examples ```bash vmware-harden baseline list vmware-harden baseline validate ./my-corp.yaml vmware-harden baseline import ./my-corp.yaml --name corp-prod ``` ## drift Show drift events from the most recent snapshot relative to its prior snapshot for the same target. (Drift is computed and persisted by `scan`; this command only renders.) ### Synopsis ```bash vmware-harden drift [--db ] [--format text|json] ``` ### Options | Flag | Description | Default | |------|-------------|---------| | `--db` | Twin DuckDB path. | `~/.vmware-harden/twin.duckdb` | | `--format` | `text` or `json`. | `text` | ### Examples ```bash vmware-harden drift vmware-harden drift --format json | jq '.[] | select(.field == "ntp.servers")' ``` If no scans exist, the command prints a hint and exits 0. If no drift was detected versus the prior snapshot, it prints `No drift detected since previous snapshot.` ## advise Generate LLM-driven remediation suggestions for one or all critical violations of the latest snapshot. Persists each suggestion to the Twin so `report` / `get_remediation` can return it later. ### Synopsis ```bash vmware-harden advise (--violation-id | --all-critical) [--db ] ``` ### Options | Flag | Description | Default | |------|-------------|---------| | `--violation-id` | Single violation id to advise on. | — | | `--all-critical` | Advise on every `severity=critical` violation in the latest snapshot. | `false` | | `--db` | Twin DuckDB path. | `~/.vmware-harden/twin.duckdb` | You must pass exactly one of `--violation-id` or `--all-critical`; otherwise the command exits 2. ### LLM provider selection | Condition | Provider | |-----------|----------| | `ANTHROPIC_API_KEY` is set | `AnthropicProvider` (real LLM) | | `ANTHROPIC_API_KEY` is unset | `MockProvider` with a deterministic canned response, plus a stderr warning | ### Examples ```bash export ANTHROPIC_API_KEY=sk-ant-... vmware-harden advise --violation-id v-cis-1.1.1-host-esxi-01 # Bulk advise everything critical vmware-harden advise --all-critical ``` ## web Serve the FastAPI + Jinja2 read-only dashboard via uvicorn. ### Synopsis ```bash vmware-harden web [--db ] [--host ] [--port ] ``` ### Options | Flag | Description | Default | |------|-------------|---------| | `--db` | Twin DuckDB path. | `~/.vmware-harden/twin.duckdb` | | `--host` | Bind address. | `127.0.0.1` | | `--port` | Bind port. | `8080` | ### Examples ```bash vmware-harden web # http://127.0.0.1:8080/ vmware-harden web --host 0.0.0.0 --port 9000 ``` Exits 1 with a message if the Twin DuckDB does not exist; run a scan first. ## MCP server entry point Registered as a separate console script: ```bash vmware-harden-mcp # FastMCP stdio server (used by MCP clients) ``` Configure your MCP client to spawn `vmware-harden-mcp` directly. See `references/setup-guide.md` for full client configurations.