CLI to interact with Kondukto

KDT

KDT is a command line client for Kondukto written in Go. It interacts with the Kondukto engine through the public API.

With KDT, you can list projects and their scans in Kondukto, and restart a scan with a specific application security tool. KDT is also easy to use in CI/CD pipelines to trigger scans and break releases if a scan fails or the scan results don't meet the specified release criteria.

What is Kondukto?

Kondukto is an Application Security Testing Orchestration platform that centralizes and automates your AppSec-related vulnerability management process. It provides an interface where the security health of applications can be continuously monitored, and a command line interface through which AppSec operations can be integrated into DevOps pipelines, so that AppSec processes can be managed automatically with ease.

Installation

You can install the CLI with a curl utility script or by downloading the pre-compiled binary from the GitHub release page. Once installed you'll get the kdt-cli command and the kdt alias. Keep in mind that piping a remote script into sh executes whatever the server returns, and with sudo it does so as root; if your environment requires it, download the script, review it, and run it from disk instead.

Utility script with curl:

$ curl -sSL https://cli.kondukto.io | sudo sh

Non-root with curl:

$ curl -sSL https://cli.kondukto.io | sh

Windows

To install the kdt-cli on Windows go to Releases and download the latest kdt-cli.exe.

Or you can also simply run the following if you have an existing Go environment:

go get github.com/kondukto-io/kdt

If you want to build it yourself, clone the source from GitHub, change into the kdt directory and run:

git clone https://github.com/kondukto-io/kdt.git
cd kdt
go install

Configuration

KDT needs the Kondukto host address and an API token for authentication. API tokens can be created under the Integrations/API Tokens menu.

You can provide configuration by:

1) Setting environment variables:

(the example is for a Bash shell)

$ export KONDUKTO_HOST=http://localhost:8080
$ export KONDUKTO_TOKEN=WmQ2eHFDRzE3elplN0ZRbUVsRDd3VnpUSHk0TmF6Uko5OGlyQ1JvR2JOOXhoWEFtY2ZrcDJZUGtrb2tV

For interactive use it is convenient to set these variables in a shell profile file (~/.bashrc, ~/.zshrc, ~/.profile etc.); note that this stores the token in plain text under your home directory. In CI/CD pipelines, inject KONDUKTO_TOKEN from the pipeline's secret store rather than hard-coding it in the pipeline definition.

2) Providing a configuration file.

Default path for config file is $HOME/.kdt.yaml. Another file can be provided with --config command line flag.

# $HOME/.kdt.yaml
host: http://localhost:8088
token: WmQ2eHFDRzE3elplN0ZRbUVsRDd3VnpUSHk0TmF6Uko5OGlyQ1JvR2JOOXhoWEFtY2ZrcDJZUGtrb2tV

Since the file holds a bearer token, restrict it to your own user (for example chmod 600 $HOME/.kdt.yaml) and keep it out of version control.

3) Using command line flags

kdt list projects --host http://localhost:8088 --token WmQ2eHFDRzE3elplN0ZRbUVsRDd3VnpUSHk0TmF6Uko5OGlyQ1JvR2JOOXhoWEFtY2ZrcDJZUGtrb2tV

Passing the token as a flag leaves it in shell history and makes it visible in process listings on the host, so prefer the environment variable or the configuration file for anything beyond a quick one-off command.

Running

Most KDT commands are straightforward.

To list projects: kdt list projects

To list scans of a project: kdt list scans -p ExampleProject

To restart a scan, you can use one of the following:

  • id of the scan: kdt scan -s 5da6cafa5ab6e436faf643dc

  • project and tool names: kdt scan -p ExampleProject -t ExampleTool

To restart a scan on a specific branch of a project (the -b flag; here master): kdt scan -p ExampleProject -t ExampleTool -b master

Command Line Flags

KDT has several helpful flags to manage scans.

Global flags

The following flags are valid for all KDT commands.

--host: HTTP(S) address of the Kondukto server, including the port

--token: API token generated by Kondukto

--config: Configuration file to use instead of the default one ($HOME/.kdt.yaml)

--async: Starts an asynchronous scan that does not block the process waiting for the scan to finish. KDT exits gracefully as soon as the scan has been started successfully.

--insecure: If provided, the client skips verification of the server's certificate and host name. In this mode the TLS connection is susceptible to man-in-the-middle attacks, and an attacker on the path can read the API token sent with every request. Not recommended unless you really know what you are doing!

-v or --verbose: Prints more detailed logs. Useful for debugging.

Scan Commands Flags

The following flags are only valid for scan commands.

-p or --project for providing project name or id

-t or --tool for providing tool name

-s or --scan-id for providing scan id

-b or --branch for providing branch to scan

Threshold flags

These flags set the maximum number of vulnerabilities of the given severity that will be tolerated. If a threshold is crossed, KDT exits with a non-zero status code, which is what breaks the release in a CI/CD pipeline.

--threshold-crit

--threshold-high

--threshold-med

--threshold-low

--threshold-risk fails the run if the scan produces a higher risk score than the previous scan's risk score. This is useful for keeping a project's security level under control: if it is used with every scan in a DevOps pipeline, the project's risk score can never increase without failing the pipeline.

The risk threshold only considers the last two scans made with the same tool. If the project does not yet have a scan with that tool, KDT fails, since it has no earlier risk score to compare against.

Threshold flags do not work together with the --async flag, since KDT exits as soon as the scan has started and is not able to check the scan results.

Example Usage:

kdt scan -p SampleProject -t SampleTool --threshold-crit 3 --threshold-high 10 --threshold-risk
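The following is an added example of how a release gate around kdt can be written for a CI job; it is not code from the KDT project. It relies only on behaviour described above: kdt reads KONDUKTO_HOST and KONDUKTO_TOKEN from the environment, exits non-zero when a threshold is crossed, and does not evaluate thresholds under --async. The variables KDT_BIN, KDT_EXTRA_FLAGS and KDT_ALLOW_INSECURE are knobs of this script (assumed names, not kdt flags); KDT_BIN exists so the gate can be exercised against a stub command without a Kondukto server. The gate validates threshold values, refuses to run when the token is missing from the environment, when --async is combined with thresholds, or when --insecure is present without an explicit opt-in, and then propagates kdt's exit status to the pipeline.

```sh
#!/bin/sh
# Added example, not part of the KDT project: a CI gate that wraps `kdt scan`
# with threshold flags and turns kdt's exit status into a pipeline verdict.
# Assumed knobs of this script (not kdt flags): KDT_BIN (command to run,
# default kdt), KDT_EXTRA_FLAGS (extra global flags), KDT_ALLOW_INSECURE.

: "${KDT_BIN:=kdt}"
: "${KDT_EXTRA_FLAGS:=}"

# is_uint VALUE: succeeds when VALUE is a non-negative integer.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_gate_args PROJECT TOOL BRANCH CRIT HIGH MED LOW RISK
# Prints the argument list for `kdt scan`. Empty thresholds are omitted,
# RISK=yes adds --threshold-risk, and a non-numeric threshold is an error
# so that a typo cannot silently turn the gate off. Names must not contain
# whitespace because the list is word-split when executed.
build_gate_args() {
    project=$1; tool=$2; branch=$3
    crit=$4; high=$5; med=$6; low=$7; risk=$8
    args="scan -p $project -t $tool"
    if [ -n "$branch" ]; then args="$args -b $branch"; fi
    for pair in "crit=$crit" "high=$high" "med=$med" "low=$low"; do
        flag=${pair%%=*}
        value=${pair#*=}
        if [ -z "$value" ]; then continue; fi
        if ! is_uint "$value"; then
            echo "gate: invalid --threshold-$flag value '$value'" >&2
            return 1
        fi
        args="$args --threshold-$flag $value"
    done
    if [ "$risk" = yes ]; then args="$args --threshold-risk"; fi
    printf '%s\n' "$args"
}

# has_flag FLAG: succeeds when FLAG appears in KDT_EXTRA_FLAGS.
has_flag() {
    case " $KDT_EXTRA_FLAGS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_gate PROJECT TOOL BRANCH CRIT HIGH MED LOW RISK
# Returns 2 when the gate itself is misconfigured, otherwise kdt's own exit
# status, so a crossed threshold (non-zero) fails the CI job.
run_gate() {
    # The token must come from the environment (the CI secret store), never
    # from argv, where it would land in shell history and process listings.
    if [ -z "${KONDUKTO_TOKEN:-}" ]; then
        echo "gate: KONDUKTO_TOKEN is not set" >&2
        return 2
    fi
    # --async returns as soon as the scan starts; thresholds are never checked.
    if has_flag --async; then
        echo "gate: --async cannot be combined with threshold gating" >&2
        return 2
    fi
    # --insecure disables certificate and host name checks (MITM exposure);
    # require an explicit opt-in so it cannot linger in a pipeline unnoticed.
    if has_flag --insecure && [ "${KDT_ALLOW_INSECURE:-0}" != 1 ]; then
        echo "gate: --insecure is set without KDT_ALLOW_INSECURE=1" >&2
        return 2
    fi
    args=$(build_gate_args "$@") || return 2
    # shellcheck disable=SC2086  # word splitting of the built list is intended
    "$KDT_BIN" $args $KDT_EXTRA_FLAGS
}

# Run as a script, e.g. in a pipeline step:
#   RUN_GATE=1 sh gate.sh SampleProject SampleTool master 3 10 "" "" yes
if [ "${RUN_GATE:-0}" = 1 ]; then
    run_gate "$@"
    exit $?
fi
```

The gate never prints the token and passes it only through the environment that kdt already reads, so the pipeline log stays clean even with -v enabled. Because --threshold-risk fails when the tool has no earlier scan to compare against, pass RISK=no for a tool's first run on a project and switch it on afterwards.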

Contributing to KDT

If you wish to get involved in KDT development, create issues for problems and missing features or fork the repository and create pull requests to help the development directly.

Before sending your PRs:

  • Create and name your branches according to Git Flow methodology.

    For new features: feature/example-feature-branch

    For bug fixes: bugfix/example-bugfix-branch

  • Properly document your code following idiomatic Go practices. Exported functions should always be commented.

  • Write detailed PR descriptions and comments.
