CLI Reference
Complete reference for every nat command.
Global flags
These flags are available on all commands:
| Flag | Short | Description |
|---|---|---|
| --help | -h | Show help text |
| --version | -v | Print NAT version and exit |
| --verbose | | Enable verbose/debug output |
| --config | -c | Path to config file (default: ~/.nat/config.yaml) |
| --no-color | | Disable ANSI color output |
| --json | | Output command results as JSON |
nat scan
Run a security scan against a target API.
```
nat scan [flags]
```
Required flags
| Flag | Description |
|---|---|
| --url <url> | Base URL of the target API |
Discovery flags
| Flag | Description | Default |
|---|---|---|
| --spec <path\|url> | OpenAPI 3.x / Swagger 2.x spec | Auto-discover |
| --depth <n> | Crawl depth for endpoint discovery | 3 |
| --include <pattern> | Only test paths matching glob pattern | All paths |
| --exclude <pattern> | Skip paths matching glob pattern | None |
| --graphql | Enable GraphQL introspection and testing | Auto-detect |
Authentication flags
| Flag | Description |
|---|---|
| --auth-type <type> | bearer, header, basic, oauth2, none |
| --token <token> | Bearer token value |
| --header <K:V> | Custom header (repeatable) |
| --oauth2-token-url | OAuth2 token endpoint URL |
| --oauth2-client-id | OAuth2 client ID |
| --oauth2-client-secret | OAuth2 client secret |
| --oauth2-scope | OAuth2 scopes (space-separated) |
Execution flags
| Flag | Description | Default |
|---|---|---|
| --concurrency <n> | Parallel request count | 5 |
| --timeout <s> | Per-request timeout (seconds) | 30 |
| --rate-limit <n> | Max requests per second | Unlimited |
| --max-requests <n> | Hard cap on total requests | Unlimited |
| --dry-run | Discover endpoints only, no tests | false |
Output flags
| Flag | Description | Default |
|---|---|---|
| --output <path> | Report output file path | ./nat-report.html |
| --format <fmt> | html, json, sarif, markdown | html |
| --severity <level> | Minimum severity to include in report | info |
| --fail-on <level> | Exit with non-zero code if findings ≥ level | None |
| --open | Open report in browser after scan | false |
Examples
```
# Basic scan
nat scan --url https://api.example.com

# Scan with OpenAPI spec, authenticated
nat scan \
  --url https://api.example.com \
  --spec ./openapi.yaml \
  --auth-type bearer \
  --token "$TOKEN"

# CI mode — fail build on high+ findings, SARIF output
nat scan \
  --url https://staging.example.com \
  --spec ./openapi.yaml \
  --format sarif \
  --output results.sarif \
  --fail-on high
```
nat demo
Run a complete demo scan against NAT's built-in example API.
```
nat demo [flags]
```
| Flag | Description |
|---|---|
| --no-browser | Don't open the report in a browser |
| --output <path> | Save demo report to a specific path |
nat server
Manage the NAT local server (self-hosted mode).
nat server start
```
nat server start [flags]
```
| Flag | Description | Default |
|---|---|---|
| --port <n> | Listen port | 8080 |
| --host <addr> | Bind address | 127.0.0.1 |
| --data-dir <path> | Data and report storage directory | ~/.nat/data |
| --daemon | Run as background daemon | false |
nat server stop
```
nat server stop
```
Stop a running background daemon.
nat server status
```
nat server status
```
Show server status, port, and uptime.
nat report
View or export scan reports.
```
nat report [flags]
```
| Flag | Description | Default |
|---|---|---|
| --scan-id <id> | Specific scan to report on | Latest |
| --format <fmt> | html, json, sarif, markdown | html |
| --output <path> | Output file path | ./nat-report.<fmt> |
| --open | Open HTML report in browser | false |
| --list | List all available scan reports | false |
nat auth
Manage NAT cloud authentication (SaaS plan).
nat auth login
```
nat auth login --key <api-key>
```
nat auth logout
```
nat auth logout
```
nat auth status
```
nat auth status
```
nat config
Manage NAT configuration.
nat config show
```
nat config show
```
Print current configuration.
nat config set
```
nat config set <key> <value>
```
Set a configuration value. Example:
```
nat config set scan.concurrency 10
nat config set scan.timeout 60
```
nat config reset
```
nat config reset
```
Reset all configuration to defaults.
Configuration file
NAT reads configuration from ~/.nat/config.yaml by default. Override with --config <path>.
```yaml
# ~/.nat/config.yaml
scan:
  concurrency: 5
  timeout: 30
  depth: 3
  default_format: html
server:
  port: 8080
  host: 127.0.0.1
  data_dir: ~/.nat/data
auth:
  api_key: ""  # Set via `nat auth login` or NAT_API_KEY env var
```
Environment variables
All configuration keys can be set via environment variables using the NAT_ prefix and _ separator:
| Variable | Equivalent config key |
|---|---|
| NAT_API_KEY | auth.api_key |
| NAT_SCAN_CONCURRENCY | scan.concurrency |
| NAT_SCAN_TIMEOUT | scan.timeout |
| NAT_SERVER_PORT | server.port |
| NAT_SERVER_HOST | server.host |
| NAT_DATA_DIR | server.data_dir |
| NAT_LOG_LEVEL | log.level |
Environment variables take precedence over the config file.
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success — scan completed, no findings at or above --fail-on level |
| 1 | Findings found at or above --fail-on severity level |
| 2 | Scan error (target unreachable, auth failure, etc.) |
| 3 | Configuration or usage error |
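
The CI-mode command and the exit codes above, combined into a pipeline gate that blocks when the scan produced no result instead of treating it as clean. This is an added example, not part of the NAT documentation; `NAT_BIN`, `nat_ci_gate` and its arguments are assumed names, and it assumes a completed scan always writes the report file.

```shell
#!/bin/sh
# Added example, not part of the NAT documentation.
# Assumed names: NAT_BIN, nat_ci_gate and its three arguments.
NAT_BIN="${NAT_BIN:-nat}"

# nat_ci_gate <url> <spec> <sarif-out>
# Returns 0 = clean, 1 = findings at or above "high", 2 = no trustworthy result.
nat_ci_gate() {
  gate_url="$1"; gate_spec="$2"; gate_out="$3"
  # Drop any report left by an earlier run so a stale file cannot pass for this one.
  rm -f "$gate_out"
  gate_rc=0
  "$NAT_BIN" scan --url "$gate_url" --spec "$gate_spec" \
    --format sarif --output "$gate_out" --fail-on high || gate_rc=$?
  case "$gate_rc" in
    0)
      # Assumption: a completed scan always writes the report. Exit 0 with no
      # report is treated as "not scanned", not as "clean".
      if [ -s "$gate_out" ]; then
        echo "nat: no findings at or above high" >&2; return 0
      fi
      echo "nat: exit 0 but $gate_out is missing or empty" >&2; return 2 ;;
    1)
      echo "nat: findings at or above high, see $gate_out" >&2; return 1 ;;
    2)
      # The target was never assessed; a pipeline that ignores this fails open.
      echo "nat: scan error (target unreachable, auth failure, ...)" >&2; return 2 ;;
    3)
      echo "nat: configuration or usage error" >&2; return 2 ;;
    *)
      echo "nat: undocumented exit code $gate_rc" >&2; return 2 ;;
  esac
}
```

Call it as `nat_ci_gate https://staging.example.com ./openapi.yaml results.sarif` and let its return code fail the job; a return of 2 is worth alerting on separately from 1, since it means the build was not scanned at all.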