Skip to main content

CLI arguments

Running a policy check

The minimum input that's required to trigger a policy check is to use the command datree test and to provide a Kubernetes configuration file path or a glob pattern:

$ datree test kube-prod/deployment.yaml
$ datree test kube-*/*.yaml
Recursive globbing

Testing all files recursively (also within subdirectories) is not supported automatically by all shells.
To enable this feature in bash, make sure your bash version is 4 or higher, and run the following command in your terminal:
shopt -s globstar
or use the following workaround for bash version 3 or lower:
find . -name '*.yaml' -print0 | xargs -0 datree test
For more information, see the bash documentation


Flags

The following flags for the datree test command allow you to change the behavior of each part of the policy check:

YAML validation flags:

FlagAliasValuesDescription
--only-k8s-files            N/AN/ASkip all non-K8s files. Especially useful when scanning a dir with K8s and other config files: datree test *.yaml --only-k8s-files

Kubernetes schema validation flags:

FlagAliasValuesDescription
--schema-version-se.g. "1.20.0"Set Kubernetes version to validate against. Default can also be changed from the dashboard
--schema-locationN/Ae.g. "http://example.com/schema.json"Override Kubernetes schema location. See relevant page for more information.
--ignore-missing-schemasN/AN/ASkip files with missing schemas instead of failing the schema validation check
--permissive-schemaN/AN/AAllow duplicated keys and/or additional properties that are not part of the schema

Policy check flags:

FlagAliasValuesDescription
--policy-pe.g. stagingSpecify which policy to execute (by policy name)
--no-recordN/AN/ADon’t send policy checks metadata to the backend
--policy-configN/Ae.g. "myPolicyConfig.yaml"Specify a path to a local policies-configuration file

Output flags:

FlagAliasValuesDescription
--output-ojson, yaml, xml, JUnit, sarifOutput the policy check results in the requested format
--output-osimpleOutput the policy check results in simple text (without emoji or colors)
--verboseN/AN/ADisplay 'How to Fix' link for failed rules in output
--save-renderedN/AN/ADon't delete rendered files after the policy check (e.g helm, kustomize)

Additional options

Built-in Kustomize support

Run datree kustomize test [path] to render resources defined in a kustomization.yaml file located in [path] and run a policy check against them. For more information, options and examples, see the Kustomize support page.


Publish policy-as-code configuration

When using Policy as code mode, the command datree publish fileName.yaml will publish policies configuration for given fileName. Input should be the path to the Policy-as-Code yaml configuration file.


Configure the CLI via the config.yaml file

After running your first policy check, a default config file will be created (defaults to $HOME/.datree/config.yaml) with the following contents:

client_id: [your client ID]
offline: fail
token: [your token]

The command datree config allows you to manage the config file.
Use datree config set to change the value of the following keys in the file:

  1. token - the token used to link the CLI to your dashboard.
$ datree config set token NEW_TOKEN
  1. offline - determines how your CLI will behave when there is no active internet connection.
    By default, when executing a policy check, the CLI attempts to pull your policy from your dashboard. If there is no internet connection, the default behavior (fail) will cause the CLI to exit with an error without performing the policy check.
    When in offline-mode, you will need to instruct the CLI to use a local policy file instead. Set the value to local by running the following command:
$ datree config set offline local

Upgrade the CLI to the latest version

To upgrade your CLI, simply run datree upgrade.


To print your CLI version, run datree version.


Open the documentation website

Run datree docs to open the Datree documentation website in your browser.


Shell autocompletion

The CLI supports autocompletion for commands when using various shells.
Run datree completion -h to see which shells are supported and how to enable autocompletion for each of them.
For your convenience, the instructions are laid out here as well. Simply choose the shell of your choice:

Run the following command:
source <(datree completion bash)

To load completions for each session, run the following command once:
Linux:
datree completion bash > /etc/bash_completion.d/datree
MacOS:
datree completion bash > /usr/local/etc/bash_completion.d/datree
tip

Alternatively, autocompletion for the Datree CLI is also available automatically as a part of Fig.
To install Fig, visit the autocomplete github repository.