CLI Commands

All config.yaml values can be overridden or replaced entirely at the command line.

---

Usage

python sfhound.py [OPTIONS]

Run from the sf-opengraph/ directory.

---

Options reference

General

Flag	Description	Default
--help	Print help and exit	—
--config PATH	Path to the YAML configuration file	config.yaml

Salesforce credentials

Flag	Description	Default
--client-id TEXT	Connected App Consumer Key	From config
--client-secret TEXT	Connected App Consumer Secret (if not using JWT)	From config
--username TEXT	Salesforce username of the integration user	From config
--private-key PATH	Path to the PEM private key for JWT authentication	From config
--login-url URL	Salesforce login endpoint	https://login.salesforce.com
--api-version TEXT	Salesforce API version string	v56.0

Tip

Use --login-url https://test.salesforce.com for sandbox orgs.

Output

Flag	Description	Default
--output-path PATH	Directory where the output JSON is written	./opengraph_output

BloodHound CE auto-ingest

Flag	Description	Default
--auto-ingest	Upload graph to BloodHound CE after export	Off
--bh-url URL	BloodHound CE base URL	http://127.0.0.1:8080
--bh-username TEXT	BloodHound CE admin username	From config
--bh-password TEXT	BloodHound CE admin password	From config

---

Examples

Minimal — use config.yaml for everything

python sfhound.py

Override Salesforce credentials only

python sfhound.py \
  --client-id YOUR_CLIENT_ID \
  --username user@example.com \
  --private-key /path/to/salesforce_jwt.key

Sandbox org

python sfhound.py --login-url https://test.salesforce.com

Auto-ingest with all credentials on the command line (no config.yaml required)

python sfhound.py \
  --client-id YOUR_CLIENT_ID \
  --username user@example.com \
  --private-key ./salesforce_jwt.key \
  --login-url https://login.salesforce.com \
  --auto-ingest \
  --bh-url http://127.0.0.1:8080 \
  --bh-username admin \
  --bh-password YOUR_BLOODHOUND_PASSWORD

Custom output directory

python sfhound.py --output-path /tmp/sfhound_$(date +%Y%m%d)

Override API version

python sfhound.py --api-version v60.0

---

Exit codes

Code	Meaning
0	Success
1	Configuration or authentication error
2	Extraction error (partial data may have been written)
3	Auto-ingest failure (data was extracted but not uploaded)

---

Environment variable support

All --flag arguments can optionally be read from environment variables using the SFHOUND_ prefix:

Flag	Environment variable
--client-id	SFHOUND_CLIENT_ID
--username	SFHOUND_USERNAME
--private-key	SFHOUND_PRIVATE_KEY
--login-url	SFHOUND_LOGIN_URL
--bh-password	SFHOUND_BH_PASSWORD

Note

Environment variable support requires the python-dotenv package. If it is not installed, set variables in your shell before running.

---

Subcommands

examples/post_custom_icons.py

Registers custom BloodHound node icons for all SFHound node types.

python examples/post_custom_icons.py \
  --bh-url http://127.0.0.1:8080 \
  --bh-username admin \
  --bh-password YOUR_BLOODHOUND_PASSWORD

Must be run once after BloodHound CE is started. Safe to re-run (idempotent).