All config.yaml values can be overridden or replaced entirely at the command line.
Usage
python sfhound.py [OPTIONS]
Run from the sf-opengraph/ directory.
Options reference
General
| Flag | Description | Default |
|---|---|---|
| --help | Print help and exit | — |
| --config PATH | Path to the YAML configuration file | config.yaml |
Salesforce credentials
| Flag | Description | Default |
|---|---|---|
| --client-id TEXT | Connected App Consumer Key | From config |
| --client-secret TEXT | Connected App Consumer Secret (if not using JWT) | From config |
| --username TEXT | Salesforce username of the integration user | From config |
| --private-key PATH | Path to the PEM private key for JWT authentication | From config |
| --login-url URL | Salesforce login endpoint | https://login.salesforce.com |
| --api-version TEXT | Salesforce API version string | v56.0 |
Output
| Flag | Description | Default |
|---|---|---|
| --output-path PATH | Directory where the output JSON is written | ./opengraph_output |
BloodHound CE auto-ingest
| Flag | Description | Default |
|---|---|---|
| --auto-ingest | Upload graph to BloodHound CE after export | Off |
| --bh-url URL | BloodHound CE base URL | http://127.0.0.1:8080 |
| --bh-username TEXT | BloodHound CE admin username | From config |
| --bh-password TEXT | BloodHound CE admin password | From config |
Examples
Minimal — use config.yaml for everything
python sfhound.py
Override Salesforce credentials only
python sfhound.py \
  --client-id YOUR_CLIENT_ID \
  --username user@example.com \
  --private-key /path/to/salesforce_jwt.key
Sandbox org
python sfhound.py --login-url https://test.salesforce.com
Auto-ingest with all credentials on the command line (no config.yaml required)
python sfhound.py --auto-ingest \
  --client-id YOUR_CLIENT_ID \
  --username user@example.com \
  --private-key ./salesforce_jwt.key \
  --login-url https://login.salesforce.com \
  --bh-url http://127.0.0.1:8080 \
  --bh-password YOUR_BLOODHOUND_PASSWORD
Custom output directory
python sfhound.py --output-path /tmp/sfhound_$(date +%Y%m%d)
Override API version
python sfhound.py --api-version v60.0
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Configuration or authentication error |
| 2 | Extraction error (partial data may have been written) |
| 3 | Auto-ingest failure (data was extracted but not uploaded) |
Environment variable support
All --flag arguments can optionally be read from environment variables using the SFHOUND_ prefix:
| Flag | Environment variable |
|---|---|
| --client-id | SFHOUND_CLIENT_ID |
| --username | SFHOUND_USERNAME |
| --private-key | SFHOUND_PRIVATE_KEY |
| --login-url | SFHOUND_LOGIN_URL |
| --bh-password | SFHOUND_BH_PASSWORD |
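For unattended runs, the environment variables and exit codes above can be combined so that the BloodHound password and Salesforce identifiers never appear in argv, where process listings and shell history would expose them. The wrapper below is an added example, not part of SFHound; RUNNER_CMD, the status words and the PARTIAL marker file are assumptions of this sketch, and --bh-url and --bh-username are assumed to come from config.yaml.

```shell
#!/bin/sh
# Added example, not part of SFHound. RUNNER_CMD is a wrapper-only name
# (an assumption) so the collector command can be replaced when testing.
RUNNER_CMD=${RUNNER_CMD:-"python sfhound.py"}

# True only if the key file exists and gives no access to group or other.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldL "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# Runs one collection with auto-ingest. Secrets stay in SFHOUND_* variables,
# so they never appear in argv. Prints a status word, returns the exit code.
run_collection() {
    out_dir=$1
    for v in SFHOUND_CLIENT_ID SFHOUND_USERNAME SFHOUND_PRIVATE_KEY SFHOUND_BH_PASSWORD; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing:$v"; return 1; }
    done
    key_is_private "$SFHOUND_PRIVATE_KEY" || { echo "key-permissions"; return 1; }
    export SFHOUND_CLIENT_ID SFHOUND_USERNAME SFHOUND_PRIVATE_KEY SFHOUND_BH_PASSWORD
    mkdir -p "$out_dir"
    rc=0
    # Tool output goes to stderr so stdout carries only the status word.
    $RUNNER_CMD --auto-ingest --output-path "$out_dir" >&2 || rc=$?
    case $rc in
        0) echo "ok" ;;
        1) echo "config-or-auth" ;;
        2) : > "$out_dir/PARTIAL"      # mark the output as incomplete
           echo "partial" ;;
        3) echo "extracted-not-uploaded" ;;   # JSON is on disk, not in BloodHound
        *) echo "unknown:$rc" ;;
    esac
    return "$rc"
}
```

Call it as `status=$(run_collection ./opengraph_output)` from the sf-opengraph/ directory after setting the four SFHOUND_ variables, and branch on the status word or the return code.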
Subcommands
examples/post_custom_icons.py
Registers custom BloodHound node icons for all SFHound node types.
python examples/post_custom_icons.py \
--bh-url http://127.0.0.1:8080 \
--bh-password YOUR_BLOODHOUND_PASSWORD
Must be run once after BloodHound CE is started. Safe to re-run (idempotent).