CLI Reference

Aquilon DLP provides command-line tools for testing, validating, and debugging your DLP configuration before deploying to production.

Quick Reference

| Command | Purpose |
| --- | --- |
| --validate-config | Validate configuration file syntax and references |
| --list-scanners | List all available scanners (built-in + custom) |
| --list-policies | List all available policies (built-in + custom) |
| --test-scanner | Test a specific scanner against a file |
| --test-policy | Test a specific policy against a file |
| --dry-run | Scan a file without database persistence |
| --maintenance-now | Run database maintenance immediately |

Configuration Validation

--validate-config

Validates your configuration file for syntax errors, invalid regex patterns, and missing scanner references.

Syntax:

aquilon-dlp --validate-config <config-file>

Example:

aquilon-dlp --validate-config /etc/aquilon/config.toml

Output: Returns exit code 0 if valid, non-zero with error details if invalid.

Use when:

  • After editing configuration files
  • Before deploying configuration changes
  • Validating custom scanner regex patterns

Discovery Commands

--list-scanners

Lists all available scanners including built-in scanners and any custom scanners defined in your configuration.

Syntax:

aquilon-dlp --list-scanners [--config <config-file>]

Example:

aquilon-dlp --list-scanners

Sample output:

ssn
credit_card
email
phone
iban
ip_address
aws_key
custom:employee_id

Built-in scanners include:

  • ssn - US Social Security Numbers
  • credit_card - Credit/debit card numbers (Visa, MC, Amex, etc.)
  • email - Email addresses
  • phone - Phone numbers (US and international)
  • iban - International Bank Account Numbers
  • ip_address - IPv4 and IPv6 addresses
  • aws_key - AWS access keys and secrets
  • And more…

--list-policies

Lists all available policies including built-in compliance frameworks and any custom policies defined in your configuration.

Syntax:

aquilon-dlp --list-policies [--config <config-file>]

Example:

aquilon-dlp --list-policies

Sample output:

hipaa
gdpr
pci_dss
sox
ccpa
iso27001
custom:internal_data

Built-in policies include:

  • hipaa - Health Insurance Portability and Accountability Act
  • gdpr - General Data Protection Regulation
  • pci_dss - Payment Card Industry Data Security Standard
  • sox - Sarbanes-Oxley Act
  • ccpa - California Consumer Privacy Act
  • iso27001 - ISO/IEC 27001 Information Security

Testing Commands

--test-scanner

Tests a specific scanner against a file and outputs JSON results with any findings.

Syntax:

aquilon-dlp --test-scanner <scanner-name> --test-file <file-path>

Example:

aquilon-dlp --test-scanner ssn --test-file /var/test-data/sample-data.csv

Output: JSON with findings array:

{
  "scanner": "ssn",
  "file": "/tmp/test-ssn.txt",
  "findings": [
    {
      "matched_text": "123-45-6789",
      "position": 10,
      "confidence": 0.85,
      "redacted_text": "XXX-XX-6789"
    }
  ],
  "duration_ms": 5
}

Use when:

  • Developing custom scanners
  • Debugging detection issues
  • Verifying scanner behavior

--test-policy

Tests a specific policy against a file and outputs JSON results with any violations.

Syntax:

aquilon-dlp --test-policy <policy-name> --test-file <file-path>

Example:

aquilon-dlp --test-policy gdpr --test-file /var/test-data/sample-data.csv

Output: JSON with policy evaluation results:

{
   "policy": "gdpr",
   "file": "/var/test-data/sample-data-csv.tgz",
   "matched": true,
   "violations": [
      {
         "rule_id": "Article-4",
         "description": "Unprotected personal data detected - email address violates GDPR requirements",
         "severity": "Medium",
         "evidence_count": 1
      },
      {
         "rule_id": "Article-32",
         "description": "Unprotected financial personal data detected - violates GDPR security requirements",
         "severity": "High",
         "evidence_count": 1
      }
   ],
   "total_findings": 2,
   "scan_duration_ms": 19
}

Use when:

  • Developing custom policies
  • Testing policy rules
  • Verifying compliance detection

--dry-run

Scans a file using all configured scanners and policies without persisting to the database. Outputs JSON results to stdout.

Syntax:

aquilon-dlp --dry-run <file-path> [--config <config-file>]

Example:

aquilon-dlp --dry-run /var/test-data/sample-data.csv

Output: JSON with complete scan results:

{
   "file": "/var/test-data/sample-data-csv",
   "mime_type": "application/octet-stream",
   "file_size_bytes": 2929,
   "scan_duration_ms": 1648,
   "findings": [
      {
         "scanner": "PCI-DSS_policy",
         "matched_text": "xxxx-xxxx-xxxx-5516, xxxx-xxxx-xxxx-3020, xxxx-xxxx-xxxx-6147",
         "position": 0,
         "confidence": 1.0,
         "pattern_type": "cc",
         "redacted": "xxxx-xxxx-xxxx-5516, xxxx-xxxx-xxxx-3020, xxxx-xxxx-xxxx-6147"
      },
      {
         "scanner": "GDPR_policy",
         "matched_text": "xxxx-xxxx-xxxx-5516, xxxx-xxxx-xxxx-3020, xxxx-xxxx-xxxx-6147",
         "position": 0,
         "confidence": 1.0,
         "pattern_type": "cc",
         "redacted": "xxxx-xxxx-xxxx-5516, xxxx-xxxx-xxxx-3020, xxxx-xxxx-xxxx-6147"
      }
   ],
   "policies_matched": [
      "GDPR",
      "PCI-DSS"
   ],
   "total_findings": 2
}

Use when:

  • Testing files before enabling monitoring
  • Debugging why files are (or aren’t) flagged
  • One-off scans without affecting the database
  • CI/CD pipeline integration
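
For the CI/CD case, the pipeline step has to turn the --dry-run JSON into a pass/fail decision without copying matched data into build logs. The following is an added example, not part of the Aquilon documentation or tooling: the gate() and scan() names, the blocking rule and the confidence threshold are assumptions, and the sample report is constructed in the shape of the output above.

```python
import json
import subprocess
import sys

# Constructed sample in the shape of the --dry-run output above. The card number
# is a constructed test value; matched_text is raw here to exercise the log path.
SAMPLE = json.loads("""{
  "file": "/var/test-data/sample-data-csv",
  "findings": [
    {"scanner": "PCI-DSS_policy", "matched_text": "4111-1111-1111-1111",
     "position": 0, "confidence": 1.0, "pattern_type": "cc",
     "redacted": "xxxx-xxxx-xxxx-1111"},
    {"scanner": "GDPR_policy", "matched_text": "4111-1111-1111-1111",
     "position": 0, "confidence": 0.4, "pattern_type": "cc",
     "redacted": "xxxx-xxxx-xxxx-1111"}
  ],
  "policies_matched": ["GDPR", "PCI-DSS"],
  "total_findings": 2
}""")

def gate(report, blocking_policies, min_confidence=0.8):
    """Return (blocked, log_lines) for one parsed --dry-run report.

    Blocks when a listed policy matched and at least one finding reaches
    min_confidence. Log lines carry the redacted value, never matched_text.
    """
    hits = sorted(set(report.get("policies_matched", [])) & set(blocking_policies))
    strong = [f for f in report.get("findings", [])
              if f.get("confidence", 0.0) >= min_confidence]
    lines = [f"{report.get('file')}: policy {p} matched" for p in hits]
    for f in strong:
        lines.append(f"{f.get('scanner')} {f.get('pattern_type')} "
                     f"pos={f.get('position')} conf={f.get('confidence')} "
                     f"{f.get('redacted', '[redacted]')}")
    return bool(hits and strong), lines

def scan(path, binary="aquilon-dlp"):
    """Run the documented --dry-run command and parse the JSON on stdout."""
    # The exit status of --dry-run is not documented on this page, so the
    # decision is taken from the JSON rather than from returncode.
    proc = subprocess.run([binary, "--dry-run", path], capture_output=True, text=True)
    return json.loads(proc.stdout)

if __name__ == "__main__":
    report = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    blocked, lines = gate(report, {"PCI-DSS", "GDPR"})
    print("\n".join(lines))
    sys.exit(1 if blocked else 0)
```

Run with a file path to scan it, or with no arguments to evaluate the embedded sample; a non-zero exit fails the pipeline step.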

Maintenance Commands

--maintenance-now

Runs database maintenance tasks immediately and exits. This includes cleanup of old findings, cache eviction, and vacuum operations.

Syntax:

aquilon-dlp --maintenance-now [--config <config-file>]

Example:

aquilon-dlp --maintenance-now --config /etc/aquilon/config.toml

Output: JSON with maintenance results:

{
  "soft_deleted": 42,
  "hard_deleted": 15,
  "cache_evicted": 128,
  "pages_vacuumed": 1000,
  "duration_ms": 234,
  "errors": []
}

Use when:

  • Before database backups
  • After bulk data imports
  • To reclaim disk space immediately
  • Troubleshooting database issues

Testing Workflow

When developing custom scanners or policies, use this recommended workflow:

  1. Validate configuration after any changes:

    aquilon-dlp --validate-config /etc/aquilon/config.toml
    
  2. List available scanners to verify that custom scanners loaded:

    aquilon-dlp --list-scanners --config /etc/aquilon/config.toml
    
  3. Test an individual scanner against sample files:

    aquilon-dlp --test-scanner my_custom_scanner --test-file sample.txt
    
  4. Test policy to verify detection rules:

    aquilon-dlp --test-policy my_policy --test-file sample.txt
    
  5. Dry-run scan to see full results:

    aquilon-dlp --dry-run sample.txt --config /etc/aquilon/config.toml
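
Steps 1 to 3 of this workflow can be turned into a repeatable regression check for a custom scanner, so that a pattern edit that stops matching known data (or starts matching elsewhere) is caught before deployment. This is an added example, not part of the Aquilon documentation or tooling: the function names, the use of finding positions as the expected result, and the assumption that a custom scanner is listed as custom:<name> (as in the sample --list-scanners output) are all assumptions, and the fixtures are constructed from the sample outputs on this page.

```python
import json
import subprocess
import sys

BINARY = "aquilon-dlp"  # substitute the platform-specific binary name

# Constructed fixtures modelled on the sample outputs shown on this page.
LISTING = "ssn\ncredit_card\nemail\ncustom:employee_id\n"
RESULT = json.loads('{"scanner": "ssn", "findings": ['
                    '{"position": 10, "confidence": 0.85, "redacted_text": "XXX-XX-6789"}]}')

def scanner_listed(listing, name):
    """True if --list-scanners output names the scanner, bare or as custom:<name>."""
    return any(line.strip() in (name, f"custom:{name}") for line in listing.splitlines())

def compare_findings(result, expected_positions, min_confidence=0.5):
    """Return (missed, unexpected) positions for a --test-scanner result."""
    got = {f["position"] for f in result.get("findings", [])
           if f.get("confidence", 0.0) >= min_confidence}
    want = set(expected_positions)
    return sorted(want - got), sorted(got - want)

def run(*args):
    return subprocess.run([BINARY, *args], capture_output=True, text=True)

def workflow(config, scanner, sample, expected_positions):
    """Steps 1-3 of the workflow; returns a failure message or None."""
    if run("--validate-config", config).returncode != 0:
        return "config invalid"
    if not scanner_listed(run("--list-scanners", "--config", config).stdout, scanner):
        return f"scanner {scanner} not loaded"
    out = run("--test-scanner", scanner, "--test-file", sample).stdout
    missed, unexpected = compare_findings(json.loads(out), expected_positions)
    if missed or unexpected:
        return f"missed={missed} unexpected={unexpected}"
    return None

if __name__ == "__main__":
    # usage: script.py <config> <scanner> <sample-file> <position> [<position> ...]
    failure = workflow(sys.argv[1], sys.argv[2], sys.argv[3], map(int, sys.argv[4:]))
    sys.exit(failure or 0)
```

The failure message reports positions only, so the check can run in shared CI logs without exposing the sample file's contents.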
    

Platform Notes

The binary name varies by platform and edition:

| Platform | Edition | Binary Name |
| --- | --- | --- |
| Linux | Basic | aquilon-dlp-basic |
| Linux | Enterprise | aquilon-dlp-enterprise |
| macOS | Enterprise | aquilon-dlp (in app bundle) |

Examples in this documentation use aquilon-dlp for simplicity. Substitute with your platform-specific binary name.