Skip to content

Workspace Instructions

Jump to bottom
WebbinRoot edited this page Apr 2, 2026 · 1 revision

Workspace Instructions

This page documents the interactive workspace menu and command groups you use after startup.

If you are still setting up authentication, start with Authentication Reference first.

Command Map

Command Group Purpose Common Subcommands
creds Inspect/swap credentials me, me-full, list, list-full, db-row, swap
modules Discover and execute modules list, search, run
compartments Manage scan target scope list, add, set, rm
data Export/query/wipe local SQLite data export, sql, wipe-service
configs Workspace runtime defaults list, set, unset, regions list
oci Pass-through OCI CLI execution oci <args...>
help, ?, exit, quit Session control n/a

Workspace Menu Commands

creds

  • creds me
    • Show active credential summary.
  • creds me-full
    • Show active credential including sensitive fields.
  • creds list
    • List all credentials in workspace.
  • creds list-full
    • List all credentials including sensitive fields.
  • creds db-row [credname]
    • Print raw stored credential JSON for one credential.
  • creds swap [credname]
    • Swap active credential (interactive picker if omitted).

modules

  • modules list
    • List available modules.
  • modules search <keyword>
    • Search module names/descriptions.
  • modules run <module_name> [module args...]
    • Run any module with module-specific flags.

Example:

modules run enum_all --comp --save --download

compartments

  • compartments list
    • Print known tenancy/compartment tree.
  • compartments add <compartment_ocid>
    • Add a compartment to known list.
  • compartments set [<compartment_ocid>]
    • Set current compartment. If omitted, an interactive picker opens.
  • compartments rm <compartment_ocid>
    • Remove a known compartment from the local list.

data

  • data export <csv|json|excel|treeimage> [--out-dir ...] [--out-file ...]
    • Export service DB data and hierarchy artifacts.
  • data sql --db <service|metadata> "<SQL>"
    • Query SQLite directly.
  • data wipe-service [--all-workspaces] [--yes]
    • Delete rows from service DB tables (with confirmation by default).

Example:

data sql --db service "SELECT * FROM identity_policies LIMIT 20"

configs

Use configs to control workspace defaults and runtime behavior.

  • configs list
    • Show all config keys and effective values.
  • configs set <key> <value>
    • Set a config value.
  • configs unset <key>
    • Reset a key to its default.
  • configs regions list
    • List known OCI regions. Current default region is highlighted.

Config Keys

Key Purpose Allowed Values Default
proxy Global HTTP(S) proxy for module runs without explicit run proxy. URL / host:port None
current_default_region Workspace default OCI region. OCI region string ""
module_auto_save Module save behavior when --save/--no-save is not explicitly passed. true, false true
rate_limit_seconds Base delay between API calls. non-negative float 0.0
rate_limit_jitter_seconds Jitter added to base rate limit. non-negative float 0.0
api_logging_enabled Enable API telemetry logging. true, false false
api_logging_file_path Override telemetry log file path. filesystem path auto path under ./ocinferno_output/<workspace>/tool_logs/
api_logging_verbosity Telemetry detail level. basic, standard, verbose standard
api_logging_attributes CSV list of telemetry fields to emit. comma-separated attributes built-in default attribute set
std_output_format Terminal output rendering style. table, txt table

Notes:

  • Unknown values for current_default_region are accepted with a warning (supports private/dedicated regions).
  • Legacy key alias current_region is still accepted and mapped to current_default_region.

Module Save and Cache Behavior

  • Modules auto-save to local SQLite during enumeration when module_auto_save=true (default), unless you explicitly pass --no-save.
  • Because of that local persistence, some module workflows can rely on previously saved data/cache if an initial list/discovery call fails (module-dependent behavior).
  • If you need to target a specific resource directly, many modules support explicit OCID flags in the form --<resource_name> <ocid>.
  • Always check the module definition/flags for exact supported parameter names before running (modules list, module source, or module help output).

oci Pass-Through

You can run raw OCI CLI commands directly from OCInferno:

oci iam policy list --compartment-id <tenancy_ocid> --all

This executes the local oci binary outside of ocinferno.

Common Workspace Flows

Baseline setup

configs set current_default_region us-phoenix-1
configs set module_auto_save true
configs set api_logging_enabled true
configs set api_logging_verbosity standard

Route module traffic through a local proxy (ex. 127.0.0.1:8080)

Set a workspace default proxy for all module runs:

configs set proxy http://127.0.0.1:8080
configs list

Override proxy for only one run:

modules run enum_identity --proxy http://127.0.0.1:8080

Disable the workspace default proxy later:

configs unset proxy

Scope, enumerate, and validate

compartments list
compartments set
modules run enum_all --comp --save
data sql --db service "SELECT * FROM identity_policies LIMIT 20"

Export reporting artifacts

data export json
data export excel
data export treeimage

Home | Getting Started | Auth | Workspace | CLI Modules | Downloads to Disk | Data View/Export | OpenGraph - Node/Edge Tables | OpenGraph - Default Priv Escalation Mode | OpenGraph - IAM Conditionals | OpenGraph - Inheritance & IncludeAll | ConfigChecker - Static Config Checks

OCInferno Wiki

Core Operations

Graph and Security

Config Checks

Project

Clone this wiki locally