Command line guide

Start with help

Run the installed app binary directly from Terminal. Quote the path because the app name contains spaces.

'/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --help

The help output lists the current options, supported export formats, scan filtering, and test discovery commands.

Supported targets

The CLI accepts the same practical file types as the app.

• .app bundles
• .pkg installer packages
• .dmg disk images
• Binary executables
• Executable scripts

Export reports

Use --export json when another tool or AI agent will parse the report. Use --export txt when a person will read it.

'/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --export json --target "/Applications/Example.app" --output "$HOME/Desktop/example-report.json"

'/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --export txt --target "$HOME/Downloads/Example.pkg"

Omit --output to write JSON or text to standard output. The app interface can also export PDF and PNG image reports for records and support notes.

Scan filtering

By default the CLI runs every available scan. You can discover test keys and ask for a smaller set when you need faster automation.

'/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --list-tests

'/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --list-tests --json

'/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --export json --target "/Applications/Example.app" --tests signature,notarization,privacyAccesses

The special value all requests every scan. Identity is always included, and App Trust Preview adds required dependency scans automatically.

Allowed paths

Open App Trust Preview Settings and choose Allowed Paths before using automation outside the default app folders. Add folders where targets may live with read access. /Applications already has read-only access.

• Add ~/Downloads if downloaded apps, installers, disk images, binaries, or scripts are stored there.
• Add ~/Applications if you keep per-user apps there.
• Add a report output folder with read and write access if automation should save files there.

If a target or output path cannot be reached, the CLI prints guidance that points back to the same Settings pane.

Use with AI agents

App Trust Preview can give an AI agent local evidence without uploading inspected software to a third party. The most reliable workflow is to make the agent learn the current CLI from --help, then read report output from standard output instead of guessing export flags.

1. Open Settings in App Trust Preview and choose Allowed Paths.
2. Keep /Applications for installed apps. It is already available as read only.
3. Add ~/Downloads or ~/Applications with read access when those folders contain targets.
4. Add a report folder with read and write access only when the agent should save files there.
5. Tell the agent to run '/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --help and read the help text from stdout before choosing options.
6. Ask the agent to inspect specific targets and read the report from stdout. Tell the agent not to use the --json argument because it can push the CLI toward an export path that needs write permission.
7. If you do want saved JSON or text files, give the agent an explicit writable output folder and tell it to use the documented export option from --help.

Run '/Applications/App Trust Preview.app/Contents/MacOS/App Trust Preview' --help first and read stdout.
Use only the options documented there.
Prefer report output on stdout.
Do not use --json for report export.
Do not write report files unless I provide an output folder with write access.

A useful AI prompt is to ask for identity, signing, notarization, sandboxing, privacy requests, saved permission decisions, package contents, helper safety, network access, and unusual technical indicators for every target in a folder.