scan secrets
Scan modules for security vulnerabilities using industry-standard tools.
If no modules specified, scans all modules in the repository.
If no --scanner specified, uses default scanners for each module type (configured in contracts/scanner/0.1.0/schemas/defaults/).
Supported scanners:
- sbom: Software Bill of Materials (Trivy, CycloneDX format)
- vuln: Vulnerability scanning (Trivy)
- secrets: Secrets detection (Trivy)
- iac: Infrastructure as Code scanning (Trivy)
- compliance: CIS compliance checking (Trivy)
- sast: Static Application Security Testing (Semgrep)
- zap: Dynamic Application Security Testing (OWASP ZAP)
Example:

```
scan                           # All modules, default scanners
scan core                      # Single module, default scanners
scan --scanner sbom            # All modules, SBOM only
scan core --scanner sbom,vuln  # Single module, specific scanners
```
Evidence output: out/scan/<module>/<scanner>/
Usage: scan [flags] <modules>
| Argument | Description |
|---|---|
| modules | Modules to scan (optional; if none specified, scans all modules in the repository) |

| Flag | Description |
|---|---|
| --scanner <string> (optional) | Scanner types to run (comma-separated: sbom,vuln,secrets,iac,compliance,sast,zap) |
| -d, --debug (optional, default: false) | Enable debug logging to out/logs/security |
| --tui (optional, default: auto) | Enable TUI console (default: auto-detect) |
| --no-tui (optional, default: false) | Disable TUI console |
| --tui-height <int> (optional, default: 8) | Set TUI console height (3-20) |
| --ascii (optional, default: false) | Use ASCII-only characters in TUI |
| --skip-tui-delay (optional, default: false) | Skip TUI exit delay (exit immediately when done) |
| --sequential (optional, default: false) | Run scans sequentially instead of in parallel |
| --turbo (optional, default: false) | Enable turbo mode for faster scanning (increases parallelism) |
| --skip-cache (optional, default: false) | Skip incremental cache, force full scan |
| --skip-deps (optional, default: false) | Skip system dependency verification (trivy, semgrep, etc.) |
See Also
- scan
- scan sast - Static Application Security Testing
- show scan-summary