CLI Commands
Complete reference for all SecurityChecks CLI commands.
CLI Commands
Note: The CLI is currently in private beta. For most users, we recommend the GitHub App for zero-config security checks.
The SecurityChecks CLI provides commands for scanning, configuration, and CI/CD integration.
Requirements
- Node.js 18 or later
- API key from the dashboard
SECURITYCHECKS_CLI_ENABLED=1environment variable (private beta gate)
Installation
npm install -g @securitychecks/cli
Or use npx:
npx -y -p @securitychecks/cli scheck run
Commands
scheck init
Initialize SecurityChecks configuration in your project.
scheck init [options]
Options:
| Option | Description |
|---|---|
--path, -p | Target path (default: current directory) |
--hooks | Install git pre-commit hook |
Creates:
.scheck/config.yaml— Project configuration.scheck/baseline.json— Known issues baseline.github/workflows/scheck.yml— GitHub Action workflow
scheck run
Run a security scan on your project.
scheck run [options]
Options:
| Option | Description | Default |
|---|---|---|
--path, -p | Path to scan | Current directory |
--changed | Only check changed files (requires git) | false |
--ci | CI mode — fail on new violations | false |
--all | Show all findings including P2 | false |
--json | Output as JSON | false |
--sarif <path> | Write SARIF report for GitHub Code Scanning | — |
--quiet | Suppress output except errors | false |
-v, --verbose | Enable verbose output | false |
Examples:
# Basic scan
scheck run
# Scan only changed files
scheck run --changed
# CI mode (fail on new violations)
scheck run --ci
# Output JSON for processing
scheck run --json > results.json
# Generate SARIF for GitHub Security tab
scheck run --sarif report.sarif
scheck explain
Get detailed explanation for an invariant.
scheck explain <invariant-id>
Examples:
scheck explain AUTHZ.SERVICE_LAYER.ENFORCED
scheck explain WEBHOOK.IDEMPOTENT
scheck login
Authenticate with SecurityChecks cloud.
scheck login [options]
Options:
| Option | Description |
|---|---|
--api-key, -k | API key (or set SECURITYCHECKS_API_KEY) |
--check | Check current login status |
scheck baseline
Manage the baseline of known issues.
scheck baseline [options]
Options:
| Option | Description |
|---|---|
--update | Update baseline with current findings |
--show | Show current baseline |
--prune | Remove stale entries not seen recently |
--prune-days <days> | Days before considering stale (default: 90) |
-y, --yes | Skip confirmation prompt |
scheck waive
Temporarily waive a finding.
scheck waive <findingId> [options]
Options:
| Option | Description |
|---|---|
-r, --reason <reason> | Reason for waiving (required) |
--reason-key <key> | Structured reason key: false_positive, acceptable_risk, will_fix_later, not_applicable, other |
-e, --expires <duration> | Expiration (e.g., 7d, 30d, 90d) |
-o, --owner <owner> | Owner/contact for this waiver |
scheck preflight
Quick deployment readiness check — a curated subset of invariants focused on ship-readiness.
scheck preflight [options]
Options:
| Option | Description | Default |
|---|---|---|
--path, -p | Path to scan | Current directory |
--json | Output as JSON | false |
--quiet | Suppress output (exit code only) | false |
Returns a readiness score (0-100) and pass/fail for each curated check. Score is capped at 49 if any P0 findings exist.
Examples:
# Interactive checklist
scheck preflight
# JSON for CI gates
scheck preflight --json
scheck waiver
View and manage temporary waivers.
scheck waiver [options]
Options:
| Option | Description |
|---|---|
--show | Show all active waivers |
--expiring | Show waivers expiring soon |
--expiring-days <days> | Days to consider "expiring soon" (default: 7) |
--prune | Remove expired waivers |
scheck hooks
Manage git pre-commit hooks.
scheck hooks [options]
Options:
| Option | Description |
|---|---|
--install | Install pre-commit hook |
--uninstall | Uninstall pre-commit hook |
--show | Show current hook status |
scheck feedback
Report whether a finding was a true positive or false positive — helps improve accuracy.
scheck feedback <invariantId> [options]
Options:
| Option | Description |
|---|---|
--verdict <verdict> | tp (true positive) or fp (false positive) |
--reason <reason> | not_applicable, acceptable_risk, wrong_location, outdated_pattern, missing_context |
scheck logout
Log out from SecurityChecks cloud (clear stored credentials).
scheck logout
scheck config
Manage cloud configuration.
scheck config [options]
Options:
| Option | Description |
|---|---|
--show | Show current configuration |
--set <key=value> | Set a configuration value |
--unset <key> | Unset a configuration value |
--clear | Clear all configuration |
--project <slug> | Set default project |
--api-url <url> | Set API URL |
--cloud-enabled | Enable cloud mode |
--no-cloud-enabled | Disable cloud mode |
Exit Codes
| Code | Meaning |
|---|---|
0 | Success, no findings at or above fail level |
1 | Findings found at or above fail level |
2 | Configuration or authentication error |
Environment Variables
| Variable | Description |
|---|---|
SECURITYCHECKS_API_KEY | API key for authentication |
SECURITYCHECKS_CLI_ENABLED | Set to 1 for beta access |
CI | Auto-detected in CI environments |
Configuration File
Configuration is stored in .scheck/config.yaml:
version: "1.0"
# Paths to scan
include:
- "src/**/*.ts"
- "src/**/*.tsx"
# Paths to exclude
exclude:
- "**/node_modules/**"
- "**/dist/**"
- "**/*.test.ts"
# Service file patterns (where auth should be enforced)
servicePatterns:
- "**/services/**/*.ts"
- "**/lib/**/*.ts"
# Test file patterns
testPatterns:
- "**/*.test.ts"
- "**/*.spec.ts"
# Disable specific invariants
# disabledInvariants:
# - "TESTS.NO_FALSE_CONFIDENCE"
Request CLI Access
The CLI is available for:
- Enterprise customers with on-premise requirements
- Approved beta testers
Contact sales@securitychecks.ai for access.