CLI Commands

Complete reference for all SecurityChecks CLI commands.

Note: The CLI is currently in private beta. For most users, we recommend the GitHub App for zero-config security checks.

The SecurityChecks CLI provides commands for scanning, configuration, and CI/CD integration.

Requirements

  • Node.js 18 or later
  • API key from the dashboard
  • SECURITYCHECKS_CLI_ENABLED=1 environment variable (private beta gate)

Installation

npm install -g @securitychecks/cli

Or use npx:

npx -y -p @securitychecks/cli scheck run

Commands

scheck init

Initialize SecurityChecks configuration in your project.

scheck init [options]

Options:

| Option | Description |
|---|---|
| --path, -p | Target path (default: current directory) |
| --hooks | Install git pre-commit hook |

Creates:

  • .scheck/config.yaml — Project configuration
  • .scheck/baseline.json — Known issues baseline
  • .github/workflows/scheck.yml — GitHub Action workflow

scheck run

Run a security scan on your project.

scheck run [options]

Options:

| Option | Description | Default |
|---|---|---|
| --path, -p | Path to scan | Current directory |
| --changed | Only check changed files (requires git) | false |
| --ci | CI mode — fail on new violations | false |
| --all | Show all findings including P2 | false |
| --json | Output as JSON | false |
| --sarif <path> | Write SARIF report for GitHub Code Scanning | |
| --quiet | Suppress output except errors | false |
| -v, --verbose | Enable verbose output | false |

Examples:

# Basic scan
scheck run

# Scan only changed files
scheck run --changed

# CI mode (fail on new violations)
scheck run --ci

# Output JSON for processing
scheck run --json > results.json

# Generate SARIF for GitHub Security tab
scheck run --sarif report.sarif

scheck explain

Get a detailed explanation of an invariant.

scheck explain <invariant-id>

Examples:

scheck explain AUTHZ.SERVICE_LAYER.ENFORCED
scheck explain WEBHOOK.IDEMPOTENT

scheck login

Authenticate with SecurityChecks cloud.

scheck login [options]

Options:

| Option | Description |
|---|---|
| --api-key, -k | API key (or set SECURITYCHECKS_API_KEY) |
| --check | Check current login status |

scheck baseline

Manage the baseline of known issues.

scheck baseline [options]

Options:

| Option | Description |
|---|---|
| --update | Update baseline with current findings |
| --show | Show current baseline |
| --prune | Remove stale entries not seen recently |
| --prune-days <days> | Days before considering stale (default: 90) |
| -y, --yes | Skip confirmation prompt |

scheck waive

Temporarily waive a finding.

scheck waive <findingId> [options]

Options:

| Option | Description |
|---|---|
| -r, --reason <reason> | Reason for waiving (required) |
| --reason-key <key> | Structured reason key: false_positive, acceptable_risk, will_fix_later, not_applicable, other |
| -e, --expires <duration> | Expiration (e.g., 7d, 30d, 90d) |
| -o, --owner <owner> | Owner/contact for this waiver |

scheck hooks

Manage git pre-commit hooks.

scheck hooks [options]

Options:

| Option | Description |
|---|---|
| --install | Install pre-commit hook |
| --uninstall | Uninstall pre-commit hook |
| --show | Show current hook status |

Exit Codes

| Code | Meaning |
|---|---|
| 0 | Success, no findings at or above fail level |
| 1 | Findings found at or above fail level |
| 2 | Configuration or authentication error |

Environment Variables

| Variable | Description |
|---|---|
| SECURITYCHECKS_API_KEY | API key for authentication |
| SECURITYCHECKS_CLI_ENABLED | Set to 1 for beta access |
| CI | Auto-detected in CI environments |
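
A CI gate built on the exit codes and environment variables documented above, as an added example that is not part of the SecurityChecks CLI or its documentation. The function names and the `SCHECK_CMD` override are hypothetical; the wrapper separates "findings" (exit 1) from "scan did not run" (exit 2 or any undocumented code) so an authentication failure is never read as a clean result.

```shell
#!/bin/sh
# Added example: CI gate around `scheck run --ci`. Uses only the flags,
# exit codes and environment variables listed in this reference.

# Map a documented exit code to a verdict. Undocumented codes (crash,
# killed process, missing binary) fail closed as errors.
classify_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo findings ;;
    2) echo config_or_auth_error ;;
    *) echo unknown_error ;;
  esac
}

# Verify the documented prerequisites without echoing the API key.
preflight() {
  [ "${SECURITYCHECKS_CLI_ENABLED:-}" = "1" ] || { echo missing_beta_gate; return 1; }
  [ -n "${SECURITYCHECKS_API_KEY:-}" ] || { echo missing_api_key; return 1; }
  echo ok
}

# Return 0 on a clean scan, 1 on findings, 2 on anything else, so a
# pipeline can tell "code has violations" from "scan did not run".
# SCHECK_CMD is a hypothetical override for this wrapper (not a scheck
# setting) that lets a stub stand in for the real binary.
run_gate() {
  reason=$(preflight) || { echo "gate: $reason" >&2; return 2; }
  scan_rc=0
  "${SCHECK_CMD:-scheck}" run --ci --sarif "${1:-report.sarif}" || scan_rc=$?
  verdict=$(classify_exit "$scan_rc")
  echo "gate: scheck exited $scan_rc ($verdict)" >&2
  case "$verdict" in
    pass) return 0 ;;
    findings) return 1 ;;
    *) return 2 ;;
  esac
}

# In a CI step, after sourcing this file:  run_gate report.sarif || exit $?
```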

Configuration File

Configuration is stored in .scheck/config.yaml:

version: "1.0"

# Paths to scan
include:
  - "src/**/*.ts"
  - "src/**/*.tsx"

# Paths to exclude
exclude:
  - "**/node_modules/**"
  - "**/dist/**"
  - "**/*.test.ts"

# Service file patterns (where auth should be enforced)
servicePatterns:
  - "**/services/**/*.ts"
  - "**/lib/**/*.ts"

# Test file patterns
testPatterns:
  - "**/*.test.ts"
  - "**/*.spec.ts"

# Disable specific invariants
# disabledInvariants:
#   - "TESTS.NO_FALSE_CONFIDENCE"

Request CLI Access

The CLI is available for:

  • Enterprise customers with on-premise requirements
  • Approved beta testers

Contact sales@securitychecks.ai for access.