# CLI Reference

Complete reference for all `scd` commands.

## Scanning

| Command | Description |
|---|---|
| `scd scan` | Full security scan — vendor and .gitignored files excluded by default |
| `scd scan --verbose` | Full file-grouped + rule-grouped output |
| `scd scan --deep` | Deep AI-powered analysis via scd-server (Premium) |
| `scd scan --include-vendor` | Include vendor/dependency code |
| `scd scan --vendor-only` | Scan only vendor/dependency code (supply chain) |
| `scd scan --include-ignored` | Scan files excluded by .gitignore |
| `scd scan --no-sync` | Skip pushing this scan to scd-server (Premium) |
| `scd scan --no-audit` | Skip audit logging for this scan |
## Reports

| Command | Description |
|---|---|
| `scd report` | Generate HTML report from last scan |
| `scd report --open` | Generate and open in browser (macOS / Windows) |
| `scd report --serve` | Serve report via local HTTP server (Linux / Firefox) |
| `scd report --serve --index` | Always show report index page |
| `scd report --scan <id>` | Generate report from a specific saved scan |
| `scd export-findings` | Export all findings from a scan to JSON |
| `scd export-findings --deep-only` | Export only findings with a deep analysis result |
| `scd export-findings --severity critical` | Filter by severity |
| `scd export-findings --scan <id>` | Export from a specific saved scan |
## Findings

| Command | Description |
|---|---|
| `scd findings` | List open findings from last scan |
| `scd findings <finding-id>` | Show a specific finding with full detail |
| `scd findings --verbose` | All open findings with problem, scenario, and fix |
| `scd findings --all` | All findings including excepted and resolved |
| `scd findings --excepted` | Only excepted findings |
| `scd findings --severity critical` | Filter by severity |
| `scd findings --rule <id>` | Filter by rule ID |
| `scd findings --scan <id>` | Load a specific historic scan |
## Exception management

Exceptions are managed by finding ID (shown in scan output, reports, and `scd findings`), never through source code comments.

| Command | Description |
|---|---|
| `scd accept <finding-id> --reason <text>` | Accept finding as acceptable risk |
| `scd accept <finding-id> --tag <text>` | Optional tag, e.g. `false_positive`, `out_of_scope` |
| `scd ignore <finding-id> --reason <text>` | Ignore a finding |
| `scd sync` | Pull approved/rejected exceptions from scd-server (Premium) |
| `scd exceptions` | List all local exceptions |
| `scd exceptions --list rejected` | List only rejected exceptions |
| `scd exceptions --list pending\|approved\|all` | Filter by status |
| `scd resolve --rejected <id>` | Remove a rejected exception after fixing the issue |
| `scd resolve --rule <id> --file <path> --line <n>` | Mark an EXPOSURE finding as handled |
## Exception workflow

```bash
# View open findings with their IDs
scd findings

# Accept a risk
scd accept f-a1b2c3d4 --reason "Parameterized internally, validated input only"

# Pull approvals/rejections from team server
scd sync

# List exceptions and their status
scd exceptions --list all

# Remove a rejected exception after fixing the issue
scd resolve --rejected exc-mn7k96ml
```
After `scd sync`, the next scan shows pending status inline:

```text
ℹ 2 exception(s) pending approval – run scd sync to refresh
⚠ 1 rejected exception(s) — fix required:
PHP-INJ-002 WS_addUser.php:10 [exc-mn7k96ml]
```
Exceptions include a hash of the relevant code line. If the code changes, the exception requires re-approval automatically.
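The hash-pinned exception mechanism described above, as an added illustrative model (not scd's own code): the hash algorithm, the `LocalException` fields and the PHP file contents are assumptions, while the path, rule ID and exception ID are the page's sample values.

```python
import hashlib
from dataclasses import dataclass, replace

# Constructed sample of WS_addUser.php (contents made up; only the path, rule ID
# and exception ID come from the page). Line 10 is the line the finding points at.
WS_ADD_USER_V1 = [
    "<?php",
    "require 'db.php';",
    "",
    "function addUser(PDO $pdo, string $name): void",
    "{",
    "    $name = trim($name);",
    "    if ($name === '') {",
    "        return;",
    "    }",
    "    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (?)');",
    "    $stmt->execute([$name]);",
    "}",
]
# Same file after an edit to line 10: the pinned line no longer matches.
WS_ADD_USER_V2 = WS_ADD_USER_V1.copy()
WS_ADD_USER_V2[9] = "    $stmt = $pdo->prepare('INSERT INTO users (name, created_at) VALUES (?, NOW())');"

@dataclass(frozen=True)
class LocalException:
    exc_id: str
    rule_id: str
    path: str
    line_no: int
    code_hash: str
    status: str  # pending | approved | rejected

def line_hash(line: str) -> str:
    # Assumption: SHA-256 over the whitespace-stripped line; scd's real scheme is not on the page.
    return hashlib.sha256(line.strip().encode("utf-8")).hexdigest()

def accept(exc_id: str, rule_id: str, path: str, line_no: int, lines: list[str]) -> LocalException:
    """Record an exception pinned to the current content of the flagged line (starts pending)."""
    return LocalException(exc_id, rule_id, path, line_no, line_hash(lines[line_no - 1]), "pending")

def approve(exc: LocalException) -> LocalException:
    return replace(exc, status="approved")  # what `scd sync` would pull back after review

def revalidate(exc: LocalException, lines: list[str]) -> LocalException:
    """At scan time: if the pinned line changed (or vanished), drop the exception back to pending."""
    current = line_hash(lines[exc.line_no - 1]) if exc.line_no <= len(lines) else ""
    if current != exc.code_hash:
        return replace(exc, code_hash=current, status="pending")
    return exc
```

The point of the check is that an accepted risk is tied to the reviewed code, not to the file position: any edit to the flagged line sends the exception back through approval instead of silently carrying the acceptance forward.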
## History and navigation

| Command | Description |
|---|---|
| `scd audit` | View scan history and audit trail |
| `scd insights` | Analyze behavioral patterns from audit log |
| `scd rules` | List all 174 security rules |
| `scd rules --lang php` | Filter rules by language |
| `scd rules --id INFRA-001` | Show full detail for a rule |
| `scd rules --search "injection"` | Free-text search across rules |
| `scd rules --stats` | Rule counts by severity and language |
| `scd list` | List all repos registered in store |
| `scd repo` | Show store info for current repo |
| `scd repo --show` | Full metadata for current repo |
| `scd repo --scans` | List all saved scans |
| `scd repo --verify` | Verify all repos exist on disk |
| `scd repo --verify --clean` | Interactive cleanup of missing/stale repos |
| `scd remove` | Remove current repo from store |
## Setup and configuration

| Command | Description |
|---|---|
| `scd install` | Install git hooks globally (once per machine) |
| `scd uninstall` | Remove git hooks and global git config |
| `scd init` | Register current project (once per project) |
| `scd doctor` | Verify setup, connection, and push queue status |
| `scd configure --central-url <url>` | Set scd-server URL |
| `scd configure --token <token>` | Set API token |
| `scd configure --server-timeout <duration>` | Regular API call timeout (default: 30s) |
| `scd configure --deep-timeout <duration>` | Deep analysis timeout (default: 20m) |
| `scd verify` | Verify CLI release integrity signature |
## Per-repo configuration

| Command | Description |
|---|---|
| `scd repo configure` | Show config with source (repo/global/default) |
| `scd repo configure --scan-mode fast\|full` | Set scan mode |
| `scd repo configure --trust-level <value>` | Set trust level |
| `scd repo configure --block-on-high <bool>` | Set blocking behaviour for HIGH findings |
## Trust levels

| Value | Behaviour |
|---|---|
| `maximum_privacy` | No external API calls. Local model only. Strongest privacy guarantee. |
| `balanced` | Default. Local model preferred; cloud available as explicit opt-in. |
| `maximum_analysis` | Cloud provider (Claude API). Maximum analysis depth. |

Set with:

```bash
scd repo configure --trust-level maximum_privacy
```
## Scan IDs and finding IDs

Every scan gets a unique ID (`s-a3f9b2c1`) shown in terminal output. Every finding gets a stable ID (`f-a1b2c3d4`). Use these IDs directly with `scd accept`, `scd ignore`, `scd findings`, and `scd report --scan`.

IDs are random, not time-based — no timezone issues when working across machines.