Installation

scd is available on npm and GitHub.

Requirements

Node.js 22 or later
Git
npm (included with Node.js)

Windows: Windows 10 (build 1803) or later. Git for Windows must be installed (not WSL). Windows Terminal or PowerShell recommended — cmd.exe has limited colour support.

1. Install Node.js

If you already have Node.js 22 or later installed, skip this step.

macOS

The recommended approach is nvm (Node Version Manager):

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
# Restart your terminal, then:
nvm install 22
nvm use 22
node --version   # should show v22.x.x

Alternatively, download the installer directly from nodejs.org.

Linux

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
# Restart your terminal, then:
nvm install 22
nvm use 22
node --version

Or use your distribution's package manager — but verify the version is 22 or later. Many distros ship an older Node.js by default.

Windows

Download and run the Node.js 22 LTS installer from nodejs.org. The installer includes npm.

Verify in PowerShell or Command Prompt:

node --version   # should show v22.x.x
npm --version

PowerShell execution policy

If npm scripts fail with a policy error, run this once in an elevated PowerShell window:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

2. Install scd

npm install -g @activemind/scd
scd --version   # verify

Package page: npmjs.com/package/@activemind/scd

Development install

If you have cloned the repository and want to run from source:

cd scd
npm install
npm link

To remove the dev link: npm unlink -g @activemind/scd

3. Install git hooks

scd uses git hooks to scan your code automatically — secrets scanning before commits, full OWASP scan before pushes. The hooks are installed globally on your machine, so every git repository you work in is protected automatically.

scd install

Run this once per machine. It sets up the hooks in ~/.scd/hooks/ and configures git to use them globally.

Verify the setup:

scd doctor

To remove the hooks from a machine:

scd uninstall

This removes the global hooks and the git configuration, but preserves your scan history and exceptions in ~/.scd/.

4. Register a project

Once the hooks are installed, register each project you want to work with:

cd /path/to/your/project
scd init
scd scan     # run your first scan

scd init creates a per-project config in ~/.scd/repos/ — nothing is written to your repository.

`scd install` vs `scd init`

	`scd install`	`scd init`
Scope	Machine-wide	Per project
Run	Once per machine	Once per project
What it does	Installs git hooks for all repos	Registers the project, creates config
Touches the repo	No	No

scd install is the global step — without it, hooks do not run. scd init is the per-project step. scd doctor will tell you clearly if either step has been missed.

Where scd stores data

All scan history, configuration, and reports are stored outside your repositories:

~/.scd/                          # macOS / Linux
%USERPROFILE%\.scd\              # Windows

  config                         ← central URL, token, timeouts, global defaults
  scope.yml                      ← global scope exclusions (all repos)
  repos/
    {repoId}/
      meta.json                  ← repo identity, last scan, timestamps
      config.yml                 ← per-repo settings, exceptions, rule configuration
      scope.yml                  ← per-repo scope exclusions
      scope-server.yml           ← server-managed scope (read-only)
      audit.log                  ← full scan history (append-only)
      last-scan.json             ← latest scan cache
      scans/                     ← one JSON per scan (never overwritten)
      reports/                   ← generated HTML/MD/JSON reports
      exports/                   ← exported JSON from scd export-findings

Uninstalling scd does not remove store data — your scan history is preserved.

Connect to scd-server (Team)

If your organisation runs scd-server, connect the CLI:

scd configure --central-url http://your-server:3000
scd configure --token <your-personal-token>
scd doctor    # verify connection

Your admin creates your user account in Admin → Users on scd-server. The personal token is shown once at creation — store it securely. If you lose it, ask your admin to regenerate it.

Then run a scan to activate your installation on the server:

scd scan

Troubleshooting

Having problems? See the Troubleshooting page — the installation section there covers scd not found, PATH issues, and Node.js version conflicts.

Verifying releases

Every release is signed with minisign — a simple, auditable tool for verifying that a file has not been tampered with. minisign is available for macOS, Linux, and Windows.

To verify a release independently of npm and GitHub, using Activemind's own distribution server as a third source:

# Download checksums and signature (replace VERSION with the version you installed, e.g. v1.4.0)
curl -O https://dist.securecodebydesign.com/scd/VERSION/checksums.txt
curl -O https://dist.securecodebydesign.com/scd/VERSION/checksums.txt.minisig

# Download the public key
curl -O https://dist.securecodebydesign.com/scd/minisign.pub

# Verify
minisign -Vm checksums.txt -p minisign.pub

The checksums file contains SHA-256 and SHA-512 hashes of the npm package tarball. The public key is also committed to the repository root as minisign.pub — cross-reference both sources for the strongest guarantee.

What version am I running?

scd version

Requirements​

1. Install Node.js​

2. Install scd​

3. Install git hooks​

4. Register a project​

scd install vs scd init​

Where scd stores data​

Connect to scd-server (Team)​

Troubleshooting​

Verifying releases​