Quick Start

This guide gets you from installation to your first scan in a few minutes. If you haven't installed scd yet, start with the Installation guide.


Your first scan

# Go to any project you work on
cd /path/to/your/project

# Register the project and run a scan
scd init
scd scan

scd init registers the project in ~/.scd/repos/ — nothing is written to your repository. You only need to run this once per project.

scd scan runs a full security scan and prints a summary to the terminal:

✔ Scan complete [s-a3f9b2c1] 43 files 1.2s

CRITICAL 2
HIGH 5
MEDIUM 11
LOW 3

Top rules:
JS-INJ-001 SQL Injection via string concat ×3 (CRITICAL)
SEC-001 Hardcoded secret or API key ×2 (CRITICAL)
JS-XSS-002 Reflected XSS — res.send(req.*) ×4 (HIGH)

Most affected:
src/routes/users.js 4 findings
src/db/queries.js 3 findings

Explore findings

# List open findings with their IDs
scd findings

# See full detail for a specific finding
scd findings f-a1b2c3d4

# Show all findings with problem description and fix guidance
scd findings --verbose

Generate a report

# Generate an HTML report from the last scan
scd report

# Open the report in your browser
scd report --open # macOS / Windows
scd report --serve # Linux / Firefox (starts a local HTTP server)

Reports include fix guidance for every finding.


Handle a finding

When a finding is a false positive or an accepted risk, you can create an exception:

# Accept a risk (pending team-lead approval if connected to scd-server)
scd accept f-a1b2c3d4 --reason "Input validated upstream, parameterized internally"

# Mark as false positive
scd ignore f-a1b2c3d4 --reason "Source maps intentionally included in staging" --tag false_positive

Exceptions are stored in ~/.scd/repos/{repoId}/config.yml — never as code comments.


Git hooks

Once you have run scd install, git hooks run automatically:

  • pre-commit — fast secrets scan. Blocks the commit if secrets are found.
  • pre-push — full OWASP scan. Blocks the push if CRITICAL or HIGH findings are found (configurable).

You don't need to do anything — just work normally; the hooks run scd for you on each commit and push.
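The pre-push policy above (block when anything at CRITICAL or HIGH is present, threshold configurable) can be expressed as a small gate over the summary that scd scan prints. The script below is an added example for this guide, not scd's own hook or any part of the scd code base: it assumes only that the summary contains lines of the form "CRITICAL 2", "HIGH 5" as shown under "Your first scan". The SAMPLE_SUMMARY and CLEAN_SUMMARY strings are constructed samples, and severity_count and gate are names chosen here for illustration.

```shell
#!/bin/sh
# Added example: a pre-push style severity gate over the scd scan summary.
# Not scd's own hook (scd install provides that); it assumes the summary
# format printed by `scd scan` in this guide ("CRITICAL 2", "HIGH 5", ...).

# Constructed sample matching the summary shown under "Your first scan".
SAMPLE_SUMMARY='Scan complete [s-a3f9b2c1] 43 files 1.2s

CRITICAL 2
HIGH 5
MEDIUM 11
LOW 3

Top rules:
JS-INJ-001 SQL Injection via string concat x3 (CRITICAL)'

# Constructed sample of a scan with nothing at or above HIGH.
CLEAN_SUMMARY='Scan complete [s-00000000] 12 files 0.3s

CRITICAL 0
HIGH 0
MEDIUM 1
LOW 4'

# severity_count SUMMARY LEVEL: print the count for LEVEL, or 0 if no such line exists.
severity_count() {
    printf '%s\n' "$1" | awk -v lvl="$2" '
        $1 == lvl && $2 ~ /^[0-9]+$/ { print $2; found = 1; exit }
        END { if (!found) print 0 }'
}

# gate SUMMARY THRESHOLD: return 0 when the push may proceed, 1 when it should be
# blocked, 2 on an unknown threshold. THRESHOLD is the least severe level that
# still blocks, so HIGH blocks on any CRITICAL or HIGH finding (the pre-push default).
gate() {
    summary=$1
    case "$2" in
        CRITICAL) blocking="CRITICAL" ;;
        HIGH)     blocking="CRITICAL HIGH" ;;
        MEDIUM)   blocking="CRITICAL HIGH MEDIUM" ;;
        LOW)      blocking="CRITICAL HIGH MEDIUM LOW" ;;
        *)        echo "gate: unknown threshold '$2'" >&2; return 2 ;;
    esac
    rc=0
    for lvl in $blocking; do
        n=$(severity_count "$summary" "$lvl")
        if [ "$n" -gt 0 ]; then
            echo "push blocked: $n $lvl finding(s)" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: gate the constructed sample at the HIGH threshold.
if gate "$SAMPLE_SUMMARY" HIGH; then
    echo "push allowed"
else
    echo "push blocked"
fi
```

Wired into a hook or a CI step, you would feed it the real output (for example `gate "$(scd scan)" HIGH`) and let the non-zero return abort the push; the threshold argument is where a team would relax or tighten the policy.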


Connect to scd-server (Team / Professional)

If your organisation runs scd-server, connect the CLI:

scd configure --central-url http://your-server:3000
scd configure --token <api-token-from-scd-server-admin>
scd doctor # verify connection

Once connected, scans are pushed to the team dashboard automatically, and you can sync exception approvals:

scd sync

See scd-server overview for more.


Next steps