Scan your code locally and integrate with CI/CD pipelines.
Or use npx for one-off scans without installing:
npx @scault/cli scan
npx @scault/cli scan            Scan the current directory
  --types sast,sca,secrets      Select scan types
  --platforms linux,macos       Select target platforms
  --severity high               Only show findings at or above severity
  --output json                 Output format (json, table, sarif)
  --ci                          CI mode — non-zero exit on findings

npx @scault/cli auth login      Authenticate with your Scault account (opens browser)
  --token sk_live_xxx           Use API key instead of browser auth

npx @scault/cli init            Create a .scault.yml config file in current directory

npx @scault/cli diff            Compare current state with last scan (show new/fixed findings)
  --baseline scan-123           Compare against specific scan

npx @scault/cli hook install    Install git pre-commit hook for secret detection
  --types secrets               Only run secret detection in hook

# .github/workflows/security.yml
name: Scault Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Scault Scan
        run: npx @scault/cli scan --ci --types sast,sca,secrets
        env:
          SCAULT_API_KEY: ${{ secrets.SCAULT_API_KEY }}

# .gitlab-ci.yml
security_scan:
  image: node:20
  script:
    - npx @scault/cli scan --ci --types sast,sca,secrets
  variables:
    SCAULT_API_KEY: $SCAULT_API_KEY
  only:
    - merge_requests
    - main

# .scault.yml — project configuration
project: my-awesome-app
platforms:
  - linux
  - macos
scan_types:
  - sast
  - sca
  - secrets
  - iac
severity_threshold: medium # fail CI if any finding >= medium
ignore:
  - "node_modules/**"
  - "dist/**"
  - "**/*.test.ts"
rules:
  suppress:
    - id: "hardcoded-password"
      reason: "Test fixture, not real credentials"
      files: ["**/*.test.ts"]

--output table      Human-readable table (default)
--output json       Machine-readable JSON
--output sarif      SARIF format for GitHub Code Scanning
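How the `severity_threshold`, `ignore` and `suppress` settings in the `.scault.yml` above interact, and what a `--ci` run's non-zero exit gates on, as an added example that is not code from the Scault CLI. The findings schema (`id`, `severity`, `file`, `line`) and the sample findings are constructed, since the page does not show the real `--output json` schema; the config dict is the page's `.scault.yml` transcribed so nothing needs a YAML parser, and the glob handling assumes gitignore-style semantics (`**` spans directories, `*` does not). The walk-through also surfaces an overlap in that config: `ignore` already excludes `**/*.test.ts`, so a `suppress` rule scoped to the same files is never reached for them. That `ignore` is applied before `suppress` is an assumption about the CLI's ordering.

```python
"""Apply a .scault.yml-style policy to scanner findings and compute the CI verdict.

Added example; this is not code from the Scault CLI. The findings schema
(id, severity, file, line) is assumed for illustration: the page does not show
the real `--output json` schema.
"""
import json
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# The .scault.yml from the page, as a dict so no YAML parser is needed offline.
CONFIG = {
    "severity_threshold": "medium",
    "ignore": ["node_modules/**", "dist/**", "**/*.test.ts"],
    "rules": {"suppress": [{
        "id": "hardcoded-password",
        "reason": "Test fixture, not real credentials",
        "files": ["**/*.test.ts"],
    }]},
}

# Constructed sample findings (schema assumed, see module docstring).
FINDINGS = [
    {"id": "hardcoded-password", "severity": "high", "file": "src/auth.ts", "line": 42},
    {"id": "hardcoded-password", "severity": "high", "file": "src/auth.test.ts", "line": 7},
    {"id": "sql-injection", "severity": "critical", "file": "dist/bundle.js", "line": 1},
    {"id": "weak-hash", "severity": "low", "file": "src/util.ts", "line": 10},
    {"id": "vulnerable-dependency", "severity": "medium", "file": "package-lock.json", "line": 0},
]


def glob_to_regex(pattern):
    """Translate a gitignore-style glob: '**' spans directories, '*' and '?' do not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def matches_any(path, patterns):
    """True if the repo-relative path matches at least one glob."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def apply_policy(findings, config):
    """Split findings into (kept, dropped); each dropped entry carries its reason.

    `ignore` is applied first (assumed: an ignored path is never scanned), so a
    suppress rule scoped to the same files, as in the page's config, is never reached.
    """
    kept, dropped = [], []
    suppress = config.get("rules", {}).get("suppress", [])
    for f in findings:
        if matches_any(f["file"], config.get("ignore", [])):
            dropped.append((f, "ignored path"))
            continue
        rule = next((s for s in suppress
                     if s["id"] == f["id"] and matches_any(f["file"], s.get("files", ["**"]))),
                    None)
        if rule is not None:
            dropped.append((f, "suppressed: " + rule["reason"]))
            continue
        kept.append(f)
    return kept, dropped


def ci_verdict(findings, config):
    """Return (exit_code, failing): 1 when any kept finding is at or above the threshold."""
    threshold = SEVERITY_RANK[config.get("severity_threshold", "low")]
    kept, _ = apply_policy(findings, config)
    failing = [f for f in kept if SEVERITY_RANK[f["severity"]] >= threshold]
    return (1 if failing else 0), failing


if __name__ == "__main__":
    # Mirrors what a --ci run gates on: print the verdict, exit non-zero on failures.
    code, failing = ci_verdict(FINDINGS, CONFIG)
    print(json.dumps({"exit_code": code, "failing": failing}, indent=2))
    raise SystemExit(code)
```

Run as a script it prints the two findings that breach the `medium` threshold (the `high` hardcoded password in `src/auth.ts` and the `medium` dependency finding) and exits 1, while the `critical` finding in `dist/` is dropped by the `ignore` glob before severity is ever considered. That last point is the practical caveat: an `ignore` pattern silently removes findings of any severity, so keep it to build output and vendored code, and use `suppress` with a `reason` for anything you want on record.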