Using Code Security CLI

Code Security is a CLI-driven toolchain.

To test Code Security, run:

`$HOME/.spectral/spectral run`

To use Code Security to scan your environment, run:

`$HOME/.spectral/spectral scan`
Commands

Command | Description |
---|---|
run | Run a scan interactively for exploring or auditing. |
scan | Run a scan from your CI/CD pipeline. |
init | Initialize configuration in your repo. This is how you customize ignores, detectors, and more. Once you run the init command, a hidden spectral folder is created and you can customize your configuration. |
fingerprint | Encode a one-way fingerprint from a secret, for ignoring content. |
github | Audit a GitHub organization, user, or repo. |
gitlab | Audit a GitLab organization, group, user, or repo. |
history | Run a Code Security git history scan. This command lets you scan the Git history and make sure there are no issues in historical Git commits. Note: issues found are only shown locally and are not included in the dashboard and UI (to avoid overhead). |
| | Manage custom rules. |
Environment Variables

Variable | Description |
---|---|
`SPECTRAL_DSN=<DSN>` | Your private Code Security DSN, which connects to your account. |
`SPECTRAL_SHOW_MATCH=1` | Show secrets in scan output (off by default). |
Common Flags

Flag | Description |
---|---|
-t, --token | Supply a token for GitHub, GitLab, or other for auditing. |
-h, --host | Supply a git host where relevant (for example, GitLab). |
-d, --dest | Destination for git repos in case of auditing. |
-k, --kind | Type of audit. For example, group, user, or org. |
| | Engines to run in the current scan. Options: |
--include-tags base, audit | Include additional ML-based detectors for full security coverage (for more tag details, run `spectral info --tags`). |
--include-tags iac | Include IaC (Infrastructure as Code) security coverage (for more tag details, run `spectral info --tags`). |
| | Scan only for specific detectors. |
| | Exclude specific detectors from results. You can combine: |
--unstaged | Scan with pre-commit and pre-receive hooks and send data to Code Security. |
-f, --fail-on-error | Fail with a non-zero exit code only on error-severity matches. |
| | Fail with a non-zero exit code only when Code Security detects High and Critical severity matches. |
gitlab -k all-groups | Scan all GitLab groups. |
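An added example, not part of the Code Security docs or the CLI's own code: a POSIX shell wrapper for running the non-interactive `scan` command from a CI pipeline. It assumes the binary path shown above (overridable through `SPECTRAL_BIN`, this script's own variable), that tag lists are passed comma-separated as `base,audit`, and that `SPECTRAL_DSN` is injected as a CI secret; the function names are the example's own.

```shell
#!/bin/sh
# Added example: CI wrapper around the Code Security CLI (not the project's own code).
# Assumes the binary is at $HOME/.spectral/spectral as documented; SPECTRAL_BIN
# (this script's own variable, not a documented one) overrides that path.
SPECTRAL_BIN="${SPECTRAL_BIN:-$HOME/.spectral/spectral}"

# Preflight for a pipeline run: the scan needs SPECTRAL_DSN, and
# SPECTRAL_SHOW_MATCH must stay off so matched secrets are never written
# to build logs. Returns 1 on any problem.
check_ci_env() {
    if [ -z "${SPECTRAL_DSN:-}" ]; then
        echo "SPECTRAL_DSN is not set; export your private DSN as a CI secret" >&2
        return 1
    fi
    if [ "${SPECTRAL_SHOW_MATCH:-0}" = "1" ]; then
        echo "SPECTRAL_SHOW_MATCH=1 would print secrets into CI logs; unset it" >&2
        return 1
    fi
    return 0
}

# Arguments for the non-interactive 'scan' subcommand. $1 selects the engine
# tags to include ("base,audit" by default, or "iac" for Infrastructure as
# Code). --fail-on-error makes the step fail only on error-severity matches.
build_scan_args() {
    printf 'scan --include-tags %s --fail-on-error\n' "${1:-base,audit}"
}

# Run the scan: return 2 when the environment is unusable, otherwise return
# the scanner's own exit code so the pipeline step fails on findings.
run_ci_scan() {
    check_ci_env || return 2
    if [ ! -x "$SPECTRAL_BIN" ]; then
        echo "scanner not found at $SPECTRAL_BIN" >&2
        return 2
    fi
    # Tag lists contain no whitespace, so word-splitting the args is safe.
    set -- $(build_scan_args "$1")
    "$SPECTRAL_BIN" "$@"
}
```

Call `run_ci_scan` (or `run_ci_scan iac`) as the scan step of the pipeline; its exit code is what fails the build.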
Help

You can use the `--help` option on the main binary, or on a subcommand (for example `$HOME/.spectral/spectral run --help`), to list the supported commands and flags.
```text
spectral --help
Spectral Scan 1.8.37
Spectral Cyber Technologies Inc.

USAGE:
    spectral [FLAGS] [SUBCOMMAND]

FLAGS:
    -h, --help       Prints help information
        --nobanners  No help/free text banners. Make it easier to parse output
    -V, --version    Prints version information

SUBCOMMANDS:
    config         Your local SPECTRAL_DSN config
    fingerprint    Fingerprint sensitive information for ignores
    github         Run a Spectral scan on a github organization, user, or team. Alias: 'git'.
    gitlab         Run a Spectral scan on a Gitlab organization, user, or team
    help           Prints this message or the help of the given subcommand(s)
    history        Run a Spectral git history scan
    info           Spectral information
    init           Initialize Spectral configuration for a current project. (Must be in the project root)
    local          Run a Spectral audit on local assets
    login          Log into your Spectral account
    logout
    logs           Run a Spectral logs scan
    register       Register for your own Spectral account
    run            Run a Spectral scan interactively
    s3             Run a Spectral AWS S3 scan
    scan           Run a Spectral scan in your CI pipeline
    version
```