CLI

Security scanning in your terminal.
And your pipeline.

The same scanning engine that powers the web app, available as a CLI. Install globally, scan files and directories, gate your CI/CD — all from the command line.

INSTALL
npm install -g scandar-scan
KEY COMMANDS

Simple commands. Powerful output.

SCAN FILES
# Scan a skill file
scandar scan skill.md

# Scan an MCP server
scandar scan server.ts --type mcp

# Scan an MCP config
scandar scan .mcp.json

# Scan a directory (recursive)
scandar scan ./skills/

OUTPUT FORMATS
# JSON output for scripting
scandar scan skill.md --format json

# SARIF output for GitHub Code Scanning
scandar scan ./skills/ --format sarif > results.sarif

CI/CD GATES
# Fail if trust score below threshold
scandar scan skill.md --threshold 70

# Fail on specific severity levels
scandar scan skill.md --fail-on critical,high

# Combine for strict gating
scandar scan ./src/ --threshold 80 --fail-on critical --format sarif

WATCH MODE
# Watch a directory — re-scan on every change
scandar watch ./skills/

# Watch with threshold
scandar watch ./skills/ --threshold 70 --quiet

AUTHENTICATION
# Layer 2 (LLM analysis) requires auth
scandar auth login      # Store API key
scandar auth status     # Check auth status
scandar auth logout     # Remove stored key
FEATURES

Built for developers and pipelines.

Auto-detection
Scandar detects whether a file is a skill, MCP server, or config automatically. No flags needed.
Offline Layer 1
Pattern-based scanning runs entirely locally. No API calls, no latency, no cost.
CI/CD Gates
Set trust score thresholds and severity filters. Exit code 1 when the gate fails.
SARIF Output
GitHub Code Scanning compatible. Upload SARIF for inline PR annotations on every finding.
Watch Mode
Monitor files for changes and re-scan automatically. Like tsc --watch, but for security.
JSON Output
Machine-readable output for scripting, dashboards, and pipeline integrations.
CI/CD INTEGRATION

Drop into any pipeline.

GITHUB ACTIONS + CODE SCANNING
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g scandar-scan
      - run: scandar scan ./skills/ --threshold 70 --fail-on critical
      - run: scandar scan ./skills/ --format sarif > results.sarif
        if: always()   # still write the report when the gate step above fails
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
        if: always()

GITLAB CI
security-scan:
  image: node:20
  script:
    - npm install -g scandar-scan
    - scandar scan ./skills/ --threshold 70 --fail-on critical
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
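The GitLab job above has no SARIF upload step, so a portable way to keep the same `--fail-on` semantics when only the SARIF artifact is handed between stages is to gate on the SARIF itself. This is an added example, not code from Scandar or this page: it reads a SARIF 2.1.0 log, buckets each result using GitHub Code Scanning's documented `security-severity` rule property where present and, as an assumption, the standard SARIF `level` where not, and returns exit code 1 in the same spirit as the CLI gate; the SARIF document embedded in it is constructed, not real scandar output.

```python
import json
import sys

# GitHub Code Scanning's documented "security-severity" bands (CVSS-style 0-10).
def bucket(score):
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

# Assumption for unscored rules: derive the bucket from the SARIF result "level".
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}

def severities(sarif):
    """Yield (ruleId, severity) for every result in every run of the log."""
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules}
        for res in run.get("results", []):
            rid = res.get("ruleId", "")
            score = by_id.get(rid, {}).get("properties", {}).get("security-severity")
            if score is not None:
                yield rid, bucket(float(score))
            else:
                yield rid, LEVEL_FALLBACK.get(res.get("level", "warning"), "medium")

def gate(sarif, fail_on):
    """Mirror --fail-on: exit code 1 if any finding falls in a blocked bucket."""
    counts = {}
    for _, sev in severities(sarif):
        counts[sev] = counts.get(sev, 0) + 1
    return (1 if set(fail_on) & set(counts) else 0), counts

# Constructed SARIF log (not real scandar output): one scored rule, one unscored.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example", "rules": [
        {"id": "R1", "properties": {"security-severity": "7.5"}},
        {"id": "R2"}]}},
    "results": [{"ruleId": "R1", "level": "error", "message": {"text": "a"}},
                {"ruleId": "R2", "level": "warning", "message": {"text": "b"}}]}]}
if __name__ == "__main__":
    # usage: python sarif_gate.py results.sarif critical,high
    log = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    blocked = sys.argv[2].split(",") if len(sys.argv) > 2 else ["critical", "high"]
    code, counts = gate(log, blocked)
    print(counts)
    sys.exit(code)
```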
ENTERPRISE

Need fleet-wide AI security?

Scandar Overwatch gives you real-time visibility into every agent in your organization — policies, compliance reports, alert routing, and kill chain detection. Self-serve setup in 25 minutes.