
Guide · 3 min

Scan from the terminal

Run XploitScan locally without uploading any code. The CLI is the same engine the web scanner uses, just running on your own machine. Best for developers and anyone working in a terminal already.

1

Run the CLI with npx

You don't need to install anything globally. npx downloads and runs the latest version on demand. Make sure you have Node 18 or later.

bash
npx xploitscan scan .

Run this from inside the folder you want to scan. The first run downloads the CLI; subsequent runs are instant.

2

Read the output

You should see something like this in your terminal:

  xploitscan v1.0.4 — security scan results
  ────────────────────────────────────────
  Found 13 issues:  7 CRITICAL  | 3 high | 1 medium | 2 low
  Scanned 47 files in 2.3s

  CRITICAL  [VC005]  Unprotected Stripe Webhook
    server.js:39
    Attackers can fake payment events and mark
    orders as paid without actually paying.
    Fix: Use stripe.webhooks.constructEvent()

Each finding has a severity, a rule ID (VC###), the file:line, what an attacker can do, and a one-line fix.

3

Sign in for unlimited scans (optional)

Without signing in, you get the free 30-rule set and 5 scans per day. Run this once to authenticate and unlock all 131 rules:

bash
npx xploitscan auth login

This opens a browser tab to complete the OAuth flow. Tokens are stored in your home directory.

4

Block bad commits (recommended)

Install a git pre-commit hook so XploitScan runs automatically before every commit. The commit aborts if it finds critical issues.

bash
npx xploitscan hook install

Safe to run on a repo with an existing pre-commit hook — XploitScan appends itself between markers and won't overwrite your existing checks. Uninstall any time with npx xploitscan hook uninstall.

5

Useful flags

A few flags that come up a lot:

bash
npx xploitscan scan ./src --format json > scan.json
npx xploitscan scan . --format sarif > xploitscan.sarif
npx xploitscan scan . --sbom > sbom.json
npx xploitscan scan . --no-ai

JSON is for piping into custom tools, SARIF for the GitHub Security tab, SBOM for compliance reports, and --no-ai skips the AI explanation pass for faster output.

Troubleshooting

  • “Command not found: npx”

    You don't have Node installed. Install Node 18 or later from nodejs.org.

  • “Exit code 1”

    This is intentional — the CLI exits 1 when it finds any issues so CI pipelines can detect them. It is not an error.

  • “Scan returns 0 findings” on a project you know has issues

    Make sure you're scanning the source folder, not a build output. Try npx xploitscan scan ./src explicitly.
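Because the CLI exits 1 on any finding, a pipeline that wants to fail only at a chosen severity has to inspect the results itself. The following is an added example, not XploitScan's own code, that parses the terminal output format shown in step 2 and applies such a threshold; the sample output is constructed, VC999 is a placeholder rule id, and it assumes non-critical findings print their severity label the same way as the CRITICAL line (the --format json schema is not documented on this page, so the example works from the text output).

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample in the format shown in step 2, not real scanner output;
# VC999 is a placeholder rule id and the "HIGH" label is an assumption.
SAMPLE_OUTPUT = """\
  xploitscan v1.0.4 - security scan results
  Found 2 issues:  1 CRITICAL  | 1 high | 0 medium | 0 low
  Scanned 47 files in 2.3s

  CRITICAL  [VC005]  Unprotected Stripe Webhook
    server.js:39
    Attackers can fake payment events and mark
    orders as paid without actually paying.
    Fix: Use stripe.webhooks.constructEvent()

  HIGH  [VC999]  Placeholder finding title
    routes/login.js:12
    Fix: Placeholder fix.
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FINDING_RE = re.compile(r"^\s*(critical|high|medium|low)\s+\[(VC\d{3})\]\s+(.+?)\s*$", re.I)
LOCATION_RE = re.compile(r"^\s*(\S+:\d+)\s*$")  # "file:line" on its own line
FIX_RE = re.compile(r"^\s*Fix:\s*(.+?)\s*$")

@dataclass
class Finding:
    severity: str  # normalised to lowercase
    rule_id: str
    title: str
    location: str = ""
    fix: str = ""

def parse_findings(text: str) -> list[Finding]:
    """Collect one Finding per block: header line, then file:line, then Fix:."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if m := FINDING_RE.match(line):
            findings.append(Finding(m.group(1).lower(), m.group(2), m.group(3)))
        elif findings and not findings[-1].location and (m := LOCATION_RE.match(line)):
            findings[-1].location = m.group(1)
        elif findings and (m := FIX_RE.match(line)):
            findings[-1].fix = m.group(1)
    return findings

def should_block(findings: list[Finding], threshold: str = "critical") -> bool:
    """True when any finding is at or above the chosen severity, e.g. for a CI gate."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold] for f in findings)
```

To use it in a pipeline, pipe the scan output into a script that calls parse_findings on sys.stdin.read() and exits 1 only when should_block returns True.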

Now wire it into your CI so every PR gets scanned automatically.

Next: Add the GitHub Action →