← All guides

Guide · 3 min

Scan from the terminal

Run XploitScan locally without uploading any code. The CLI is the same engine the web scanner uses, just running on your own machine. Best for developers and anyone working in a terminal already.

1

Run the CLI with npx

You don't need to install anything globally. npx downloads and runs the latest version on demand. Make sure you have Node 18 or later.

bash
npx xploitscan scan .

Run this from inside the folder you want to scan. The first run downloads the CLI; subsequent runs are instant.

2

Read the output

You should see something like this in your terminal:

  xploitscan v1.2.2 — security scan results
  ────────────────────────────────────────
  Found 13 issues:  7 CRITICAL  | 3 high | 1 medium | 2 low
  Scanned 47 files in 2.3s

  CRITICAL  [VC005]  Unprotected Stripe Webhook
    server.js:39
    Attackers can fake payment events and mark
    orders as paid without actually paying.
    Fix: Use stripe.webhooks.constructEvent()

Each finding has a severity, a rule ID (VC###), the file:line, what an attacker can do, and a one-line fix.

3

Connect your account (optional)

Without signing in, scans run locally with the 30 free rules. Signing in connects your plan — paid plans scan with all 210+ rules, and your scan history syncs to your dashboard:

bash
npx xploitscan auth login

Opens a browser tab to complete the OAuth flow. Tokens are stored in your home directory.

4

Block bad commits (recommended)

Install a git pre-commit hook so XploitScan runs automatically before every commit. The commit aborts if it finds critical issues.

bash
npx xploitscan hook install

Safe to run on a repo with an existing pre-commit hook — XploitScan appends itself between markers and won't overwrite your existing checks. Uninstall any time with npx xploitscan hook uninstall.

5

Useful flags

A few flags that come up a lot:

bash
npx xploitscan scan ./src --format json > scan.json
bash
npx xploitscan scan . --format sarif > xploitscan.sarif
bash
npx xploitscan scan . --diff main
bash
npx xploitscan scan . --no-ai

JSON for piping into custom tools, SARIF for the GitHub Security tab,--diff to scan only files changed vs a base branch,--no-ai to skip the AI explanation pass for faster output.

Troubleshooting

  • “Command not found: npx”

    You don't have Node installed. Install Node 18 or later from nodejs.org.

  • “Exit code 1”

    This is intentional — the CLI exits 1 when it finds critical or high-severity issues so CI pipelines can gate on them. It is not an error. Medium and below never change the exit code.

  • “Scan returns 0 findings” on a project you know has issues

    Make sure you're scanning the source folder, not a build output. Try npx xploitscan scan ./src explicitly.

Now wire it into your CI so every PR gets scanned automatically.

Next: Add the GitHub Action →
Guide: Scan from the terminal (CLI) — XploitScan