scan
Scan a directory or file for security vulnerabilities. This is the primary command you'll use with Oculum.
oculum scan [path] [options]
Path: Directory or file to scan. Defaults to current directory (.).
Options
| Flag | Description | Default |
|---|---|---|
-d, --depth <depth> | Scan depth: cheap, validated, deep | cheap |
-f, --format <format> | Output format: terminal, json, sarif, markdown | terminal |
--fail-on <severity> | Exit code 1 if findings at severity: critical, high, medium, low, none | none |
-o, --output <file> | Write output to file instead of stdout | - |
-i, --ignore <pattern> | Ignore pattern (can be used multiple times) | - |
--incremental | Only scan files changed since last commit (requires git) | false |
--diff <ref> | Compare against a specific branch or commit | - |
-p, --profile <name> | Use a named profile from your config file | - |
-q, --quiet | Minimal output (useful for CI) | false |
-v, --verbose | Debug output with detailed information | false |
--no-color | Disable colored output | false |
Scan Depths
Choose the right depth for your use case:
| Depth | Description | Speed | AI | Best For |
|---|---|---|---|---|
cheap | Pattern matching only | ~1000 files/sec | No | Quick PR checks, local dev |
validated | AI validates findings (~70% fewer false positives) | ~30s/300 files | Validation | Interactive development |
deep | Full semantic analysis with taint tracking | ~60s/300 files | Full | Security audits, onboarding |
Note: validated and deep require authentication. See Scan Depths for full details.
Output Formats
terminal (default)
Human-readable colored output with severity indicators:
Found 3 issues:
CRITICAL: Hardcoded API Key
src/lib/openai.ts:12
API key exposed in source code
Use environment variables instead
HIGH: Unvalidated User Input to LLM
src/api/chat.ts:45
User input passed directly to prompt
Sanitize or validate user input before use
json
Machine-readable JSON for integrations:
{
"scanId": "scan_abc123",
"repoName": "my-app",
"filesScanned": 47,
"findings": [
{
"id": "finding_xyz",
"category": "hardcoded_secret",
"severity": "high",
"message": "Hardcoded API key detected",
"file": "src/api/chat.ts",
"line": 45,
"column": 12,
"snippet": "const apiKey = 'sk-abc123...'",
"remediation": "Use environment variables"
}
],
"summary": {
"total": 1,
"critical": 0,
"high": 1,
"medium": 0,
"low": 0,
"info": 0
}
}
sarif
GitHub Code Scanning compatible format for the Security tab:
oculum scan -f sarif -o results.sarif
Use with the GitHub Action for automatic SARIF uploads.
markdown
Report-style output for documentation or sharing:
oculum scan -f markdown -o report.md
Examples
Basic Usage
# Scan current directory
oculum scan
# Scan specific directory
oculum scan src/
# Scan a single file
oculum scan src/api/chat.ts
Scan Depths
# Fast pattern matching (default)
oculum scan
# AI-validated scan (fewer false positives)
oculum scan --depth validated
# Full security audit
oculum scan --depth deep
CI/CD Integration
# Fail if high severity issues found
oculum scan --fail-on high
# Quiet mode for cleaner CI logs
oculum scan --fail-on high --quiet
# Generate SARIF for GitHub Security
oculum scan -f sarif -o results.sarif --fail-on high
Incremental Scanning
# Only scan changed files (great for PRs)
oculum scan --incremental
# Compare against main branch
oculum scan --diff main
# Compare against specific commit
oculum scan --diff abc1234
Filtering
# Ignore test files
oculum scan -i "**/*.test.ts" -i "**/*.spec.ts"
# Ignore entire directories
oculum scan -i "legacy/**" -i "vendor/**"
# Use multiple patterns
oculum scan -i "**/__tests__/**" -i "**/*.mock.ts"
Profiles
# Use a named profile from config
oculum scan -p ci
# Profiles override defaults but CLI flags win
oculum scan -p ci --verbose
Exit Codes
| Code | Meaning |
|---|---|
0 | Success - no findings at or above --fail-on threshold |
1 | Failure - findings found at or above --fail-on severity |
130 | User cancelled (Ctrl+C) |
Tips
For Local Development
- Use
cheapdepth for quick feedback during coding - Run
oculum watchfor continuous scanning as you edit
For CI/CD
- Use
--incrementalon PRs to focus on changed code - Use
validateddepth on main branch for accuracy - Always set
--fail-onto enforce quality gates
For Security Audits
- Use
deepdepth for comprehensive analysis - Run on the entire codebase, not just changed files
- Export results with
-f json -o audit.jsonfor records
Related
- watch - Continuous scanning during development
- Configuration - Config files and profiles
- Scan Depths - Understanding scan modes
- GitHub Action - CI/CD integration