scan source

Scans a local directory or remote Git repository for cryptographic vulnerabilities using SAST (static pattern detection) and SCA (dependency analysis).

Usage

qtz-discovery-cli scan source <path-or-url> [flags]
# Examples
qtz-discovery-cli scan source ./my-repo
qtz-discovery-cli scan source https://github.com/org/repo.git --branch develop
qtz-discovery-cli scan source ./my-repo --format dashboard --show-score
qtz-discovery-cli scan source ./my-repo --format csv --output findings.csv
qtz-discovery-cli scan source ./my-repo --fail-on critical
qtz-discovery-cli scan source ./my-repo --ignore RSA-001,HASH-001
qtz-discovery-cli scan source ./my-repo --baseline baseline.json
qtz-discovery-cli scan source ./my-repo --git-history --since 30d
qtz-discovery-cli scan source ./my-repo --llm --llm-quality deep

Flags

Source targeting

FlagDefaultDescription
--branchmainGit branch to scan
--commitPin to specific commit SHA
--depth0Shallow clone depth (0 = full history)
--tokenGit access token for private repos (QTZ_GIT_TOKEN)
--excludeGlob patterns to exclude (e.g. vendor/**)
--git-historyfalseScan git commit history for past crypto patterns
--since90dGit history time window (e.g. 30d, 2024-01-01)

Scan control

FlagDefaultDescription
--sasttrueEnable SAST (static pattern detection)
--scatrueEnable SCA (dependency analysis)
--ecosystemallSCA ecosystem filter: go|npm|python|maven|cargo|ruby|php|nuget|dart|elixir|swift|scala|clojure|haskell|r|erlang|perl|ocaml|nim|all
--sca-crypto-onlyfalseRestrict SCA output to crypto-relevant dependencies only (default: all deps included)
--sca-depth0Max transitive dependency resolution depth (0 = ecosystem default)
--sca-direct-onlyfalseOnly report directly declared dependencies; skip transitive
--sca-no-fetchfalseDisable network fetching from package registries (Maven Central, etc.)
--sca-no-cmdfalseDisable subprocess invocation for dependency resolution (mvn, gradle, etc.)
--sca-no-licensefalseDisable registry license enrichment (Maven Central, PyPI, crates.io, rubygems.org)

Repository cache

FlagDefaultDescription
--no-repo-cachefalseDisable clone cache; always re-clone remote repos into a temp dir
--repo-cache-ttl24hHow long a cached clone stays fresh before a git pull is triggered (e.g. 1h, 72h, 0 = always refresh)

Filtering & severity

FlagDefaultDescription
--min-severityinfoFilter findings below: critical|high|medium|low|info
--ignoreSuppress specific pattern IDs (e.g. RSA-001,HASH-001)
--ignore-categorySuppress entire categories (e.g. Asymmetric,Hash)
--fail-onExit 2 if findings at or above severity: critical|high|medium|low|info

Baseline comparison

FlagDefaultDescription
--baselineJSON file of previous findings — only report new findings
--update-baselinefalseOverwrite baseline file with current findings

Portal upload

FlagEnv varDefaultDescription
--source-idQTZ_SOURCE_IDSource UUID. Omit to auto-create a new source; provide to append scan results to an existing source.

AI analysis (requires portal connection)

FlagDefaultDescription
--llmfalseEnable AI-driven deep analysis (requires --server)
--llm-qualityautoAnalysis depth: auto|fast|deep|chain
--llm-max-files50Max source files sent to AI per scan (0 = unlimited)
--llm-batch-size10File chunks per AI server request
--llm-chunk-window300Lines per chunk for large-file splitting
--llm-chunk-overlap50Overlap lines between adjacent chunks (0 = none)
--scan-budgetMax USD for AI analysis (e.g. 2.50; 0 = unlimited)
--dry-runfalseCount candidate files without running AI analysis (requires --llm)
--resumefalseResume an interrupted AI scan
--checkpoint-fileExplicit checkpoint file path (default: auto-computed)

Reporting

FlagDefaultDescription
--show-scorefalsePrint transition readiness score (0–100)

Exit Codes

CodeMeaning
0Success
1General error (bad config, auth failure, I/O error, etc.)
2Scan completed but --fail-on threshold was exceeded

CI/CD Example

- name: Crypto scan
  run: |
    qtz-discovery-cli scan source . \
      --fail-on critical \
      --format sarif \
      --output results.sarif

See CI/CD Integration for a complete GitHub Actions workflow.