# scan source

Scans a local directory or a remote Git repository for cryptographic vulnerabilities using SAST (static pattern detection) and SCA (dependency analysis).

## Usage

```shell
qtz-discovery-cli scan source <path-or-url> [flags]

# Examples
# Scan a local checkout
qtz-discovery-cli scan source ./my-repo
# Scan a remote repository on a branch other than the default
qtz-discovery-cli scan source https://github.com/org/repo.git --branch develop
# Interactive dashboard output with the transition readiness score
qtz-discovery-cli scan source ./my-repo --format dashboard --show-score
# Write findings to a CSV file
qtz-discovery-cli scan source ./my-repo --format csv --output findings.csv
# Exit non-zero when any critical finding is present (CI gate)
qtz-discovery-cli scan source ./my-repo --fail-on critical
# Suppress specific pattern IDs
qtz-discovery-cli scan source ./my-repo --ignore RSA-001,HASH-001
# Report only findings that are new relative to a saved baseline
qtz-discovery-cli scan source ./my-repo --baseline baseline.json
# Also scan the last 30 days of commit history for past crypto patterns
qtz-discovery-cli scan source ./my-repo --git-history --since 30d
# AI-driven deep analysis (requires a portal connection)
qtz-discovery-cli scan source ./my-repo --llm --llm-quality deep
```
## Flags

### Source targeting

| Flag | Default | Description |
|------|---------|-------------|
| `--branch` | `main` | Git branch to scan |
| `--commit` | — | Pin to a specific commit SHA |
| `--depth` | — | Shallow clone depth |
| `--token` | — | Git access token for private repos |
| `--exclude` | — | Glob patterns to exclude (e.g. `vendor/**`) |
| `--git-history` | `false` | Scan git commit history for past crypto patterns |
| `--since` | `90d` | Git history time window (e.g. `30d`, `2024-01-01`) |
### Scan control

| Flag | Default | Description |
|------|---------|-------------|
| `--sast` | `true` | Enable SAST (static pattern detection) |
| `--sca` | `true` | Enable SCA (dependency analysis) |
| `--ecosystem` | `all` | SCA ecosystem filter; one of: `go`, `npm`, `python`, `maven`, `cargo`, `ruby`, `php`, `nuget`, `dart`, `elixir`, `swift`, `scala`, `clojure`, `haskell`, `r`, `erlang`, `perl`, `ocaml`, `nim`, `all` |
### Filtering & severity

| Flag | Default | Description |
|------|---------|-------------|
| `--min-severity` | — | Drop findings below the given severity; one of: `critical`, `high`, `medium`, `low`, `info` |
| `--ignore` | — | Suppress specific pattern IDs (e.g. `RSA-001,HASH-001`) |
| `--ignore-category` | — | Suppress entire categories (e.g. `Asymmetric,Hash`) |
| `--fail-on` | — | Exit non-zero if there are findings at or above the given severity; one of: `critical`, `high`, `medium`, `low`, `info` |
### Baseline comparison

| Flag | Default | Description |
|------|---------|-------------|
| `--baseline` | — | JSON file of previous findings; only findings not present in it are reported |
| `--update-baseline` | `false` | Overwrite the baseline file with the current findings |
### Portal upload

| Flag | Env var | Default | Description |
|------|---------|---------|-------------|
| `--source-id` | `QTZ_SOURCE_ID` | — | Source UUID. Omit to auto-create a new source; provide it to append scan results to an existing source. |
### AI analysis (requires portal connection)

| Flag | Default | Description |
|------|---------|-------------|
| `--llm` | `false` | Enable AI-driven deep analysis (requires `--server`) |
| `--llm-quality` | `auto` | Analysis depth; one of: `auto`, `fast`, `deep`, `chain` |
| `--llm-max-files` | `50` | Max source files sent to AI per scan (`0` = unlimited) |
| `--llm-batch-size` | `10` | File chunks per AI server request |
| `--llm-chunk-window` | `300` | Lines per chunk when splitting large files |
| `--llm-chunk-overlap` | `50` | Overlapping lines between adjacent chunks (`0` = none) |
| `--scan-budget` | — | Max USD for AI analysis (e.g. `2.50`; `0` = unlimited) |
| `--dry-run` | `false` | Count candidate files without running AI analysis (requires `--llm`) |
| `--resume` | `false` | Resume an interrupted AI scan |
| `--checkpoint-file` | — | Explicit checkpoint file path (default: auto-computed) |
### Reporting

| Flag | Default | Description |
|------|---------|-------------|
| `--show-score` | `false` | Print the transition readiness score (0–100) |
## Exit Codes

| Code | Meaning |
|------|---------|
| `0` | Success |
| `1` | General error (bad config, auth failure, I/O error, etc.) |
| `2` | Scan completed but the `--fail-on` threshold was exceeded |
## CI/CD Example

```yaml
- name: Crypto scan
  run: |
    qtz-discovery-cli scan source . \
      --fail-on critical \
      --format sarif \
      --output results.sarif
```

See CI/CD Integration for a complete GitHub Actions workflow.
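The wrapper below is an added example, not part of the qtz-discovery-cli documentation or of the tool itself. It puts the exit-code table and the baseline flags to work in a CI job: exit code `2` (the scan ran and the `--fail-on` threshold was hit) is reported as a finding, while exit code `1` (the scan itself failed) is reported as a job error, so a broken token or a network problem is never mistaken for a clean run. On the first run for a repository, when no baseline file exists yet, it records the current findings with `--update-baseline` instead of gating, so later runs only fail on new findings. The scanner command is passed in as arguments (which also lets the wrapper be exercised with a stub); it assumes that `--update-baseline` writes to the path given with `--baseline`, and the file names `baseline.json` and `results.sarif` are constructed.

```shell
#!/bin/sh
# Added example (not from the qtz-discovery-cli docs): a CI gate around
# "scan source" that maps the documented exit codes to an outcome word and
# bootstraps a baseline the first time a repository is scanned.
#
# Assumptions (not stated on the reference page):
#   - the scanner command and its subcommand are passed as arguments, e.g.
#       run_scan baseline.json qtz-discovery-cli scan source .
#   - --update-baseline writes the current findings to the --baseline path
#   - baseline.json / results.sarif are constructed file names

# classify_exit STATUS: print an outcome word for a scan exit code.
#   0 -> clean        (scan ran, nothing at or above --fail-on)
#   2 -> gate-failed  (scan ran, --fail-on threshold exceeded)
#   * -> error        (bad config, auth failure, I/O error: not a finding)
classify_exit() {
    case "$1" in
        0) printf 'clean\n' ;;
        2) printf 'gate-failed\n' ;;
        *) printf 'error\n' ;;
    esac
}

# run_scan BASELINE_FILE SCANNER [args...]: run one gated scan.
# First run (no baseline yet): record the current findings as the baseline
# and do not gate, so an existing backlog does not block the pipeline.
# Later runs: report only findings that are new relative to the baseline
# and fail on anything of severity high or above. The scanner is run inside
# an "if" so a non-zero exit is captured rather than aborting under set -e.
run_scan() {
    baseline=$1
    shift
    if [ -f "$baseline" ]; then
        if "$@" --baseline "$baseline" --fail-on high \
                --format sarif --output results.sarif; then
            status=0
        else
            status=$?
        fi
    else
        if "$@" --baseline "$baseline" --update-baseline; then
            status=0
        else
            status=$?
        fi
    fi
    classify_exit "$status"
}

# Stand-alone use:
#   sh crypto_gate.sh baseline.json qtz-discovery-cli scan source .
# Exits non-zero (for CI) unless the outcome is "clean"; the printed outcome
# tells the pipeline whether the failure is a finding or a job error.
if [ "$#" -ge 2 ]; then
    outcome=$(run_scan "$@")
    echo "crypto gate: $outcome"
    [ "$outcome" = "clean" ]
fi
```

In a pipeline step, capture the printed outcome word and route it: `gate-failed` should fail the build and surface `results.sarif`, while `error` should fail the build and alert whoever owns the scanner configuration, since no findings were produced at all.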