Skip to main content

Installing & updating scd

scd is available on npm and GitHub.

Requirements

  • Node.js 22 or later
  • Git
  • npm (included with Node.js)

Windows: Windows 10 (build 1803) or later. Git for Windows must be installed (not WSL). Windows Terminal or PowerShell recommended — cmd.exe has limited colour support.


1. Install Node.js

If you already have Node.js 22 or later installed, skip this step.

macOS

The recommended approach is nvm (Node Version Manager):

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
# Restart your terminal, then:
nvm install 22
nvm use 22
node --version # should show v22.x.x

Alternatively, download the installer directly from nodejs.org.

Linux
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
# Restart your terminal, then:
nvm install 22
nvm use 22
node --version

Or use your distribution's package manager — but verify the version is 22 or later. Many distros ship an older Node.js by default.

Windows

Download and run the Node.js 22 LTS installer from nodejs.org. The installer includes npm.

Verify in PowerShell or Command Prompt:

node --version # should show v22.x.x
npm --version
PowerShell execution policy

If npm scripts fail with a policy error, run this once in an elevated PowerShell window:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

2. Install scd

npm install -g @activemind/scd
scd --version # verify

Package page: npmjs.com/package/@activemind/scd

Development install

If you have cloned the repository and want to run from source:

cd scd
npm install
npm link

To remove the dev link: npm unlink -g @activemind/scd


3. Install git hooks

scd uses git hooks to scan your code automatically — secrets scanning before commits, full OWASP scan before pushes. The hooks are installed globally on your machine, so every git repository you work in is protected automatically.

scd install

Run this once per machine. It sets up the hooks in ~/.scd/hooks/ and configures git to use them globally.

Verify the setup:

scd doctor

To remove the hooks from a machine:

scd uninstall

This removes the global hooks and the git configuration, but preserves your scan history and exceptions in ~/.scd/.


4. Register a project

Once the hooks are installed, register each project you want to work with:

cd /path/to/your/project
scd init
scd scan # run your first scan

scd init creates a per-project config in ~/.scd/repos/ — nothing is written to your repository.

scd install vs scd init

scd installscd init
ScopeMachine-widePer project
RunOnce per machineOnce per project
What it doesInstalls git hooks for all reposRegisters the project, creates config
Touches the repoNoNo

scd install is the global step — without it, hooks do not run. scd init is the per-project step. scd doctor will tell you clearly if either step has been missed.


Where scd stores data

All scan history, configuration, and reports are stored outside your repositories:

~/.scd/ # macOS / Linux
%USERPROFILE%\.scd\ # Windows

config.yml ← central URL, token, timeouts, global defaults
scope.yml ← global scope exclusions (all repos)
repos/
{repoId}/
meta.json ← repo identity, last scan, timestamps
config.yml ← per-repo settings, rule configuration
exceptions.jsonl ← accepted/ignored exceptions (append-only)
scope.yml ← per-repo scope exclusions
scope-server.yml ← server-managed scope (read-only)
audit.log ← full scan history (append-only)
last-scan.json ← latest scan cache
scans/ ← one JSON per scan (never overwritten)
reports/ ← generated HTML/MD/JSON reports
exports/ ← exported JSON from scd export-findings

Uninstalling scd does not remove store data — your scan history is preserved.


Connect to scd-server (Team)

If your organisation runs scd-server, connect the CLI:

scd configure --central-url http://your-server:3000
scd configure --token <your-personal-token>
scd doctor # verify connection

Your admin creates your user account in Admin → Users on scd-server. The personal token is shown once at creation — store it securely. If you lose it, ask your admin to regenerate it.

Then run a scan to activate your installation on the server:

scd scan

Keeping scd up to date

Check your version and whether a newer one exists

scd --version # the version you have installed
npm view @activemind/scd version # the latest version published on npm
npm outdated -g @activemind/scd # npm's own up-to-date check (global installs)

If your version is behind, update with the command that matches how scd was installed (below).

scd doctor

If your machine is connected to scd-server, scd doctor already warns you when your CLI is older than the version your server requires.

How was scd installed?

The right update command depends on how scd was installed. To find out, locate the running scd and resolve any symlinks:

macOS / Linux

which scd # path to the running scd
readlink -f "$(which scd)" # resolve symlinks — reveals an npm link / dev source
npm ls -g @activemind/scd # is it a global npm package?
npm prefix -g # where global npm packages live

Windows (PowerShell)

Get-Command scd | Select-Object Source # full path under .Source
where.exe scd # use where.exe, not bare "where"
npm ls -g @activemind/scd
npm prefix -g # typically %AppData%\npm

Interpreting the result:

The path resolves to…Installed viaUpdate with
the global npm prefix (.../bin/scd, or %AppData%\npm\scd.cmd)npm install -gnpm install -g @activemind/scd@latest
a project's node_modules/.bin/local project dependencynpm install @activemind/scd@latest in that project
a symlink into a source directorynpm link (development)git pull + npm install in the source repo
nothing foundnot on PATH(re)install — see Install scd

On Windows, npm installs a scd.cmd shim in the global prefix, so where.exe scd points at the shim rather than the JavaScript file — that is expected and is enough to tell the install method.

Update to the latest version

For the common case (a global npm install):

npm install -g @activemind/scd@latest # latest published version
npm install -g @activemind/scd@1.5.0 # or pin a specific version

For a development install (npm link), update the source instead:

cd <your scd source repo>
git pull
npm install
npm install vs verified download

The commands above apply when scd was installed from npm. If you instead installed by downloading and verifying the signed release from dist.securecodebydesign.com (see Verifying releases), update by downloading and verifying the new release the same way, then reinstalling from the verified tarball. scd is a Node.js package in both cases — there is no separate standalone binary to replace.


Troubleshooting

Having problems? See the Troubleshooting page — the installation section there covers scd not found, PATH issues, and Node.js version conflicts.


Verifying releases

Every release is signed with minisign — a simple, auditable tool for verifying that a file has not been tampered with. minisign is available for macOS, Linux, and Windows.

To verify a release independently of npm and GitHub, using Activemind's own distribution server as a third source:

# Download checksums and signature (replace VERSION with the version you installed, e.g. v1.4.0)
curl -O https://dist.securecodebydesign.com/scd/VERSION/checksums.txt
curl -O https://dist.securecodebydesign.com/scd/VERSION/checksums.txt.minisig

# Download the public key
curl -O https://dist.securecodebydesign.com/scd/minisign.pub

# Verify
minisign -Vm checksums.txt -p minisign.pub

The checksums file contains SHA-256 and SHA-512 hashes of the npm package tarball. The public key is also committed to the repository root as minisign.pub — cross-reference both sources for the strongest guarantee.

What version am I running?
scd version