Installing & updating scd
scd is available on npm and GitHub.
Requirements
- Node.js 22 or later
- Git
- npm (included with Node.js)
Windows: Windows 10 (build 1803) or later. Git for Windows must be installed (not WSL). Windows Terminal or PowerShell recommended — cmd.exe has limited colour support.
1. Install Node.js
If you already have Node.js 22 or later installed, skip this step.
macOS
The recommended approach is nvm (Node Version Manager):
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
# Restart your terminal, then:
nvm install 22
nvm use 22
node --version # should show v22.x.x
Alternatively, download the installer directly from nodejs.org.
Linux
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
# Restart your terminal, then:
nvm install 22
nvm use 22
node --version
Or use your distribution's package manager — but verify the version is 22 or later. Many distros ship an older Node.js by default.
Windows
Download and run the Node.js 22 LTS installer from nodejs.org. The installer includes npm.
Verify in PowerShell or Command Prompt:
node --version # should show v22.x.x
npm --version
If npm scripts fail with a policy error, run this once in an elevated PowerShell window:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
2. Install scd
npm install -g @activemind/scd
scd --version # verify
Package page: npmjs.com/package/@activemind/scd
If you have cloned the repository and want to run from source:
cd scd
npm install
npm link
To remove the dev link: npm unlink -g @activemind/scd
3. Install git hooks
scd uses git hooks to scan your code automatically — secrets scanning before commits, full OWASP scan before pushes. The hooks are installed globally on your machine, so every git repository you work in is protected automatically.
scd install
Run this once per machine. It sets up the hooks in ~/.scd/hooks/ and configures git to use them globally.
Verify the setup:
scd doctor
To remove the hooks from a machine:
scd uninstall
This removes the global hooks and the git configuration, but preserves your scan history and exceptions in ~/.scd/.
4. Register a project
Once the hooks are installed, register each project you want to work with:
cd /path/to/your/project
scd init
scd scan # run your first scan
scd init creates a per-project config in ~/.scd/repos/ — nothing is written to your repository.
scd install vs scd init
| | scd install | scd init |
|---|---|---|
| Scope | Machine-wide | Per project |
| Run | Once per machine | Once per project |
| What it does | Installs git hooks for all repos | Registers the project, creates config |
| Touches the repo | No | No |
scd install is the global step — without it, hooks do not run. scd init is the per-project step. scd doctor will tell you clearly if either step has been missed.
Where scd stores data
All scan history, configuration, and reports are stored outside your repositories:
~/.scd/ # macOS / Linux
%USERPROFILE%\.scd\ # Windows
config.yml ← central URL, token, timeouts, global defaults
scope.yml ← global scope exclusions (all repos)
repos/
{repoId}/
meta.json ← repo identity, last scan, timestamps
config.yml ← per-repo settings, rule configuration
exceptions.jsonl ← accepted/ignored exceptions (append-only)
scope.yml ← per-repo scope exclusions
scope-server.yml ← server-managed scope (read-only)
audit.log ← full scan history (append-only)
last-scan.json ← latest scan cache
scans/ ← one JSON per scan (never overwritten)
reports/ ← generated HTML/MD/JSON reports
exports/ ← exported JSON from scd export-findings
Uninstalling scd does not remove store data — your scan history is preserved.
Connect to scd-server (Team)
If your organisation runs scd-server, connect the CLI:
scd configure --central-url http://your-server:3000
scd configure --token <your-personal-token>
scd doctor # verify connection
Your admin creates your user account in Admin → Users on scd-server. The personal token is shown once at creation — store it securely. If you lose it, ask your admin to regenerate it.
Then run a scan to activate your installation on the server:
scd scan
Keeping scd up to date
Check your version and whether a newer one exists
scd --version # the version you have installed
npm view @activemind/scd version # the latest version published on npm
npm outdated -g @activemind/scd # npm's own up-to-date check (global installs)
If your version is behind, update with the command that matches how scd was installed (below).
If your machine is connected to scd-server, scd doctor already warns you when your CLI is older than the version your server requires.
How was scd installed?
The right update command depends on how scd was installed. To find out, locate the running scd and resolve any symlinks:
macOS / Linux
which scd # path to the running scd
readlink -f "$(which scd)" # resolve symlinks — reveals an npm link / dev source
npm ls -g @activemind/scd # is it a global npm package?
npm prefix -g # where global npm packages live
Windows (PowerShell)
Get-Command scd | Select-Object Source # full path under .Source
where.exe scd # use where.exe, not bare "where"
npm ls -g @activemind/scd
npm prefix -g # typically %AppData%\npm
Interpreting the result:
| The path resolves to… | Installed via | Update with |
|---|---|---|
| the global npm prefix (.../bin/scd, or %AppData%\npm\scd.cmd) | npm install -g | npm install -g @activemind/scd@latest |
| a project's node_modules/.bin/ | local project dependency | npm install @activemind/scd@latest in that project |
| a symlink into a source directory | npm link (development) | git pull + npm install in the source repo |
| nothing found | not on PATH | (re)install — see Install scd |
On Windows, npm installs a scd.cmd shim in the global prefix, so where.exe scd points at the shim rather than the JavaScript file — that is expected and is enough to tell the install method.
Update to the latest version
For the common case (a global npm install):
npm install -g @activemind/scd@latest # latest published version
npm install -g @activemind/scd@1.5.0 # or pin a specific version
For a development install (npm link), update the source instead:
cd <your scd source repo>
git pull
npm install
The commands above apply when scd was installed from npm. If you instead installed by downloading and verifying the signed release from dist.securecodebydesign.com (see Verifying releases), update by downloading and verifying the new release the same way, then reinstalling from the verified tarball. scd is a Node.js package in both cases — there is no separate standalone binary to replace.
Troubleshooting
Having problems? See the Troubleshooting page — the installation section there covers scd not found, PATH issues, and Node.js version conflicts.
Verifying releases
Every release is signed with minisign — a simple, auditable tool for verifying that a file has not been tampered with. minisign is available for macOS, Linux, and Windows.
To verify a release independently of npm and GitHub, using Activemind's own distribution server as a third source:
# Download checksums and signature (replace VERSION with the version you installed, e.g. v1.4.0)
curl -O https://dist.securecodebydesign.com/scd/VERSION/checksums.txt
curl -O https://dist.securecodebydesign.com/scd/VERSION/checksums.txt.minisig
# Download the public key
curl -O https://dist.securecodebydesign.com/scd/minisign.pub
# Verify
minisign -Vm checksums.txt -p minisign.pub
The checksums file contains SHA-256 and SHA-512 hashes of the npm package tarball. The public key is also committed to the repository root as minisign.pub — cross-reference both sources for the strongest guarantee.
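The minisign command above authenticates checksums.txt only; the tarball still has to be hashed and matched against that signed list, and the two copies of the public key compared. An added example (not part of the scd documentation or tooling) that does both, assuming checksums.txt lists lower-case hex digests as whitespace-separated fields; the function names and the demo files are hypothetical and constructed:

```shell
#!/bin/sh
# Added example, not scd tooling. Assumption: checksums.txt lists lower-case
# hex digests as whitespace-separated fields. Function names are hypothetical.

# digest BITS FILE: print the SHA-256 or SHA-512 hex digest of FILE.
digest() {
  if command -v "sha${1}sum" >/dev/null 2>&1; then
    "sha${1}sum" "$2" | awk '{print $1}'
  else
    shasum -a "$1" "$2" | awk '{print $1}'   # macOS fallback
  fi
}

# tarball_in_checksums CHECKSUMS TARBALL: succeed only if both the SHA-256
# and the SHA-512 digest of TARBALL appear as whole fields in CHECKSUMS.
# Call it only after `minisign -Vm checksums.txt -p minisign.pub` succeeded.
tarball_in_checksums() {
  for bits in 256 512; do
    want=$(digest "$bits" "$2") || return 2
    [ -n "$want" ] || return 2
    awk -v d="$want" '{ for (i = 1; i <= NF; i++) if ($i == d) ok = 1 }
                      END { exit ok ? 0 : 1 }' "$1" || return 1
  done
}

# same_pubkey KEY_A KEY_B: compare the key line of two minisign public key
# files, skipping the "untrusted comment:" line, which may legitimately differ.
same_pubkey() {
  a=$(grep -v '^untrusted comment:' "$1" | head -n 1 | tr -d '\r')
  b=$(grep -v '^untrusted comment:' "$2" | head -n 1 | tr -d '\r')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo on constructed files (not a real scd release).
demo=$(mktemp -d)
printf 'constructed tarball bytes\n' > "$demo/pkg.tgz"
{ digest 256 "$demo/pkg.tgz"; digest 512 "$demo/pkg.tgz"; } > "$demo/checksums.txt"
tarball_in_checksums "$demo/checksums.txt" "$demo/pkg.tgz" && echo "tarball matches signed checksums"
rm -rf "$demo"
```

A non-zero status from either function means the install should stop: the tarball is not the one the signed list describes, or the key served next to the signature differs from the one committed to the repository.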