# Quick Start

This guide gets you from installation to your first scan in a few minutes. If you haven't installed scd yet, start with the Installation guide.
## Your first scan

```sh
# Go to any project you work on
cd /path/to/your/project

# Register the project and run a scan
scd init
scd scan
```

`scd init` registers the project in `~/.scd/repos/` — nothing is written to your repository. You only need to run this once per project.

`scd scan` runs a full security scan and prints a summary to the terminal:

```text
─── Summary ────────────────────────────────────────────────────────────
2 CRITICAL
Manual scan · 2 findings total · scan: full · trust: balanced
────────────────────────────────────────────────────────────────────────
Top issues:
  CRIT 1 SECRET-008 Stripe Secret Key
  CRIT 1 JS-SECRET-001 Hardcoded API key or secret in source code
Most affected files:
  CRIT 2 users.js (Lines: 8)
──────────────────────────────────────────────────────────────
Full details: scd report open or scd report serve (Linux/Firefox)
All findings: scd scan --verbose or scd export-findings
```
## Explore findings

```sh
# List open findings with their IDs
scd findings

# See full detail for a specific finding
scd findings f-c057b31ef5

# Show all findings with problem description and fix guidance
scd findings --verbose
```

Findings are grouped by severity, each row led by its finding ID — the ID you pass to `scd findings <id>`, `scd accept`, and `scd ignore`:

```text
Findings Accumulated · last scan just now · open findings only
CRITICAL (2)
  f-c057b31ef5 CRIT Stripe Secret Key users.js:8 SECRET-008
  f-cef6199bb4 CRIT Hardcoded API key or secret in source code users.js:8 JS-SECRET-001
2 finding(s) 2 critical
scd accept <finding-id> --reason "..." or scd ignore <finding-id> --reason "..."
```
## Generate a report

```sh
# Generate an HTML report from the last scan
scd report

# Open the report in your browser
scd report open    # macOS / Windows
scd report serve   # Linux / Firefox (starts a local HTTP server)
```

Reports include fix guidance for every finding.
## Handle a finding

When a finding is a false positive or an accepted risk, you can create an exception:

```sh
# Accept a risk (pending team lead approval if connected to scd-server)
scd accept f-c057b31ef5 --reason "Input validated upstream, parameterized internally"

# Mark as false positive
scd ignore f-cef6199bb4 --reason "Test fixture, not shipped" --tag false_positive
```

Exceptions are stored in `~/.scd/repos/{repoId}/exceptions.jsonl` — never as code comments.
## Git hooks

Once you have run `scd install`, git hooks run automatically:

- `pre-commit` — fast secrets scan. Blocks the commit if secrets are found.
- `pre-push` — full OWASP scan. Blocks the push if CRITICAL or HIGH findings are found (configurable).

You don't need to do anything — just work normally. scd runs in the background.
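To make the blocking rule behind the `pre-push` hook explicit, and to show how the finding rows listed under "Explore findings" can be consumed by a script, here is an added example. It is not part of scd or its documentation: a small POSIX shell gate that reads a listing in the `scd findings` row format shown above (ID, severity, title, file:line, rule) and fails when any CRIT or HIGH row is open. The sample listings are constructed for this example; the `LOW` severity label in the second listing, and the assumption that real output keeps this column order, are not taken from the page.

```shell
#!/bin/sh
# Added example, not part of scd. Gate on the severity column of an
# `scd findings`-style listing. Sample input is constructed in the row
# format shown in the Quick Start; real output may differ in layout.

# Constructed sample listing: two open CRIT findings (format as shown above).
SAMPLE_FINDINGS='Findings Accumulated · last scan just now · open findings only
CRITICAL (2)
  f-c057b31ef5 CRIT Stripe Secret Key users.js:8 SECRET-008
  f-cef6199bb4 CRIT Hardcoded API key or secret in source code users.js:8 JS-SECRET-001
2 finding(s) 2 critical'

# Constructed clean listing. The "LOW" label and the ID are assumed values.
SAMPLE_CLEAN='Findings Accumulated · last scan just now · open findings only
LOW (1)
  f-0000000000 LOW Example non-blocking finding config.js:3 EXAMPLE-001
1 finding(s)'

# count_blocking LISTING
# Prints the number of rows whose severity column is CRIT or HIGH.
# Rows are recognised by the "f-" finding-ID prefix in the first column,
# so section headers and the trailing summary line are skipped.
count_blocking() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^f-/ && ($2 == "CRIT" || $2 == "HIGH") { n++ } END { print n + 0 }'
}

# gate LISTING
# Returns 0 when nothing blocking is open, 1 otherwise, mirroring the
# documented pre-push behaviour of blocking on CRITICAL/HIGH findings.
gate() {
  n=$(count_blocking "$1")
  if [ "$n" -gt 0 ]; then
    echo "blocked: $n CRITICAL/HIGH finding(s) open" >&2
    return 1
  fi
  echo "ok: no CRITICAL/HIGH findings open"
  return 0
}

# Demo only when invoked as `sh gate.sh demo`, so sourcing the file has no side effects.
if [ "${1:-}" = "demo" ]; then
  gate "$SAMPLE_FINDINGS" || true
  gate "$SAMPLE_CLEAN"
fi
```

In a real hook you would feed the live listing instead of the sample, for example `gate "$(scd findings)"`. The hooks that `scd install` sets up already enforce this rule, so the script is only useful for understanding the policy or for adapting it in an environment where the threshold has been configured differently.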
## Connect to scd-server (Team)

scd-server requires a Team subscription.

If your organisation runs scd-server, your admin will create a user account for you in Admin → Users and share a personal CLI token. Tokens are shown once at creation.

```sh
scd configure --central-url http://your-server:3000
scd configure --token <your-personal-token>
scd doctor   # verify connection
```

Run a scan to activate your installation on the server:

```sh
scd scan
```

Once connected, scans are pushed to the team dashboard automatically, and you can sync exception approvals:

```sh
scd sync
```

See the scd-server overview for more.
## Next steps

- CLI reference — all commands and options
- Configuration — per-repo scan settings
- scd-server — team dashboard, exception approval, compliance reports