Quick Start

This guide gets you from installation to your first scan in a few minutes. If you haven't installed scd yet, start with the Installation guide.


Your first scan

# Go to any project you work on
cd /path/to/your/project

# Register the project and run a scan
scd init
scd scan

scd init registers the project in ~/.scd/repos/ — nothing is written to your repository. You only need to run this once per project.

scd scan runs a full security scan and prints a summary to the terminal:

─── Summary ────────────────────────────────────────────────────────────
2 CRITICAL
Manual scan · 2 findings total · scan: full · trust: balanced
────────────────────────────────────────────────────────────────────────

Top issues:
CRIT 1 SECRET-008 Stripe Secret Key
CRIT 1 JS-SECRET-001 Hardcoded API key or secret in source code

Most affected files:
CRIT 2 users.js (Lines: 8)

──────────────────────────────────────────────────────────────
Full details: scd report open or scd report serve (Linux/Firefox)
All findings: scd scan --verbose or scd export-findings

Explore findings

# List open findings with their IDs
scd findings

# See full detail for a specific finding
scd findings f-c057b31ef5

# Show all findings with problem description and fix guidance
scd findings --verbose

Findings are grouped by severity, each row led by its finding ID — the ID you pass to scd findings <id>, scd accept, and scd ignore:

Findings Accumulated · last scan just now · open findings only

CRITICAL (2)
f-c057b31ef5 CRIT Stripe Secret Key users.js:8 SECRET-008
f-cef6199bb4 CRIT Hardcoded API key or secret in source code users.js:8 JS-SECRET-001

2 finding(s) 2 critical
scd accept <finding-id> --reason "..." or scd ignore <finding-id> --reason "..."

Generate a report

# Generate an HTML report from the last scan
scd report

# Open the report in your browser
scd report open    # macOS / Windows
scd report serve   # Linux / Firefox (starts a local HTTP server)

Reports include fix guidance for every finding.


Handle a finding

When a finding is a false positive or an accepted risk, you can create an exception:

# Accept a risk (pending team lead approval if connected to scd-server)
scd accept f-c057b31ef5 --reason "Input validated upstream, parameterized internally"

# Mark as false positive
scd ignore f-cef6199bb4 --reason "Test fixture, not shipped" --tag false_positive

Exceptions are stored in ~/.scd/repos/{repoId}/exceptions.jsonl — never as code comments.


Git hooks

Once you have run scd install, git hooks run automatically:

  • pre-commit — fast secrets scan. Blocks the commit if secrets are found.
  • pre-push — full OWASP scan. Blocks the push if CRITICAL or HIGH findings are found (configurable).

You don't need to do anything — just work normally. scd runs in the background.
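For environments where the git hooks are not installed (a CI job, a one-off audit on a checkout), the same CRITICAL/HIGH gate the pre-push hook applies can be reproduced from the `scd findings` listing shown above. The script below is an added example, not part of scd or its documentation: it assumes only the row layout shown on this page (`f-<id> <SEVERITY> <title> <file:line> <rule>`), the sample input is constructed from that listing, and the severity list passed to `gate` is a hypothetical parameter of this script, not an scd option.

```shell
#!/bin/sh
# Added example, not scd's own code. Assumes the `scd findings` table layout
# shown on this page: one finding per row, first column is the finding ID
# (f-<hex>), second column is the severity (CRIT, HIGH, ...).

# Constructed sample, copied from the listing format shown on this page.
SAMPLE_FINDINGS='Findings Accumulated · last scan just now · open findings only

CRITICAL (2)
f-c057b31ef5 CRIT Stripe Secret Key users.js:8 SECRET-008
f-cef6199bb4 CRIT Hardcoded API key or secret in source code users.js:8 JS-SECRET-001

2 finding(s) 2 critical'

# count_blocking "<severity list>": reads findings rows on stdin and prints the
# number of rows whose severity column is in the list, e.g. "CRIT HIGH".
# Header, section and summary lines do not start with f-<hex> and are skipped.
count_blocking() {
  awk -v sevs="$1" '
    BEGIN { n = split(sevs, a, " "); for (i = 1; i <= n; i++) block[a[i]] = 1 }
    $1 ~ /^f-[0-9a-f]+$/ && ($2 in block) { c++ }
    END { print c + 0 }'
}

# gate "<severity list>": returns 1 (blocking) when any finding at a listed
# severity is present on stdin, 0 otherwise. Mirrors the pre-push default of
# blocking on CRITICAL or HIGH; pass a different list to change the threshold.
gate() {
  n=$(count_blocking "$1")
  if [ "$n" -gt 0 ]; then
    echo "blocked: $n open finding(s) at severity $1" >&2
    return 1
  fi
  echo "ok: no open findings at severity $1" >&2
  return 0
}

# Usage in a CI step (assumes scd is installed and the project registered):
#   scd scan && scd findings | gate "CRIT HIGH" || exit 1
```

The gate reads the human-readable table, so it only stays correct as long as the first two columns keep the layout shown above; where a pipeline needs something sturdier, `scd export-findings` (mentioned in the scan summary) is the place to look, since its output format is not documented on this page and is not assumed here.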


Connect to scd-server (Team)

scd-server requires a Team subscription.

If your organisation runs scd-server, your admin will create a user account for you in Admin → Users and share a personal CLI token. Tokens are shown once at creation.

scd configure --central-url http://your-server:3000
scd configure --token <your-personal-token>
scd doctor # verify connection

Run a scan to activate your installation on the server:

scd scan

Once connected, scans are pushed to the team dashboard automatically, and you can sync exception approvals:

scd sync

See scd-server overview for more.


Next steps