The Hullchecks CLI
Inspect a project from your terminal. It runs the scanners locally in a sandbox — your code is read, never executed, and never leaves your machine.
Run it
No install needed with npx:
terminal
npx @hullchecks/cli .
Or install it globally:
terminal
npm i -g @hullchecks/cli
hullchecks .
Examples
terminal
# scan a folder
hullchecks ./apps/web
# scan a zip
hullchecks ./build.zip
# machine-readable output
hullchecks . --json > report.json
# fail the build on any high-or-critical finding
hullchecks . --fail-on high
Options
<path> — Directory or .zip to inspect. Defaults to the current directory.
--json — Emit the full report as JSON (for CI or piping to jq).
--fail-on <level> — Exit non-zero at this severity or above: critical | high | medium | none. Default: critical.
--semgrep-config <path> — Use your own Semgrep rules instead of the bundled offline set.
--help / --version — Print usage or the version.
Exit codes
0 — Inspection ran; nothing at or above the --fail-on level.
1 — Findings at or above the --fail-on level (use this to break the build).
2 — The CLI couldn't run — bad arguments or a scanner missing from PATH.
Requirements
Node 20+. The CLI shells out to the pinned scanners (Gitleaks, Semgrep, Trivy); install them once, or run the published Docker image which bundles them — see CI & GitHub.
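The following CI gate is an added example, not part of the Hullchecks documentation. It checks the requirements up front and keeps exit code 1 (findings) separate from exit code 2 (scan did not run), so a missing scanner is never read as a clean result. Assumptions: the scanner binaries are named gitleaks, semgrep and trivy, --json and --fail-on can be combined in one run, and the function names and the HULLCHECKS_TOOLS variable are hypothetical.

```shell
#!/bin/sh
# Added example: CI gate around the Hullchecks CLI (not Hullchecks' own code).
# Assumed binary names on PATH: node, gitleaks, semgrep, trivy.

# Return 0 if every named tool is on PATH; otherwise list the missing ones.
preflight() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] && return 0
    echo "missing from PATH:$missing" >&2
    return 1
}

# Map the documented exit codes to a verdict string.
classify_exit() {
    case "$1" in
        0) echo pass ;;
        1) echo findings ;;
        2) echo tool-error ;;
        *) echo unknown ;;
    esac
}

# Run the scan, keep the JSON report, return 0 / 1 / 2 for the pipeline.
# Usage: hullchecks_gate [path] [fail-on level] [report file]
hullchecks_gate() {
    target="${1:-.}"; level="${2:-high}"; report="${3:-report.json}"
    # HULLCHECKS_TOOLS (hypothetical) overrides the list of required tools.
    # shellcheck disable=SC2086  # word splitting of the tool list is intended
    preflight ${HULLCHECKS_TOOLS:-node gitleaks semgrep trivy} || return 2
    rc=0
    # Assumption: --json and --fail-on may be used together.
    hullchecks "$target" --json --fail-on "$level" > "$report" || rc=$?
    case "$(classify_exit "$rc")" in
        pass)
            echo "hullchecks: nothing at or above $level" >&2; return 0 ;;
        findings)
            echo "hullchecks: findings at or above $level, see $report" >&2
            return 1 ;;
        *)
            # Exit 2 or anything unexpected: the inspection did not complete.
            echo "hullchecks: scan did not run (exit $rc), not a clean result" >&2
            return 2 ;;
    esac
}
```

Source the file in a CI step and call `hullchecks_gate ./apps/web high report.json`; archive the report even when the step fails.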