# CLI Reference
Complete reference for the scanrook CLI. All subcommands, flags, defaults, environment variables, and example invocations.
## Global flags
These flags apply to all subcommands.
| Flag | Description | Default |
|---|---|---|
| `--cache-dir <DIR>` | Cache directory for API results and SBOMs | `~/.scanrook/cache` |
| `--yara <FILE>` | YARA rules file for deep scans | (none) |
| `--nvd-api-key <KEY>` | NVD API key for enrichment | `$NVD_API_KEY` |
| `--api-base <URL>` | ScanRook API base URL for CLI auth/limits | `https://scanrook.io` |
| `--api-key <KEY>` | ScanRook API key (overrides saved config) | (saved config) |
| `--progress` | Emit progress events to stderr | `false` |
| `--progress-file <FILE>` | Write NDJSON progress events to a file | (none) |
| `--log-format <text\|json>` | Log output format for stderr progress | `text` |
| `--log-level <error\|warn\|info\|debug>` | Log verbosity threshold | `info` |
## scanrook scan
Smart scan: auto-detect file type (container tar, source tar, ISO, or binary) and produce a report. Accepts either a local file path or a Docker/OCI image reference.
| Flag | Description | Default |
|---|---|---|
| `-f, --file <PATH>` | Path to file (tar/tar.gz/tar.bz2/iso/bin) | (required unless `--image`) |
| `--image <REF>` | Docker/OCI image reference to scan (e.g., `alpine:3.20`, `ubuntu:latest`). Pulls and saves the image automatically. | (required unless `--file`) |
| `--format <json\|text>` | Output format | `json` |
| `--out <PATH>` | Output file for JSON format | (stdout) |
| `--refs` | Include references in report | `false` |
| `--mode <light\|deep>` | Scan mode (deep enables YARA if available) | `light` |
| `--oval-redhat <PATH>` | Red Hat OVAL XML for fixed checks in RPM scans | (none) |
```shell
scanrook scan --file ./myapp.tar --mode deep --format json --out report.json
scanrook scan --image alpine:3.20 --format json --out report.json
```

## scanrook container
Scan a container image from a saved tar archive.
| Flag | Description | Default |
|---|---|---|
| `-t, --tar <PATH>` | Path to container tar | (required) |
| `--mode <light\|deep>` | Scan mode | `light` |
| `--format <json\|text>` | Output format | `text` |
| `--out <PATH>` | Output file for JSON format | (stdout) |
| `--sbom` | Generate SBOM using syft and include in report | `false` |
| `--oval-redhat <PATH>` | Red Hat OVAL XML for fixed checks | (none) |
```shell
scanrook container --tar ./image.tar --sbom --format json --out report.json
```

## scanrook bin
Scan a binary file (ELF, PE, or Mach-O).
| Flag | Description | Default |
|---|---|---|
| `-p, --path <PATH>` | Path to binary file | (required) |
| `--format <json\|text>` | Output format | `text` |
| `--out <PATH>` | Output file for JSON format | (stdout) |
| `--mode <light\|deep>` | Scan mode | `light` |
```shell
scanrook bin --path ./myapp --format json --out report.json
```

## scanrook source
Scan a source code tarball for dependency vulnerabilities.
| Flag | Description | Default |
|---|---|---|
| `-t, --tar <PATH>` | Path to source tarball | (required) |
| `--format <json\|text>` | Output format | `text` |
| `--out <PATH>` | Output file for JSON format | (stdout) |
```shell
scanrook source --tar ./project.tar.gz --format json --out report.json
```

## scanrook license
Detect the software license of a file or project directory.
| Flag | Description | Default |
|---|---|---|
| `-p, --path <PATH>` | Path to file or directory to scan for license | (required) |
```shell
scanrook license --path ./project/
```

## scanrook sbom import
Import an SBOM (CycloneDX JSON, SPDX JSON, or Syft JSON) and enrich with vulnerability data.
| Flag | Description | Default |
|---|---|---|
| `-f, --file <PATH>` | Path to SBOM JSON | (required) |
| `--format <json\|text>` | Output format | `json` |
| `--out <PATH>` | Output file | (stdout) |
| `--mode <light\|deep>` | Scan mode | `light` |
| `--refs` | Include references in report | `false` |
```shell
scanrook sbom import --file ./sbom.cdx.json --format json --out sbom-report.json
```

## scanrook sbom diff
Compare two SBOM snapshots to track package changes over time.
| Flag | Description | Default |
|---|---|---|
| `--baseline <PATH>` | Baseline SBOM JSON path | (required) |
| `--current <PATH>` | Current SBOM JSON path | (required) |
| `--json` | Emit JSON diff output | `false` |
| `--out <PATH>` | Output file | (stdout) |
```shell
scanrook sbom diff --baseline ./sbom-prev.json --current ./sbom-new.json --json --out diff.json
```

## scanrook sbom policy
Check an SBOM diff against a policy file. Exits with code 1 if the policy is violated.
| Flag | Description | Default |
|---|---|---|
| `--policy <PATH>` | Path to policy file (YAML or JSON) | (required) |
| `--diff <PATH>` | Path to diff JSON from `sbom diff --json` | (required) |
| `--report <PATH>` | Path to current scan report JSON (optional, used for severity checks) | (none) |
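Chaining `sbom diff --json` into `sbom policy` as a CI gate, as an added example that is not part of the scanrook reference. It assumes `scanrook` is on PATH (overridable through `$SCANROOK`); the `sbom_gate` function name and all file paths are placeholders constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the scanrook docs: fail a CI build when the package
# drift between a committed baseline SBOM and the freshly built artifact's SBOM
# violates the policy file. $SCANROOK lets a stub stand in for the real binary.
SCANROOK="${SCANROOK:-scanrook}"

# sbom_gate BASELINE CURRENT POLICY REPORT WORKDIR
#   REPORT may be empty; when given it is passed as --report so the policy can
#   also apply severity checks against the current scan report.
# Exit status: 0 = policy passed, 1 = policy violated (scanrook's documented
#              exit code), 2 = the diff step failed, anything else = unexpected.
sbom_gate() {
  baseline=$1; current=$2; policy=$3; report=$4; workdir=$5
  diff_json="$workdir/sbom-diff.json"

  # Step 1: machine-readable diff of the two SBOM snapshots. --json is needed
  # because `sbom policy --diff` consumes the JSON form of the diff.
  "$SCANROOK" sbom diff --baseline "$baseline" --current "$current" \
      --json --out "$diff_json" || return 2

  # Step 2: evaluate the diff against the policy, with or without --report.
  if [ -n "$report" ]; then
    "$SCANROOK" sbom policy --policy "$policy" --diff "$diff_json" --report "$report"
  else
    "$SCANROOK" sbom policy --policy "$policy" --diff "$diff_json"
  fi
  rc=$?
  if [ "$rc" -eq 1 ]; then
    echo "sbom policy violated; details in $diff_json" >&2
  fi
  return "$rc"
}

# Invoke as: sh sbom-gate.sh BASELINE CURRENT POLICY [REPORT] [WORKDIR]
# (placeholder paths; a pipeline would promote CURRENT to BASELINE on success).
[ $# -eq 0 ] || sbom_gate "$1" "$2" "$3" "${4:-}" "${5:-.}"
```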
```shell
scanrook sbom policy --policy ./policy.yaml --diff ./diff.json --report ./report.json
```

## scanrook db
Manage the local vulnerability cache.
### db status
Show local cache path and size.
```shell
scanrook db status
```

### db check
Check local cache, remote source connectivity, and PostgreSQL cache health.
```shell
scanrook db check
```

### db sources
List vulnerability data sources ScanRook uses (active and planned).
| Flag | Description | Default |
|---|---|---|
| `--json` | Emit JSON output | `false` |
```shell
scanrook db sources --json
```

### db clear
Remove local cache contents.
```shell
scanrook db clear
```

### db update
Refresh selected source caches. Optionally warm up with an artifact scan.
| Flag | Description | Default |
|---|---|---|
| `--source <all\|nvd\|osv\|redhat>` | Source to refresh | `all` |
| `-f, --file <PATH>` | Optional artifact path for scan-driven warm-up | (none) |
| `--mode <light\|deep>` | Scan mode if `--file` is provided | `deep` |
| `--cve <ID>` | Optional CVE ID seed for NVD/OSV/Red Hat refresh | (none) |
| `--errata <ID>` | Optional Red Hat errata ID seed (e.g. `RHSA-2022:8162`) | (none) |
```shell
scanrook db update --source all --file ./myapp.tar
```

### db download
Download and pre-warm local vulnerability DB/cache for an artifact.
| Flag | Description | Default |
|---|---|---|
| `-f, --file <PATH>` | Artifact path to prefetch advisories for | (required) |
| `--mode <light\|deep>` | Scan mode during prefetch | `deep` |
```shell
scanrook db download --file ./myapp.tar
```

### db warm
Pre-warm local cache by scanning an artifact.
| Flag | Description | Default |
|---|---|---|
| `-f, --file <PATH>` | Artifact path for warm-up | (required) |
| `--mode <light\|deep>` | Scan mode during warm-up | `deep` |
```shell
scanrook db warm --file ./myapp.tar
```

## scanrook benchmark
Benchmark ScanRook against Trivy and Grype on the same artifact.
| Flag | Description | Default |
|---|---|---|
| `-f, --file <PATH>` | Artifact path (tar/iso/bin) | (required) |
| `--out-dir <DIR>` | Output directory for `summary.csv` and tool JSON outputs | `benchmark-out` |
| `--profile <warm\|cold\|no-cache>` | Benchmark profile | `warm` |
```shell
scanrook benchmark --file ./myapp.tar --profile cold --out-dir ./bench-results
```

## scanrook diff
Diff CVE IDs between a ScanRook report and another scanner's output.
| Flag | Description | Default |
|---|---|---|
| `--ours <PATH>` | ScanRook report JSON path | (required) |
| `--against <PATH>` | Other report JSON path (Trivy/Grype/ScanRook) | (required) |
| `--out <PATH>` | Optional JSON output for full diff details | (none) |
```shell
scanrook diff --ours ./scanrook-report.json --against ./trivy-report.json --out diff.json
```

## scanrook auth
Authentication and local CLI credential management.
### auth login
Save an API key or start the device authorization flow.
| Flag | Description | Default |
|---|---|---|
| `--api-key <KEY>` | API key to save | (device flow) |
| `--api-base <URL>` | API base URL | `https://scanrook.io` |
```shell
scanrook auth login --api-key sr_live_abc123
```

### auth logout
Remove stored API key from local configuration.
```shell
scanrook auth logout
```

## Other commands
Identity, limits, and configuration management.
### scanrook whoami
Show current caller identity against the ScanRook API.
| Flag | Description | Default |
|---|---|---|
| `--json` | Emit JSON output | `false` |
```shell
scanrook whoami --json
```

### scanrook limits
Show cloud-enrichment limit status and remaining quota.
| Flag | Description | Default |
|---|---|---|
| `--json` | Emit JSON output | `false` |
```shell
scanrook limits
```

### scanrook config set
Set a config value. Key-value pairs are persisted to the local config file.
```shell
scanrook config set telemetry.opt_in true
```

## Environment variables
All environment variables recognized by the CLI: the `SCANNER_*` family plus `NVD_API_KEY` and `DATABASE_URL`.
| Variable | Purpose | Default |
|---|---|---|
| `NVD_API_KEY` | NVD API key for enrichment (also via `--nvd-api-key` flag) | -- |
| `DATABASE_URL` | PostgreSQL connection string for CVE caching | -- |
| `SCANNER_CACHE` | Override cache directory | `~/.scanrook/cache` |
| `SCANNER_SKIP_CACHE` | Set to `1` to disable file caching | (unset) |
| `SCANNER_NVD_ENRICH` | Toggle NVD enrichment (`0` to disable) | `1` |
| `SCANNER_OSV_ENRICH` | Toggle OSV enrichment (`0` to disable) | `1` |
| `SCANNER_FORCE_IPV4` | Force IPv4 for outbound HTTP requests | `true` |
| `SCANNER_LOG_FORMAT` | Log format for progress output | `text` |
| `SCANNER_LOG_LEVEL` | Minimum log level for progress output | `info` |
| `SCANNER_PROGRESS_STDERR` | Emit progress events to stderr | (auto) |
| `SCANNER_PROGRESS_COMPACT` | Use compact live panel for interactive terminals | (auto) |
| `SCANNER_PROGRESS_MAX_LINES` | Max lines shown in compact progress panel | `8` |