Appearance
CLI Reference
Complete reference for all VaultGuard CLI commands, flags, and usage patterns.
Global Flags
These flags apply to all commands.
| Flag | Description |
|---|---|
-v, --verbose | Increase verbosity. Use -v for info, -vv for debug, -vvv for trace. Env: VAULTGUARD_VERBOSE |
--help | Print help information |
--version | Print version |
Commands
vaultguard scan
Scan a directory for security issues. Detects secrets, CVEs, misconfigurations, and optionally code quality issues, integrity violations, and typosquatting.
By default, output is condensed: the top 5 findings by severity are printed one per line, followed by a compact summary. Results are auto-saved to .vaultguard/results/latest.json for use with vaultguard fix.
Usage:
bash
vaultguard scan [path] [flags]If path is omitted, the current directory is scanned.
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
--format, -f | human|json|sarif | human | Output format. Env: VAULTGUARD_FORMAT |
--json | bool | false | Shorthand for --format json. Conflicts with --format. |
--sarif | bool | false | Shorthand for --format sarif. Conflicts with --format. |
--output, -o | path | none | Write results to a file instead of stdout. |
--config, -c | path | none | Path to a custom config file (overrides auto-discovery). |
--deep | bool | false | Enable deep scan mode with AST analysis. Requires a Pro subscription. |
--no-secrets | bool | false | Disable secret detection. Env: VAULTGUARD_NO_SECRETS |
--no-cve | bool | false | Disable CVE detection. Env: VAULTGUARD_NO_CVE |
--no-misconfig | bool | false | Disable misconfiguration detection. Env: VAULTGUARD_NO_MISCONFIG |
--quality | bool | false | Enable code quality checks (disabled by default). Env: VAULTGUARD_QUALITY |
--integrity | bool | false | Enable integrity verification (lockfile vs installed packages). Env: VAULTGUARD_INTEGRITY |
--typosquat | bool | false | Enable typosquatting detection for dependencies. Env: VAULTGUARD_TYPOSQUAT |
--entropy-threshold | f64 | 5.5 | Override entropy threshold for secret detection. Env: VAULTGUARD_ENTROPY_THRESHOLD |
--show-suppressed | bool | false | Include findings suppressed by inline comments or baselines. |
--baseline | path | none | Path to a baseline file for differential scanning. Only new findings are reported. Env: VAULTGUARD_BASELINE |
--min-severity | critical|high|medium|low|info | none | Drop findings below this severity level. Env: VAULTGUARD_MIN_SEVERITY |
--min-confidence | f64 (0.0-1.0) | none | Drop findings below this confidence score. Env: VAULTGUARD_MIN_CONFIDENCE |
--disable-provider | comma-separated | none | Disable specific detection providers (e.g., aws,github,jwt). Env: VAULTGUARD_DISABLE_PROVIDER |
-v, --verbose | count | 0 | Verbose output. Shows every finding live with full details instead of condensed view. |
Environment Variables:
All scan-related environment variables are listed in the Environment Variables reference.
Output Modes:
| Mode | Trigger | Behavior |
|---|---|---|
| Condensed (default) | No flags | Top 5 findings by severity, one line each, summary, auto-save results |
| Verbose | -v | Every finding printed live with full details, grouped summary with file sections |
| JSON | --json or --format json | Machine-readable JSON to stdout. No auto-save. |
| SARIF | --sarif or --format sarif | SARIF 2.1.0 format to stdout. No auto-save. |
Auto-save is skipped when using --json, --sarif, --output, or when zero findings are detected.
Examples:
bash
# Scan current directory
vaultguard scan
# Scan a specific path with verbose output
vaultguard scan ./src -v
# JSON output piped to jq
vaultguard scan --json | jq '.findings[] | select(.severity == "Critical")'
# SARIF output to file for GitHub Code Scanning
vaultguard scan --sarif -o results.sarif
# Scan secrets only, high severity and above
vaultguard scan --no-cve --no-misconfig --min-severity high
# Scan with baseline (only report new findings)
vaultguard scan --baseline .vaultguard-baseline.json
# Full scan with all modules enabled
vaultguard scan --quality --integrity --typosquat
# Disable noisy providers
vaultguard scan --disable-provider entropy,generic
# Custom entropy threshold
vaultguard scan --entropy-threshold 4.0
# CI pipeline usage
vaultguard scan --sarif -o results.sarif || trueExit Codes:
See Exit Codes for the full list. In short: 0 means no findings, 1 means findings detected, 2 means a runtime error occurred.
vaultguard fix
Display remediation steps for findings from a previous scan. Reads the auto-saved results file (.vaultguard/results/latest.json) by default.
Findings are grouped by type (secrets, CVEs, misconfigurations, quality issues) and sorted by severity within each group. Remediation is provider-aware for secrets and ecosystem-aware for CVEs.
Usage:
bash
vaultguard fix [flags]Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
--file | path | .vaultguard/results/latest.json | Path to a specific results JSON file. |
--json | bool | false | Output remediation report as JSON (for CI integration). |
Examples:
bash
# Show remediation for most recent scan
vaultguard fix
# Remediation for a specific results file
vaultguard fix --file .vaultguard/results/latest.json
# JSON output for CI processing
vaultguard fix --jsonTIP
vaultguard fix reads results relative to the current working directory. Either cd into the scanned directory first, or use --file with an absolute path.
vaultguard baseline generate
Generate a baseline file from the current scan findings. The baseline contains SHA256 fingerprints of each finding, independent of line numbers. Subsequent scans using --baseline will only report findings not present in the baseline.
Usage:
bash
vaultguard baseline generate [path] [flags]If path is omitted, the current directory is scanned.
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
-o, --output | path | .vaultguard-baseline.json | Output file path for the generated baseline. Defaults to .vaultguard-baseline.json in the scan root. |
Examples:
bash
# Generate baseline for current directory
vaultguard baseline generate
# Generate baseline for a specific path
vaultguard baseline generate ./src
# Custom output location
vaultguard baseline generate -o baselines/2026-02-23.json
# Typical workflow: generate baseline, then scan for new issues only
vaultguard baseline generate
vaultguard scan --baseline .vaultguard-baseline.jsonvaultguard init
Create a .vaultguard.toml configuration file in the current directory with default settings. Also adds .vaultguard/ to .gitignore if a .gitignore file exists.
Usage:
bash
vaultguard initNo flags. Fails if .vaultguard.toml already exists in the current directory.
Example:
bash
cd my-project
vaultguard initvaultguard config validate
Validate the .vaultguard.toml configuration file. Checks for syntax errors and invalid values.
Usage:
bash
vaultguard config validateReturns exit code 0 if valid, 4 if the configuration is invalid.
vaultguard config show
Display the fully merged configuration. Shows the result of merging built-in defaults, user config (~/.vaultguard/config.toml), project config (.vaultguard.toml), environment variables, and CLI flags.
Usage:
bash
vaultguard config showDebugging unexpected behavior
If a flag isn't having the effect you expect, run config show to see the final merged config. It reveals which layer each value comes from.
vaultguard ignore init
Create a .vaultguard.ignore file in the current directory with a template structure.
Usage:
bash
vaultguard ignore initvaultguard ignore add
Add an ignore rule to .vaultguard.ignore. Requires at minimum a file path and a reason.
Usage:
bash
vaultguard ignore add --file <path> --reason <reason> [--line <number>]Flags:
| Flag | Type | Required | Description |
|---|---|---|---|
--file | string | yes | File path to ignore. |
--line | u32 | no | Specific line number to ignore. If omitted, the entire file is ignored. |
--reason | string | yes | Reason for the ignore rule (for audit trail). |
Examples:
bash
# Ignore an entire file
vaultguard ignore add --file tests/fixtures/fake_secrets.py --reason "Test fixtures with dummy credentials"
# Ignore a specific line
vaultguard ignore add --file config/database.yml --line 12 --reason "Development-only default, not a real credential"Always provide a reason
The --reason flag is required and serves as an audit trail. Write reasons that explain why the finding is safe to ignore, not just what the finding is.
vaultguard ignore list
List all ignore rules defined in .vaultguard.ignore.
Usage:
bash
vaultguard ignore listvaultguard login
Log in with a VaultGuard API token. Reads the token interactively from the terminal or from stdin (for piped input). The token is stored in ~/.vaultguard/credentials with 600 permissions.
Usage:
bash
vaultguard loginExamples:
bash
# Interactive login
vaultguard login
# Piped token (CI usage)
echo "$VAULTGUARD_TOKEN" | vaultguard loginINFO
Token validation against the VaultGuard API is not yet implemented. The token is stored locally without server-side verification.
vaultguard logout
Remove stored credentials from ~/.vaultguard/credentials.
Usage:
bash
vaultguard logoutvaultguard whoami
Display the currently authenticated user based on stored credentials.
Usage:
bash
vaultguard whoamiReturns exit code 3 if no credentials are stored.
vaultguard update
Check for and install the latest version of VaultGuard. Downloads the binary from releases.vaultguard.sh, verifies the SHA256 checksum, and validates the minisign signature before replacing the current binary.
Usage:
bash
vaultguard update [flags]Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
--force | bool | false | Force update even if already on the latest version. |
Examples:
bash
# Check for updates and install
vaultguard update
# Force reinstall current version
vaultguard update --forcevaultguard version
Print the VaultGuard CLI name, version number, and edition.
Usage:
bash
vaultguard versionExample output:
vaultguard 0.6.0Configuration Priority
Settings are resolved in the following order (highest priority wins):
- CLI flags
- Environment variables (
VAULTGUARD_*) - Project config (
.vaultguard.tomlin the scanned directory) - User config (
~/.vaultguard/config.toml) - Built-in defaults
Scan Modules
| Module | Default | Enable | Disable |
|---|---|---|---|
| Secret detection | enabled | -- | --no-secrets |
| CVE detection | enabled | -- | --no-cve |
| Misconfiguration | enabled | -- | --no-misconfig |
| Code quality | disabled | --quality | -- |
| Integrity verification | disabled | --integrity | -- |
| Typosquatting | disabled | --typosquat | -- |
Opt-in modules
Quality, integrity, and typosquatting checks are disabled by default because they can be noisy in certain codebases. Enable them explicitly when you want the extra coverage.
Supported Providers
The --disable-provider flag accepts any of the following provider names (case-insensitive):
aws, github, gitlab, openai, stripe, supabase, firebase, database, discord, slack, generic, entropy, misconfig, quality, osv, nvd, cache, integrity, atlassian, vault, jwt, pem