Scan a local repository

Scan a folder on your machine with the crypto-discovery CLI and upload the normalized findings to your Obsidian instance. For GitHub repositories, use Connect GitHub repositories instead — those are discovered and scanned by a node automatically.

Before you start

  • A running Obsidian instance — see Deploy with Docker.
  • The crypto-discovery CLI — see Install.
  • A node credential. The Docker stack ships one for local use (local-docker-runner-dev-token); otherwise issue one under Nodes in the dashboard.

Run a one-off scan

Point the scanner at a checkout and upload the results:

    crypto-discovery scan ./path/to/repo \
      --org acme \
      --repo payments-service \
      --json out/inventory.json \
      --md out/report.md

  • --org is required when uploading to the aggregator.
  • --repo overrides the auto-detected name; --commit-sha attaches the source revision.
  • --json and --md also write the inventory and a human-readable report locally.

If you ran crypto-discovery init once on the machine, later scans reuse the stored credential and upload URL, so you can drop --api-key and --upload-url.

Enable optional detectors

Native detection runs by default. External and runtime modules are opt-in per scan:

    crypto-discovery scan ./path/to/repo \
      --enable-module external/gosec \
      --enable-module runtime/certificates

Available modules include external/gosec, external/slither, and runtime/certificates. External modules wrap host-installed tools and only run when you enable them. Skip generated or vendored directories with --ignore-dir generated.

Register a standalone node

To scan repositories continuously from a dedicated machine, register it as a node rather than running scans by hand:

  1. Issue a node credential under Nodes in the dashboard.

  2. Initialize the machine once:

    crypto-discovery init \
      --node-id eu-west-cluster-alpha \
      --api-key <credential> \
      --upload-url http://localhost:8080/api/v1/scans

  3. The node claims discovery jobs and uploads results automatically.
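
A pre-flight check for the two values passed to crypto-discovery init above, as an added example that is not part of this documentation or of the CLI: it rejects the shipped dev token for any non-local upload URL and rejects sending a credential to a remote host over plain HTTP. The names preflight_node_config and url_host are hypothetical helpers, and treating only localhost and 127.0.0.1 as local is an assumption.

```shell
#!/bin/sh
# Added example: hypothetical pre-flight check, not part of crypto-discovery.
DEV_TOKEN="local-docker-runner-dev-token"   # dev credential named on this page

# Print the host part of an http(s) URL. IPv6 literals are not parsed and
# therefore count as non-local, which fails safe.
url_host() {
  rest=${1#*://}           # drop scheme
  rest=${rest%%[/?#]*}     # drop path, query, fragment
  rest=${rest##*@}         # drop userinfo so "localhost:x@host" cannot spoof
  printf '%s\n' "${rest%%:*}"   # drop port
}

# Usage: preflight_node_config <api-key> <upload-url>
# Returns 0 when the pair is safe to pass to `crypto-discovery init`.
preflight_node_config() {
  key=$1
  url=$2
  case "$url" in
    http://*|https://*) ;;
    *) echo "upload URL must start with http:// or https://" >&2; return 1 ;;
  esac
  host=$(url_host "$url")
  [ -n "$host" ] || { echo "upload URL has no host" >&2; return 1; }
  case "$host" in
    localhost|127.0.0.1) return 0 ;;   # local stack: dev token and HTTP are fine
  esac
  if [ "$key" = "$DEV_TOKEN" ]; then
    echo "refusing: shipped dev token used with remote host $host" >&2
    return 1
  fi
  case "$url" in
    http://*)
      echo "refusing: credential would cross the network in plain HTTP" >&2
      return 1 ;;
  esac
  return 0
}
```

Source the file and call preflight_node_config with the credential and upload URL before running init; a non-zero return means the pair should not be stored on the node.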

Every flag is in the CLI reference.