CLI reference
The crypto-discovery CLI scans repositories and uploads normalized inventories. Related
binaries: crypto-discovery-api (control plane), crypto-discovery-runner (scanner node
agent), and crypto-discovery-mcp (knowledge server).
Install
The CLI is built from source. From a checkout of the repository, with Go 1.26+ installed:
go build -o crypto-discovery ./cmd/crypto-discoveryThat produces a crypto-discovery binary you can move onto your PATH. Prebuilt, signed
binaries are not published yet — build from source for now.
scan
crypto-discovery scan <path> [flags]| Flag | Purpose |
|---|---|
--org | Organization to upload to (required for upload). |
--repo | Override the detected repository name. |
--commit-sha | Attach source revision metadata. |
--json | Write the normalized inventory JSON. |
--md | Write a Markdown report. |
--upload-url | Protected ingest endpoint. |
--api-key | Node-issued discovery credential. |
--enable-module | Opt into a module: external/gosec, external/slither, runtime/certificates. |
--ignore-dir | Append directory names to the default ignore set. |
--timeout | Bound the scan lifetime. |
Upload settings resolve in order: explicit flags → local config written by
crypto-discovery init → the CRYPTO_DISCOVERY_API_KEY environment variable.
init
Stores node_id, api_key, and upload_url in the user config directory with 0600
permissions, so later scans can omit them:
crypto-discovery init \
--node-id eu-west-cluster-alpha \
--api-key ndc_example_node_credential \
--upload-url http://localhost:8080/api/v1/scansAPI and node environment variables are listed in Configuration.