Your first scan
Point cyscan at any directory. It walks the tree, respects .gitignore, detects file languages, and runs every rule that applies.
Scan the current directory
cyscan scan .
Typical output:
[high] CBR-PY-SQLI-STRING-CONCAT app/users.py:42:17
String-concatenated SQL into cursor.execute
│ cursor.execute("SELECT * FROM users WHERE email = '" + email + "'")
[crit] CBR-SECRETS-AWS-KEY infra/legacy.py:6:22
Hardcoded AWS access key
│ AWS_ACCESS_KEY = "AKIA1234567890ABCDEF"
2 finding(s)
Each finding shows:
- Severity: one of crit, high, med, low, info
- Rule ID: stable across releases, so use it for suppression
- Location: path:line:column
- Title, plus a snippet of the offending code
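To see what the first finding above actually flags, here is the vulnerable pattern beside its hardened form. This is an added example, not code from the cyscan page or project; it uses an in-memory sqlite3 database and a constructed injection payload so it runs offline.

```python
import sqlite3

# Constructed in-memory database for the demo (not part of cyscan).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, email: str) -> list:
    """The shape CBR-PY-SQLI-STRING-CONCAT reports: attacker-controlled text
    is pasted into the statement, so quote characters in it change the query."""
    cursor = conn.cursor()
    cursor.execute("SELECT email, role FROM users WHERE email = '" + email + "'")
    return cursor.fetchall()


def lookup_param(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value is a bound parameter and can never alter the
    statement's structure, whatever characters it contains."""
    cursor = conn.cursor()
    cursor.execute("SELECT email, role FROM users WHERE email = ?", (email,))
    return cursor.fetchall()


# Constructed test input: closes the quoted literal and appends a tautology.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, PAYLOAD))  # the concatenated query returns every row
    print(lookup_param(db, PAYLOAD))   # the parameterised query returns nothing
```

The concatenated version turns the payload into `WHERE email = '' OR '1'='1'` and leaks the whole table; the parameterised version looks for a user whose literal address is the payload string and finds none. The fix the rule is steering you towards is the second function.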
Scoping the scan
# Scan a single file
cyscan scan src/auth.py
# Scan a subtree
cyscan scan backend/
# Use a custom rule pack
cyscan scan . --rules ./my-org-rules
# Parallelism — defaults to CPU count
cyscan scan . --jobs 4
Cyscan respects .gitignore automatically; you don't need --exclude for standard build artefacts.
Changing the output format
cyscan scan . --format text # default, human-readable
cyscan scan . --format json # one JSON array, pretty-printed
cyscan scan . --format sarif # SARIF 2.1.0 — feeds GitHub code scanning
See SARIF output for the schema details.
Failing CI on findings
--fail-on <severity> exits non-zero if any finding is at or above that level:
cyscan scan . --fail-on high # exit 1 if a high or crit finding exists
cyscan scan . --fail-on critical # looser gate: only crit findings fail the build
Typical CI gate pattern (a steps fragment; the job's permissions block needs security-events: write for the upload to be accepted):
# .github/workflows/cyscan.yml
- name: SAST
  run: cyscan scan . --format sarif --fail-on high > cyscan.sarif
- uses: github/codeql-action/upload-sarif@v3
  if: always()   # upload even when --fail-on failed the scan step
  with: { sarif_file: cyscan.sarif }
Without if: always() on the upload step, a blocking finding fails the SAST step and the SARIF is never uploaded, so the run that most needs the results has none. With it, the SARIF upload lands in your repo's Security → Code scanning tab whether or not the gate passed.
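When a single --fail-on threshold is too coarse, you can post-process the JSON output yourself, for example to gate on severity but suppress a rule ID under a path prefix such as test fixtures. The following is an added example, not cyscan's own code: the field names it reads (rule_id, severity, path, line, column, title) are an assumption about the --format json schema, and the input is a constructed sample echoing the findings shown earlier on this page.

```python
import json

# Constructed sample in the shape this example ASSUMES for --format json.
# Check the real field names on the JSON/SARIF output page and adjust.
SAMPLE_JSON = """
[
  {"rule_id": "CBR-PY-SQLI-STRING-CONCAT", "severity": "high",
   "path": "app/users.py", "line": 42, "column": 17,
   "title": "String-concatenated SQL into cursor.execute"},
  {"rule_id": "CBR-SECRETS-AWS-KEY", "severity": "crit",
   "path": "infra/legacy.py", "line": 6, "column": 22,
   "title": "Hardcoded AWS access key"},
  {"rule_id": "CBR-PY-SQLI-STRING-CONCAT", "severity": "high",
   "path": "tests/fixtures/sqli.py", "line": 3, "column": 1,
   "title": "String-concatenated SQL into cursor.execute"}
]
"""

# Severity ladder from the finding format on this page, lowest to highest.
SEVERITIES = ["info", "low", "med", "high", "crit"]


def rank(sev: str) -> int:
    return SEVERITIES.index(sev)


def load(text: str) -> list:
    """Parse the JSON array and fail closed on any severity we don't know,
    rather than silently letting an unrecognised finding through the gate."""
    findings = json.loads(text)
    for f in findings:
        if f["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {f['severity']!r} in {f['path']}")
    return findings


def gate(findings: list, fail_on: str, suppress=()) -> tuple:
    """Mirror --fail-on, plus rule-ID suppression scoped to a path prefix.

    suppress: (rule_id, path_prefix) pairs. A finding is suppressed only when
    its rule ID matches AND its path starts with the prefix, so a rule can be
    muted in fixtures without muting it in production code.
    Returns (exit_code, blocking_findings).
    """
    blocking = []
    for f in findings:
        if any(f["rule_id"] == rid and f["path"].startswith(pfx) for rid, pfx in suppress):
            continue
        if rank(f["severity"]) >= rank(fail_on):
            blocking.append(f)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    findings = load(SAMPLE_JSON)
    code, blocking = gate(
        findings, "high", suppress=[("CBR-PY-SQLI-STRING-CONCAT", "tests/")]
    )
    for f in blocking:
        print(f"[{f['severity']}] {f['rule_id']} {f['path']}:{f['line']}:{f['column']}")
    raise SystemExit(code)
```

Suppressions are keyed on the rule ID because, as noted above, it is stable across releases; keying on the title would break the moment a rule's wording changed. Scoping each suppression to a path prefix keeps a fixture-only exemption from hiding the same bug in application code.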
Listing available rules
cyscan rules list
Prints every rule in the active pack:
CBR-PY-SQLI-STRING-CONCAT high String-concatenated SQL into cursor.execute
CBR-SECRETS-AWS-KEY crit Hardcoded AWS access key
CBR-GO-TLS-INSECURE-SKIP-VERIFY high tls.Config{InsecureSkipVerify: true}
...
21 rule(s) loaded
Validate a custom pack without scanning:
cyscan rules validate --rules ./my-org-rules
What gets scanned
Cyscan identifies files by extension:
| Language | Extensions |
|---|---|
| Python | .py |
| JavaScript | .js, .jsx, .mjs, .cjs |
| TypeScript | .ts, .tsx, .mts, .cts |
| Go | .go |
Plus config / lockfile types picked up by supply-chain rules (see Supply-chain scanning).
Next steps
- Writing rules — author your own detections
- Autofix — apply `fix:` blocks automatically