{scd}

The security scanner that lives in your workflow

Open-source SAST scanner for JavaScript, TypeScript, Python, PHP and ASP.NET. 189+ OWASP rules, git hooks, and taint analysis — zero repo footprint, zero friction.

$ npm install -g @activemind/scd
~/projects/my-app
$ scd scan
234 source · 41 test (separate context) · 8 excluded
✖ CRITICAL SQL-001 Unsanitised input in user query src/api/users.js:142
⚠ HIGH JWT-003 Weak signing algorithm detected src/auth/tokens.js:38
⚠ HIGH XSS-002 Unescaped output in template src/views/profile.ejs:91
✔ Scan complete — code never left your machine
scd report open    scd findings --verbose

Built for developers who ship fast

scd disappears into your workflow. Scanning happens automatically via git hooks — findings stay local, nothing slows your team down.

🔍

Taint analysis

Tracks user-controlled data from HTTP input through your code to dangerous sinks. Catches real injection vulnerabilities, not just surface-level pattern matches.

OWASP A03
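To make the source-to-sink idea concrete, here is a toy forward taint tracker added as an illustration; it is not scd's engine, and the source, sink and sanitizer tables and the sample program are constructed for the demo. It shows the two things a pattern match cannot: taint propagating through an assignment into a string concatenation, and sanitizers being sink-specific (HTML escaping clears the XSS sink but leaves the SQL sink tainted).

```javascript
// Added example: a toy forward taint tracker over a simplified statement list.
// Not scd's engine; the source/sink/sanitizer tables and the sample program
// below are constructed for this demo.
const SOURCES = new Set(['req.query', 'req.body', 'req.params']);
const SINKS = { 'db.query': 'sqli', 'res.send': 'xss', 'child_process.exec': 'cmdi' };
// Sanitizers are sink-specific: HTML escaping neutralises XSS but not SQL injection.
const SANITIZERS = { escapeHtml: ['xss'], parseInt: ['sqli', 'xss', 'cmdi'] };

// Taint record for an operand: null if clean, else { source, neutralized: Set<kind> }.
// String literals are never in SOURCES or the map, so they come back clean.
function taintOf(operand, tainted) {
  if (SOURCES.has(operand)) return { source: operand, neutralized: new Set() };
  return tainted.get(operand) || null;
}

// statements: { type: 'assign', target, from: [operands], via?: sanitizerFn }
//          or { type: 'call', fn, args: [operands] }
function analyze(statements) {
  const tainted = new Map(); // variable name -> taint record
  const findings = [];
  statements.forEach((st, idx) => {
    const line = idx + 1;
    if (st.type === 'assign') {
      const records = st.from.map(op => taintOf(op, tainted)).filter(Boolean);
      if (records.length === 0) { tainted.delete(st.target); return; } // overwritten with clean data
      // Conservative merge: a kind counts as neutralised only if every tainted operand had it neutralised.
      const neutralized = new Set(
        [...records[0].neutralized].filter(k => records.every(r => r.neutralized.has(k))),
      );
      for (const k of SANITIZERS[st.via] || []) neutralized.add(k);
      tainted.set(st.target, { source: records[0].source, neutralized });
    } else if (st.type === 'call') {
      const kind = SINKS[st.fn];
      if (!kind) return; // not a dangerous sink
      for (const arg of st.args) {
        const rec = taintOf(arg, tainted);
        if (rec && !rec.neutralized.has(kind)) {
          findings.push({ line, sink: st.fn, kind, source: rec.source, arg });
        }
      }
    }
  });
  return findings;
}

// Constructed sample program (one statement per "line").
const PROGRAM = [
  { type: 'assign', target: 'id', from: ['req.query'] },                                  // 1: source
  { type: 'assign', target: 'sql', from: ['"SELECT * FROM users WHERE id = "', 'id'] },   // 2: taint propagates through concat
  { type: 'call', fn: 'db.query', args: ['sql'] },                                         // 3: SQL sink -> finding
  { type: 'assign', target: 'safeId', from: ['id'], via: 'parseInt' },                     // 4: sanitizer for all kinds
  { type: 'call', fn: 'db.query', args: ['safeId'] },                                      // 5: clean
  { type: 'assign', target: 'name', from: ['req.body'] },                                  // 6: source
  { type: 'assign', target: 'html', from: ['name'], via: 'escapeHtml' },                   // 7: clears xss only
  { type: 'call', fn: 'res.send', args: ['html'] },                                        // 8: clean for xss
  { type: 'call', fn: 'db.query', args: ['html'] },                                        // 9: still sqli -> finding
];

for (const f of analyze(PROGRAM)) {
  console.log(`line ${f.line}: ${f.kind} via ${f.sink}(${f.arg}) from ${f.source}`);
}
```

The merge rule matters for precision: when two tainted values are combined, a kind is only considered neutralised if both inputs had it neutralised, otherwise a partially sanitised concatenation would be reported as safe.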
🪝

Git hooks

Pre-commit secrets scan blocks exposed credentials before they reach your repo. Pre-push full OWASP scan runs before code leaves your machine. Automatic after scd install.

Pre-commit · Pre-push
📁

Context-aware scanning

Files are classified as source, test, config, frontend, or backend before any rule runs. Test files are scanned separately — false positives that would trip in a test fixture are suppressed in production findings. More context types are being added continuously.

Precision
📊

Local reports

HTML, Markdown, and JSON reports with per-finding fix guidance. Every scan stored with a unique ID — regenerate any historical report at any time with scd report --scan <id>.

HTML · MD · JSON

Exception management

Accept risks or mark false positives by finding ID — never by editing source comments. Exceptions are hash-bound to the relevant code line: if the code changes, re-approval is required automatically.

Auditable
⚙️

CI/CD ready

Auto-detects non-interactive contexts. Use --log-to for explicit pipeline control. JSON output for integration with external tooling. Works as a subprocess without a TTY.

Pipeline-friendly

Up and running in four commands

After setup, scd runs automatically on every commit and push — no manual trigger needed.

1. Install scd

Requires Node.js 22 or later on macOS, Linux, or Windows. The -g flag installs scd globally so the scd command is available everywhere.

$ npm install -g @activemind/scd
2. Install git hooks

Run once per machine. Sets up global git hooks in ~/.scd/hooks/ and configures git to use them across every repository automatically.

$ scd install
3. Register your project

Run once per project. Creates a config file in ~/.scd/repos/ — nothing is written to your repository. Your repo stays clean.

$ cd /path/to/your/project && scd init
4. Run your first scan

From here, git hooks trigger scans automatically. Run on demand at any time — add --verbose for file-grouped and rule-grouped detail.

$ scd scan

Platform-specific setup, Node.js instructions, and troubleshooting are covered in the documentation.

  • JavaScript: Node.js, Express, browser — injection, XSS, JWT, logging, secrets and more
  • TypeScript: TypeScript-specific rule set on top of full JavaScript coverage
  • Python: Django, Flask, FastAPI — SQL injection, command injection, deserialization
  • PHP: direct input to dangerous functions, session handling, file inclusion
  • ASP.NET: C# and ASPX markup — injection, authentication, ViewState, identity patterns
Configuration & data files

Secrets and sensitive data scanning goes beyond source code — scd inspects all files that commonly leak credentials or data.

.env · .json · .yaml / .yml · .toml · .log · .txt · .csv · .sql · .conf / .cfg / .ini · .xml · .pem / .key / .p12 · .sh / .bash

189+ rules. OWASP Top 10

Every rule maps to OWASP Top 10 categories — the same categories used in NIS2 and EU Cyber Resilience Act compliance documentation. Findings automatically carry the right regulatory context.

One runtime dependency. Intentionally lightweight — a small dependency surface is itself a security decision. Verify with npm audit and npm list at any time.

A01 Broken Access Control · A02 Cryptographic Failures · A03 Injection · A04 Insecure Design · A05 Security Misconfiguration · A07 Auth Failures · A08 Software Integrity · A09 Logging Failures

"Your code stays where you put it."

🔒

maximum_privacy

Every external API call blocked — SAST scanning runs fully locally today. The strongest guarantee for codebases where no data can leave the network.

Coming soon — Deep AI analysis via a local AI provider: full AI power, zero external communication.

⚖️

balanced

Default. Deep analysis via Claude API available as an explicit opt-in today. Appropriate for the vast majority of commercial codebases.

Coming soon — Local AI provider as preferred option — local first, cloud AI as fallback opt-in.

🧠

maximum_analysis

Cloud AI (Claude API) for maximum analysis depth. Only the triggering code line and 8 lines of surrounding context are sent — whole files are never transmitted. Requires scd-server.

Set per repository: scd repo configure --trust-level maximum_privacy. Every scan records code_left_environment: false in its audit output — verifiable, per finding, in every report.

scd CLI is the foundation. scd-server brings the team.

When you're ready for aggregated findings across all repositories and developers, exception approval workflows, and CRA compliance reports — scd-server runs in your own infrastructure.