# grekt scan

Scan artifacts for security issues using AgentVerus. The scan runs entirely on your machine; no data leaves the system.

```bash
grekt scan [source] [--json] [--fail-on <badge>]
```

## Arguments
| Argument | Description |
|---|---|
| `source` | Optional. Artifact source to scan. Omit to scan all installed artifacts. |

Supported source formats:

- `@scope/name` or `@scope/name@1.0.0` — registry artifact
- `github:user/repo` — GitHub repository
- `gitlab:user/repo` — GitLab repository
- `./path/to/dir` — local directory
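As an added illustration of how these four source formats can be told apart (example code written for this page, not grekt's own implementation), the parser below classifies a `source` argument. The registry form is the one worth care: the leading `@` belongs to the scope, so a version is only the text after the second `@`. Treating absolute and `../` paths as local directories is an assumption beyond the documented `./path/to/dir` form.

```python
import re

# Registry artifact: "@scope/name" with an optional "@version" suffix. The
# leading "@" is part of the scope, so the version is only what follows the
# second "@" (if any).
REGISTRY_RE = re.compile(
    r"^(?P<name>@[^/@\s]+/[^/@\s]+)(?:@(?P<version>[^@\s]+))?$"
)
REPO_RE = re.compile(r"^[^/\s]+/[^/\s]+$")  # "user/repo"


def parse_source(source: str) -> dict:
    """Classify a `grekt scan` source argument into its kind and parts.

    Raises ValueError for strings matching none of the documented formats.
    """
    source = source.strip()

    # Hosted repositories: github:user/repo and gitlab:user/repo.
    for prefix in ("github:", "gitlab:"):
        if source.startswith(prefix):
            repo = source[len(prefix):]
            if not REPO_RE.match(repo):
                raise ValueError(f"expected {prefix}user/repo, got {source!r}")
            return {"kind": prefix[:-1], "repo": repo}

    # Registry artifact, with or without a pinned version.
    m = REGISTRY_RE.match(source)
    if m:
        return {"kind": "registry", "name": m.group("name"),
                "version": m.group("version")}

    # Assumption: besides the documented "./path/to/dir", absolute and "../"
    # relative paths are also treated as local directories.
    if source.startswith(("./", "../", "/")):
        return {"kind": "local", "path": source}

    raise ValueError(f"unrecognised source: {source!r}")


if __name__ == "__main__":
    for s in ("@scope/name", "@scope/name@1.0.0", "github:user/repo",
              "gitlab:user/repo", "./my-artifact"):
        print(s, "->", parse_source(s))
```

Rejecting unrecognised strings outright (rather than guessing) keeps a CI job from silently scanning the wrong thing when a source argument is mistyped.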
## Options

| Option | Description |
|---|---|
| `--json` | Output results as JSON |
| `--fail-on <badge>` | Exit with code 1 if any artifact badge meets or exceeds this threshold |

Valid `--fail-on` values, from least to most severe: `certified`, `conditional`, `suspicious`, `rejected`.
## Trust and --fail-on

Artifacts signed with a valid HMAC signature (via `grekt trust`) are excluded from `--fail-on` evaluation. This requires `GREKT_TRUST_KEY` to be set in the environment during scanning.

- Without `GREKT_TRUST_KEY`: all artifacts are evaluated against the threshold (safe default).
- With `GREKT_TRUST_KEY`: only artifacts with a matching HMAC signature are treated as trusted.

For the full CI/CD setup, see Security gating.
## Examples

Scan all installed artifacts:

```bash
grekt scan
```

Scan a registry artifact before installing:

```bash
grekt scan @scope/my-artifact
```

Scan a GitHub source:

```bash
grekt scan github:user/repo
```

Scan a local directory:

```bash
grekt scan ./my-artifact
```

JSON output:

```bash
grekt scan @scope/my-artifact --json
```

Fail if any artifact is suspicious or worse:

```bash
grekt scan --fail-on suspicious
```

## Output

```text
Scanning @scope/my-artifact...
Score: 95 / 100
Badge: certified
Findings (1):
  i [info] ASST-007: Minor pattern detected
      Evidence: "example evidence text"
      → Review and verify this is intentional
```

## See also
- Security gating in CI/CD — Pipeline setup, thresholds, HMAC trust workflow
- Security scanning guide — Trust badges, risk labels, scanner details
- `grekt trust` — Sign an artifact as trusted
- `grekt untrust` — Remove trusted status