Spectral is a CLI (Command Line Interface) driven toolchain.

If you have to remember just one thing

For testing and playing around interactively:

$HOME/.spectral/spectral run

And in your CI:

$HOME/.spectral/spectral scan

🦸‍♀️ Command line driven? Our thesis is that people can get value the fastest, by wielding Spectral as a tool. We try hard to make that true for Windows users as well with PowerShell.


RunRun a scan interactively, for exploring or auditing
scanRun a scan from your CI/pipeline
initInitialize configuration in your repo. This is how you customize ignores, detectors, and more. Once your run the init command a hidden .spectral folder will be created & you can customize your configuration
fingerprintEncode a one-way fingerprint from a secret, for ignoring content.
githubAudit a github organization, user, or repo
gitlabAudit a gitlab organization, group, user, or repo
historyRun a Spectral git history scan
custom-rulesManage custom rules

Env variables

SPECTRAL_DSN=<DSN>Your private Spectral DSN, which connects to your account
SPECTRAL_SHOW_MATCH=1Show secrets in scan output (off by default)

Common flags

-t, --tokenSupply a token for Github, Gitlab, or others for auditing
-h, --hostSupply a git host (where relevant, e.g.: Gitlab)
-d, --destWhere to put git repos in case of auditing
-k, --kindWhat to audit? e.g.: group, user, org
--enginesEngines to run in the current scan. Options: secrets (default), iac, oss.
--include-tags base,auditInclude additional ML-based detectors for full security coverage (more tags details: spectral info --tags)
--include-tags base,iacTags that are specified for a scan is cross engined*
--include CLD001,CLD002Only scan for specific detectors
--exclude CLD001,CLD002Exclude specific detectors from results, you can combine: --include-tags base --exclude CLD002 to scan for a tag excluding specific detectors
--unstagedScan with pre-commit and pre-receive hooks and send data to spectralops
-f, --fail-on-errorFail with non-zero exit code just on error severity matches

* The specified tags should be relevant for all the selected engines. For example: --engines secrets,iac --include-tags aws will run all aws detectors for both engines. running --engines secrets,iac --include-tags base will only be relevant for the secrets engine, because the iac engine does not include with detectors that are tagged base. you should use --engines secrets,iac --include-tags base,iac in order to run all the base rules of secrets and the base rules of iac)

Help! 🔮

When in doubt, you can always use the --help option for the main binary, or using a sub command, for example $HOME/.spectral/spectral run --help:

spectral --help
Spectral Scan 1.8.37
Spectral Cyber Technologies Inc.

    spectral [FLAGS] [SUBCOMMAND]

    -h, --help         Prints help information
        --nobanners    No help/free text banners. Make it easier to parse output
    -V, --version      Prints version information

    config          Your local SPECTRAL_DSN config
    custom-rules    Manage custom rules
    discover        Discover configuration at a remote provider
    fingerprint     Fingerprint sensitive information for ignores
    github          Run a Spectral scan on a github organization, user, or team. Alias: 'git'.
    gitlab          Run a Spectral scan on a Gitlab organization, user, or team
    help            Prints this message or the help of the given subcommand(s)
    history         Run a Spectral git history scan
    info            Spectral information
    init            Initialize Spectral configuration for a current project. (Must be in the project root)
    local           Run a Spectral audit on local assets
    run             Run a Spectral scan interactively
    scan            Run a Spectral scan in your CI pipeline