CLI
Spectral is a CLI (Command Line Interface) driven toolchain.
If you have to remember just one thing
For testing and playing around interactively:
$HOME/.spectral/spectral run
And in your CI:
$HOME/.spectral/spectral scan
š¦øāāļø Command line driven? Our thesis is that people can get value the fastest, by wielding Spectral as a tool. We try hard to make that true for Windows users as well with PowerShell.
Commands
| Command | Description |
|---|---|
Run | Run a scan interactively, for exploring or auditing |
scan | Run a scan from your CI/pipeline |
init | Initialize configuration in your repo. This is how you customize ignores, detectors, and more. Once your run the init command a hidden .spectral folder will be created & you can customize your configuration |
fingerprint | Encode a one-way fingerprint from a secret, for ignoring content. |
github | Audit a github organization, user, or repo |
gitlab | Audit a gitlab organization, group, user, or repo |
history | Run a Spectral git history scan |
custom-rules | Manage custom rules |
Env variables
| Variable | Description |
|---|---|
SPECTRAL_DSN=<DSN> | Your private Spectral DSN, which connects to your account |
SPECTRAL_SHOW_MATCH=1 | Show secrets in scan output (off by default) |
Common flags
| Flag | Description |
|---|---|
-t, --token | Supply a token for Github, Gitlab, or others for auditing |
-h, --host | Supply a git host (where relevant, e.g.: Gitlab) |
-d, --dest | Where to put git repos in case of auditing |
-k, --kind | What to audit? e.g.: group, user, org |
--engines | Engines to run in the current scan. Options: secrets (default), iac, oss. |
--include-tags base,audit | Include additional ML-based detectors for full security coverage (more tags details: spectral info --tags) |
--include-tags base,iac | Tags that are specified for a scan are cross-engined* |
--include CLD001,CLD002 | Only scan for specific detectors |
--exclude CLD001,CLD002 | Exclude specific detectors from results. You can combine: --include-tags base --exclude CLD002 to scan for a tag excluding specific detectors |
--unstaged | Scan with pre-commit and pre-receive hooks and send data to spectralops |
-f, --fail-on-error | Fail with non-zero exit code just on high & critical severity matches |
--fail-on-critical | Fail with non-zero exit code just on critical severity matches |
--validate | Test the validation of found keys, relevant for the secrets engine |
* The specified tags should be relevant for all the selected engines. For example: --engines secrets,iac --include-tags aws will run all aws detectors for both engines. running --engines secrets,iac --include-tags base will only be relevant for the secrets engine, because the iac engine does not include with detectors that are tagged base. you should use --engines secrets,iac --include-tags base,iac in order to run all the base rules of secrets and the base rules of iac)
Help! š®
When in doubt, you can always use the --help option for the main binary, or using a sub command, for example $HOME/.spectral/spectral run --help:
spectral --help
Spectral Scan 1.8.37
Spectral Cyber Technologies Inc.
USAGE:
spectral [FLAGS] [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
--nobanners No help/free text banners. Make it easier to parse output
-V, --version Prints version information
SUBCOMMANDS:
config Your local SPECTRAL_DSN config
custom-rules Manage custom rules
discover Discover configuration at a remote provider
fingerprint Fingerprint sensitive information for ignores
github Run a Spectral scan on a github organization, user, or team. Alias: 'git'.
gitlab Run a Spectral scan on a Gitlab organization, user, or team
help Prints this message or the help of the given subcommand(s)
history Run a Spectral git history scan
info Spectral information
init Initialize Spectral configuration for a current project. (Must be in the project root)
local Run a Spectral audit on local assets
run Run a Spectral scan interactively
scan Run a Spectral scan in your CI pipeline
version
Updated about 1 month ago