Get started with GuardScan in under 2 minutes!
GuardScan is a privacy-first, open-source security scanning and AI code review CLI. All static analysis features work 100% free and offline - no API keys required!
```bash
# Install GuardScan globally
npm install -g guardscan
# Verify installation
guardscan --version
```
Requirements:
- Node.js >= 18.0.0
- npm or yarn
```bash
guardscan init
```
This creates a local configuration file and generates a client ID for optional telemetry.
```bash
# Scan your current project (100% FREE, works offline)
guardscan security
```
This will:
- ✅ Detect secrets in your code (API keys, passwords, tokens)
- ✅ Scan dependencies for known vulnerabilities
- ✅ Check Dockerfiles for security issues
- ✅ Analyze Infrastructure as Code (Terraform, CloudFormation, K8s)
- ✅ Detect OWASP Top 10 vulnerabilities
- ✅ Generate a comprehensive markdown report
No API key needed - all security scanning works completely offline!
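As an added example (not GuardScan's own code), a POSIX shell preflight that scripts the quick start above: it checks the Node.js >= 18.0.0 requirement against `node --version`, installs guardscan into a user-owned npm prefix (~/.npm-global, the same directory the troubleshooting notes on this page use) instead of falling back to sudo, and then runs the offline scan with telemetry disabled. The function names and the prefix handling are this example's own assumptions.

```shell
#!/bin/sh
# GuardScan quick-start preflight (added example, not part of GuardScan).
# Assumes node and npm are on PATH; ~/.npm-global is the user prefix from
# the troubleshooting notes, chosen here so no sudo is needed.

# Return 0 if a `node --version` string such as "v18.17.1" satisfies the
# documented requirement Node.js >= 18.0.0, 1 otherwise.
node_version_ok() {
    major=$(printf '%s' "$1" | sed 's/^v//; s/\..*$//')
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # not a version string at all
    esac
    [ "$major" -ge 18 ]
}

# Install guardscan into a user-owned prefix (mirrors the "Fix npm
# permissions" steps) so the global install does not need root.
install_guardscan_user() {
    prefix="$HOME/.npm-global"
    mkdir -p "$prefix"
    npm config set prefix "$prefix"
    PATH="$prefix/bin:$PATH"
    export PATH
    npm install -g guardscan
}

# Entry point: verify the runtime, make sure guardscan is on PATH,
# initialise it, and run the offline static scan without telemetry.
main() {
    installed=$(node --version 2>/dev/null || echo "missing")
    if ! node_version_ok "$installed"; then
        echo "GuardScan needs Node.js >= 18.0.0, found: $installed" >&2
        return 1
    fi
    command -v guardscan >/dev/null 2>&1 || install_guardscan_user
    guardscan init
    guardscan --no-telemetry security
}
```

Source the file and call `main`, or append `main "$@"` to run it as a script.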
For AI-powered features like code review, documentation generation, and refactoring:
```bash
guardscan config
```
Follow the prompts to set:
- AI provider (OpenAI, Anthropic Claude, Google Gemini, or Ollama for local AI)
- API key (your own key - we never see it)
- Telemetry preference
Note: AI features are optional. All security scanning works without any API keys!
GuardScan provides 21 commands organized by category:
```bash
guardscan init          # Initialize GuardScan (generates client_id for telemetry)
guardscan config        # Configure AI provider and settings (OpenAI, Claude, Gemini, Ollama)
guardscan status        # Show current status (credits, provider, repo info)
guardscan reset         # Clear local cache and config

guardscan security      # Security vulnerability scanning
guardscan scan          # Comprehensive scan (all security and quality checks)
guardscan test          # Run tests and code quality analysis
guardscan sbom          # Generate Software Bill of Materials (SBOM)
guardscan rules         # Run custom YAML-based rules engine

guardscan perf          # Performance testing (load, stress, Lighthouse)
guardscan mutation      # Mutation testing to assess test quality

guardscan run           # AI-enhanced code review
guardscan review        # AI-powered code review for git changes
guardscan commit        # Generate AI-powered commit messages
guardscan explain <target>  # Explain code using AI (function, class, file)
guardscan test-gen      # Generate tests using AI
guardscan docs          # Generate documentation using AI
guardscan refactor      # AI-powered refactoring suggestions
guardscan threat-model  # AI-powered threat modeling with STRIDE analysis
guardscan migrate       # AI-powered code migration assistant
guardscan chat          # Interactive AI chat about your codebase (RAG feature)
```

```bash
# Run comprehensive security scan
guardscan security
# Check for dependency vulnerabilities
guardscan security --licenses
# Generate SBOM for compliance
guardscan sbom --format spdx
```

```bash
# Review all changes in your git repository
guardscan review
# Review specific file
guardscan review --file src/api.ts
# Get AI suggestions for security issues
guardscan security --ai-fix
```

```bash
# Run all quality checks
guardscan test --all
# Performance testing
guardscan perf --load --duration 1m
# Mutation testing
guardscan mutation --threshold 80
```

```bash
# Explain a function
guardscan explain getUserData --type function
# Generate tests
guardscan test-gen --function calculateTotal
# Generate documentation
guardscan docs --type api
# Interactive chat about your codebase
guardscan chat
```

- ✅ Scans your code locally on your machine
- ✅ Never uploads source code to any server
- ✅ Works completely offline for static analysis
- ✅ Uses your own AI API keys (BYOK - Bring Your Own Key)
- Client ID (anonymous identifier)
- Repository ID (hashed, anonymous)
- Lines of code count
- Command usage statistics
You can disable telemetry:
```bash
guardscan --no-telemetry security
```
Static Analysis (Works completely offline, 100% FREE):
- Secrets detection (20+ patterns)
- Dependency vulnerability scanning
- Code metrics and complexity analysis
- LOC counting (20+ languages)
- OWASP Top 10 detection
- Docker security scanning
- Infrastructure as Code analysis
AI-Enhanced (Optional, requires your API key):
- OpenAI GPT-4, GPT-3.5
- Anthropic Claude (Opus, Sonnet, Haiku)
- Google Gemini
- Ollama (local/offline AI)
- LM Studio (local AI)
```bash
# Check if GuardScan is installed
npm list -g guardscan
# If not installed, install it
npm install -g guardscan
# Verify it's in your PATH
which guardscan
```

```bash
# Use sudo if needed (not recommended)
sudo npm install -g guardscan
# Better: Fix npm permissions
mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
export PATH=~/.npm-global/bin:$PATH
npm install -g guardscan
```

```bash
# Check your configuration
guardscan status
# Reconfigure AI provider
guardscan config
# Verify API key is set correctly
guardscan config --show
```

```bash
# Reset all local data
guardscan reset --all
# Re-initialize
guardscan init
```

- README.md - Complete project overview
- CLI README - Detailed CLI documentation
- Getting Started - Extended getting started guide
- Docker Guide - Running GuardScan in Docker
- Language Support - Supported languages and parsers
- GitHub Issues: https://github.com/ntanwir10/GuardScan/issues
- Documentation: Check the docs/ directory
- Examples: See the examples/ directory (if available)
- ✅ Install: npm install -g guardscan
- ✅ Initialize: guardscan init
- ✅ Scan: guardscan security (works offline, 100% free!)
- ✅ Configure AI (optional): guardscan config
- ✅ Explore: Try guardscan --help to see all commands
That's it! You're ready to start scanning your code for security issues.