# Standalone CLI
Scan any repository without agent integration. Useful for one-off audits, CI pipelines, or agents without hook support.
## Install
## Scan a Repository

```bash
cloneguard scan /path/to/repo
cloneguard scan            # current directory
cloneguard scan --tier2    # with Ollama fallback (requires ollama)
cloneguard scan --cache    # with trust cache for repeated scans
```
## Output Formats

```bash
cloneguard scan .                     # human-readable terminal output
cloneguard scan . --json              # NDJSON (one line per finding, machine-readable)
cloneguard scan . --sarif out.sarif   # SARIF 2.1.0 for GitHub Advanced Security
```
The --sarif flag writes to a file and still prints human-readable output.
See Audit for the NDJSON event schema.
## Exit Codes
| Code | Meaning |
|---|---|
| 0 | No findings, or findings below threshold |
| 1 | Error (invalid path, missing dependencies) |
| 2 | Findings at or above threshold severity |
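A minimal CI gate built on the exit codes and the one-line-per-finding NDJSON output documented above, as an added example that is not part of cloneguard. The `CLONEGUARD` override variable and the `pass`/`findings:<n>`/`error` verdict strings are conventions of this example only; the finding count relies on nothing but the NDJSON line count, so it needs no knowledge of the event schema.

```bash
#!/bin/sh
# Added example: a CI gate around `cloneguard scan` (not cloneguard's own code).
# It relies only on what the CLI page documents:
#   --json  -> NDJSON, one line per finding
#   exit 0  -> no findings, or findings below threshold
#   exit 1  -> error (invalid path, missing dependencies)
#   exit 2  -> findings at or above threshold severity
# CLONEGUARD is an assumed variable that lets a job point at a specific binary.
CLONEGUARD="${CLONEGUARD:-cloneguard}"

# scan_gate REPO NDJSON_OUT
# Runs the scan, stores the NDJSON findings in NDJSON_OUT and prints a verdict:
#   "pass", "findings:<n>" or "error".
# The scanner's exit status is returned unchanged, so a job can gate with
#   scan_gate . findings.ndjson || exit 1
# and a tool crash (1) is never mistaken for a clean scan (0).
scan_gate() {
    repo="$1"; out="$2"
    "$CLONEGUARD" scan "$repo" --json > "$out"
    rc=$?   # capture explicitly; do not rely on `set -e` to notice it
    case "$rc" in
        0) echo "pass" ;;
        2) n=$(wc -l < "$out" | tr -d ' ')   # one NDJSON line per finding
           echo "findings:$n" ;;
        1) echo "error" ;;
        *) echo "error"; rc=1 ;;             # unknown status: treat as a failure
    esac
    return "$rc"
}
```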
## Manage False Positives

```bash
cloneguard allow README.md --reason "Documents attack patterns"
cloneguard list                 # show allowlisted files
cloneguard remove README.md     # remove from allowlist
```