
Your First Scan

This tutorial walks through scanning a project, reading the output, and understanding what the scanner found.

Point fleet scan at any codebase:

fleet scan --path ~/projects/my-app --output pretty

Or scan the current directory:

fleet scan --output pretty

The scanner outputs five sections:

Catalog: CRA Default v1.0.0 (401 requirements)
Languages: javascript, python
Source files: 245, Manifests: 2, Lockfiles: 2

The scanner detected the project uses JavaScript and Python, found 245 source files, and identified package.json + requirements.txt manifests with their lockfiles.

CBOM: 42 crypto primitives (38 approved, 2 deprecated, 2 prohibited)

The scanner found 42 cryptographic operations in the code. Two of them use prohibited algorithms (typically MD5 or DES) and need remediation; the two deprecated ones should be scheduled for replacement.

=== CRA Assessment Results ===
Findings: 87
Pass: 32
Fail: 18
Review: 37
  • Pass (32): Requirements the scanner confirmed are satisfied
  • Fail (18): Requirements the scanner confirmed are violated
  • Review (37): Requirements that need human or LLM review
Failed requirements:
CRYPTO-01-R1 — Weak cryptographic algorithm MD5 detected
src/utils/hash.py:12
NET-DB-02-R1 — Database credentials hardcoded in source
config/database.js:8
VH-ID-01-R1 — No security.txt found

Each failure shows the requirement ID, a description, and the file/line where the issue was found. Project-level findings such as a missing security.txt have no file location.

Scan completed in 3.2s

For programmatic analysis:

fleet scan --path . --output json --output-file scan-results.json

The JSON includes the full findings array, evidence records, SBOM, and CBOM.

fleet scan --path . --report cra-report.md

This produces a Markdown document suitable for inclusion in your CRA technical documentation, with:

  • Executive summary
  • Security profile and CBOM inventory
  • Non-compliant findings with file locations
  • Compliant requirements table
  • Evidence record summary

Requirement IDs follow the pattern: CATEGORY-RISK-R{number}

| Prefix | Category | Examples |
|---|---|---|
| CRYPTO- | Cryptography | CRYPTO-01-R1 (no MD5/SHA1), CRYPTO-02-R1 (no hardcoded keys) |
| NET- | Network | NET-DB-01-R1 (TLS for DB), NET-API-02-R1 (HTTPS enforcement) |
| AUTH- | Authentication | AUTH-01-R1 (bcrypt/argon2), AUTH-API-01-R2 (no JWT alg:none) |
| INPUT- | Input handling | INPUT-01-R2 (parameterized queries), INPUT-01-R3 (no shell injection) |
| LOG- | Logging | LOG-PROT-01-R1 (no passwords in logs) |
| VH- | Vulnerability handling | VH-ID-01-R1 (security.txt), VH-DISC-01-R1 (disclosure policy) |
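The JSON export is what you would feed into CI, and the requirement ID pattern is what lets you group findings by category. The script below is an added example, not fleet's own code: it parses a scan-results.json export, splits each requirement ID into CATEGORY / RISK / number, counts fails per category, separates findings that have a file location from project-level ones, and returns a CI exit code. The page only says the export contains a findings array, evidence records, an SBOM and a CBOM; the field names used here (`status`, `requirement_id`, `file`, `line`, `cbom.primitives[].classification`) and the sample export are assumptions, to be checked against a real export before use.

```python
"""Triage a fleet scan JSON export and decide whether a CI job should fail.

Added example, not part of fleet. The export layout is an ASSUMPTION: the page
only states that the JSON holds a findings array, evidence records, an SBOM and
a CBOM. Field names below are hypothetical; verify them against a real export.
"""
import json
import re
import sys
from collections import Counter

# Requirement IDs follow CATEGORY-RISK-R{number}. RISK may itself contain a
# dash (NET-DB-02, AUTH-API-01), so the middle group is matched greedily and
# the regex backtracks to the trailing -R<n>.
REQ_ID = re.compile(r"^(?P<category>[A-Z]+)-(?P<risk>[A-Z0-9-]+)-R(?P<number>\d+)$")

# Constructed sample export, shaped after the pretty output shown above.
SAMPLE_EXPORT = json.dumps({
    "findings": [
        {"requirement_id": "CRYPTO-01-R1", "status": "fail",
         "description": "Weak cryptographic algorithm MD5 detected",
         "file": "src/utils/hash.py", "line": 12},
        {"requirement_id": "NET-DB-02-R1", "status": "fail",
         "description": "Database credentials hardcoded in source",
         "file": "config/database.js", "line": 8},
        {"requirement_id": "VH-ID-01-R1", "status": "fail",
         "description": "No security.txt found"},          # project-level: no file
        {"requirement_id": "INPUT-01-R2", "status": "pass",
         "description": "Parameterized queries used"},
        {"requirement_id": "LOG-PROT-01-R1", "status": "review",
         "description": "Logging of sensitive fields needs review"},
    ],
    "cbom": {"primitives": [
        {"algorithm": "SHA-256", "classification": "approved"},
        {"algorithm": "MD5", "classification": "prohibited"},
    ]},
})


def parse_requirement_id(req_id):
    """Split 'NET-DB-02-R1' into ('NET', 'DB-02', 1); return None if malformed."""
    m = REQ_ID.match(req_id)
    if not m:
        return None
    return m.group("category"), m.group("risk"), int(m.group("number"))


def summarise(export_text):
    """Reduce an export to the numbers a reviewer or CI gate actually acts on."""
    data = json.loads(export_text)
    findings = data.get("findings", [])
    status_counts = Counter(f["status"] for f in findings)
    failed_by_category = Counter()
    located, unlocated = [], []
    for f in findings:
        if f["status"] != "fail":
            continue
        parsed = parse_requirement_id(f["requirement_id"])
        failed_by_category[parsed[0] if parsed else "UNKNOWN"] += 1
        if "file" in f:  # code-level finding with a remediation location
            located.append(f"{f['requirement_id']} {f['file']}:{f['line']}")
        else:            # project-level finding (e.g. missing security.txt)
            unlocated.append(f["requirement_id"])
    prohibited = [p["algorithm"] for p in data.get("cbom", {}).get("primitives", [])
                  if p.get("classification") == "prohibited"]
    return {
        "status_counts": dict(status_counts),
        "failed_by_category": dict(failed_by_category),
        "located": located,
        "unlocated": unlocated,
        "prohibited_primitives": prohibited,
    }


def ci_exit_code(summary):
    """Block on confirmed failures or prohibited primitives; 'review' items do not block."""
    blocking = summary["status_counts"].get("fail", 0) or summary["prohibited_primitives"]
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python triage.py scan-results.json  (falls back to the sample export)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    result = summarise(text)
    print(json.dumps(result, indent=2))
    sys.exit(ci_exit_code(result))
```

Review findings are deliberately not treated as blocking: they need a human or LLM decision first, and failing the build on them trains teams to ignore the gate. Prohibited CBOM primitives block even when no requirement is listed as failed, since the CBOM and the assessment are separate sections of the output.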