`fleet scan` — CLI Reference

Usage:

```sh
fleet scan [OPTIONS]
```

| Flag | Default | Description |
|---|---|---|
| `-p, --path <PATH>` | `.` | Path to the project to scan |
| `-o, --output <FORMAT>` | `json` | Output format: `json` or `pretty` |
| `--sbom` | `true` | Generate Software Bill of Materials (CycloneDX 1.6) |
| `--cbom` | `true` | Generate Cryptographic Bill of Materials |
| `--llm <BACKEND>` | `off` | LLM backend: `off`, `ollama`, `claude`, `openai` |
| `--ci` | `false` | CI mode: structured JSON logs, machine-readable exit codes |
| `--log-level <LEVEL>` | `info` | Log verbosity: `trace`, `debug`, `info`, `warn`, `error` |
| `--output-file <PATH>` | stdout | Write JSON report to file |
| `--report <PATH>` | (none) | Generate Module A Markdown report |
| `--api-url <URL>` | (none) | Fleet API URL for uploading results |
| `--api-key <KEY>` | (none) | Fleet API key (or set `FLEET_API_KEY` env var) |
Examples:

Scan a project and print a human-readable report:

```sh
fleet scan --path ./my-project --output pretty
```

Write the JSON report to a file:

```sh
fleet scan --path . --output json --output-file scan-results.json
```

Generate the Module A Markdown report:

```sh
fleet scan --path . --report cra-report.md
```

Enable LLM review with a local Ollama backend:

```sh
fleet scan --path . --llm ollama --output pretty
```

Use Claude as the LLM backend, with the API key taken from the environment:

```sh
export ANTHROPIC_API_KEY=sk-ant-...
fleet scan --path . --llm claude
```

CI run producing a JSON report plus SBOM and CBOM:

```sh
fleet scan --path . --ci --output json --output-file results.json --sbom --cbom
```

CI run that uploads results to the Fleet API:

```sh
fleet scan --path . --ci \
  --api-url https://fleet.example.com \
  --api-key $FLEET_API_KEY
```

Quiet run that logs errors only:

```sh
fleet scan --path . --log-level error --output json
```
Example JSON report (large sections abbreviated with `...`):

```json
{
  "scan": {
    "path": ".",
    "timestamp": "2026-04-03T12:00:00Z",
    "duration_ms": 5000,
    "commit_sha": "abc12345",
    "ci_provider": "github",
    "llm_backend": "claude",
    "llm_model": "claude-sonnet-4-6"
  },
  "catalog": {
    "version": "1.0.0",
    "requirements": 401
  },
  "project": {
    "languages": ["rust", "javascript"],
    "source_files": 93,
    "manifest_files": 4,
    "lockfiles": 4
  },
  "summary": {
    "total": 152,
    "pass": 55,
    "fail": 40,
    "needs_review": 57,
    "llm_reviewed": 0
  },
  "findings": [...],
  "evidence": [...],
  "sbom": { "bomFormat": "CycloneDX", ... },
  "cbom": { "bomFormat": "CycloneDX", ... },
  "cbom_summary": {
    "total": 314,
    "approved": 301,
    "deprecated": 6,
    "prohibited": 7,
    "by_category": { "hash": 120, "symmetric-cipher": 45, ... }
  }
}
```
Exit codes:

| Code | Meaning |
|---|---|
| 0 | All requirements pass (or not in CI mode) |
| 1 | Failing findings detected (CI mode only) |
| 2 | Scanner error |

When --ci is set:

  • Logs are structured JSON written to stderr
  • Progress messages are suppressed
  • Exit code 1 if any findings have fail status
  • CI provider auto-detected from environment variables:
    • GITHUB_ACTIONS -> github
    • GITLAB_CI -> gitlab
    • JENKINS_URL -> jenkins
    • BITBUCKET_PIPELINE_UUID -> bitbucket
    • BUILD_BUILDID -> azure-devops
    • CIRCLECI -> circleci
    • DRONE -> drone
    • CI_WOODPECKER -> woodpecker
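A CI gate built on the exit codes and JSON report described above, as an added Python example that is not part of the fleet project: it runs the scanner in CI mode, refuses to treat a scanner error (exit 2) as a clean run, and applies a local policy to `summary.fail` and `cbom_summary`. The `fleet` invocation in `run_scan`, the `gate` policy thresholds and the sample counts are assumptions.

```python
"""CI gate for a `fleet scan --ci --output json` report (added example, not
fleet's own code; assumes the report layout and exit codes documented above)."""
import json
import subprocess
import sys

EXIT_PASS, EXIT_FAIL, EXIT_ERROR = 0, 1, 2  # exit codes from the table above

def run_scan(path: str, report_file: str) -> int:
    """Run the scanner in CI mode and return its exit code (needs `fleet` on PATH)."""
    cmd = ["fleet", "scan", "--path", path, "--ci", "--output", "json",
           "--output-file", report_file, "--sbom", "--cbom"]
    return subprocess.run(cmd).returncode  # JSON logs go to stderr, report to file

def gate(report: dict, max_deprecated: int = 0) -> tuple[int, list[str]]:
    """Return (exit_code, reasons): the documented rule (exit 1 on any fail finding)
    plus a local CBOM policy (prohibited always fails, deprecated above a limit)."""
    reasons = []
    fails = report.get("summary", {}).get("fail", 0)
    if fails > 0:
        reasons.append(f"{fails} failing findings")
    cbom = report.get("cbom_summary", {})
    if cbom.get("prohibited", 0) > 0:
        reasons.append(f"{cbom['prohibited']} prohibited crypto primitives")
    if cbom.get("deprecated", 0) > max_deprecated:
        reasons.append(f"{cbom['deprecated']} deprecated crypto primitives "
                       f"(limit {max_deprecated})")
    return (EXIT_FAIL if reasons else EXIT_PASS), reasons

# Constructed sample report (counts invented) in the structure documented above.
SAMPLE_REPORT = {
    "summary": {"total": 152, "pass": 55, "fail": 40, "needs_review": 57},
    "cbom_summary": {"total": 314, "approved": 301, "deprecated": 6, "prohibited": 7},
}

def main(path: str = ".", report_file: str = "results.json") -> int:
    rc = run_scan(path, report_file)
    if rc == EXIT_ERROR:  # a scanner error must never pass as a clean run
        print("fleet scan could not complete; failing the job", file=sys.stderr)
        return EXIT_ERROR
    with open(report_file) as fh:
        code, reasons = gate(json.load(fh))
    for reason in reasons:
        print(f"gate: {reason}", file=sys.stderr)
    return code

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Without `--ci` the scanner itself always exits 0, so the verdict has to come from the report contents, which is what `gate` does; it also fails closed when the report is missing a section rather than guessing.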
Environment variables:

| Variable | Purpose |
|---|---|
| `FLEET_API_URL` | Fleet API URL (alternative to `--api-url`) |
| `FLEET_API_KEY` | Fleet API key (alternative to `--api-key`) |
| `ANTHROPIC_API_KEY` | Claude API key (when `--llm claude`) |
| `OPENAI_API_KEY` | OpenAI API key (when `--llm openai`) |
| `FLEET_LLM_OLLAMA_URL` | Ollama URL (default: `http://localhost:11434`) |
| `FLEET_LLM_OLLAMA_MODEL` | Ollama model (default: `llama3.1:8b`) |
| `FLEET_LLM_CLAUDE_MODEL` | Claude model (default: `claude-sonnet-4-6`) |
| `FLEET_LLM_OPENAI_BASE_URL` | OpenAI-compatible base URL |
| `FLEET_LLM_OPENAI_MODEL` | OpenAI model (default: `gpt-4o`) |

The scanner discovers and analyzes:

  • Source files: .rs, .ts, .tsx, .js, .py, .go, .java, .kt, .rb, .php, .cs, .c, .cpp, .swift
  • Config files: .yml, .yaml, .toml, .json, .conf, .env, Dockerfile
  • Package manifests: Cargo.toml, package.json, pyproject.toml, go.mod, pom.xml, Gemfile, composer.json
  • Lockfiles: Cargo.lock, package-lock.json, yarn.lock, poetry.lock, go.sum, Gemfile.lock, composer.lock, packages.lock.json, Pipfile.lock
  • CI configs: .github/workflows/, .gitlab-ci.yml, Jenkinsfile, bitbucket-pipelines.yml
  • Security files: SECURITY.md, .well-known/security.txt

Skipped directories: node_modules, .git, target, __pycache__, .venv, dist, build, .next