scanr-cli is the executable crate that exposes the scanr command.

- scanr-cli: install and run scanr as an end user.
- scanr-sca: embed Scanr SCA scanning in your Rust app.
- scanr-engine: build custom engines on Scanr contracts (ScanEngine, Finding, ScanResult).

Published crates:

- https://crates.io/crates/scanr-cli
- https://crates.io/crates/scanr-sca
- https://crates.io/crates/scanr-engine
CLI install:

```
cargo install scanr-cli --locked
```

Usage:

```
scanr
scanr scan <path> [options]
scanr baseline save [path]
scanr baseline status [path]
scanr trace <package> [path]
scanr sbom generate [path] [-o <file>]
scanr sbom diff <old.json> <new.json>
```

scanr (no arguments): starts the full-screen interactive TUI.

scanr scan: runs dependency parsing, OSV vulnerability investigation, risk summary, and upgrade suggestions. Also evaluates license compliance and prints the license summary and violations.
Flags:

- -c, --ci: enable CI policy enforcement
- --json: print canonical ScanResult JSON only
- --sarif: print SARIF v2.1.0 only
- --list-deps: print parsed dependency list before vulnerability summary
- --raw-json: print extended raw payload after human-readable output
- --raw-json-out <FILE>: write extended raw payload to file
- --baseline: compare current findings to .scanr/baseline.json
- --offline: use only local cache and skip OSV HTTP calls
- --refresh: ignore TTL and force fresh OSV fetch
- -r, --recursive: accepted CLI flag (reserved for recursive manifest discovery)

Mutual exclusions:

- --json and --sarif cannot be used together
- --ci cannot be combined with --json or --sarif
- --offline and --refresh cannot be used together
scanr sbom generate: generates a CycloneDX JSON SBOM.

```
scanr sbom generate
scanr sbom generate . -o my.sbom.cdx.json
```

scanr sbom diff: compares two CycloneDX JSON SBOM files and prints:
- added dependencies
- removed dependencies
- version changes
- introduced dependency vulnerability delta
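The following is an added example, not scanr's own code, showing the comparison behind `scanr sbom diff` and, in `delta`, the same set arithmetic that `scanr baseline status` reports (new = current - baseline, fixed = baseline - current). It reads the standard CycloneDX JSON fields (`components[].purl/name/version` and `vulnerabilities[].id/affects[].ref`); both SBOM documents below are constructed for the example, and the third vulnerability id is a made-up placeholder in the same pattern as the page's sample output.

```python
"""Diff two CycloneDX JSON SBOMs: added/removed components, version changes,
and the vulnerability delta between them (added example, not scanr's code)."""
import json

# Constructed "before" SBOM: mirrors the page's sample findings.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "package-a", "version": "1.2.3", "purl": "pkg:npm/package-a@1.2.3"},
        {"type": "library", "name": "legacy-lib", "version": "1.0.0", "purl": "pkg:npm/legacy-lib@1.0.0"},
        {"type": "library", "name": "package-b", "version": "4.5.0", "purl": "pkg:pypi/package-b@4.5.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2026-0001", "affects": [{"ref": "pkg:npm/package-a@1.2.3"}]},
        {"id": "CVE-2026-0002", "affects": [{"ref": "pkg:pypi/package-b@4.5.0"}]},
    ],
})

# Constructed "after" SBOM: package-a upgraded, legacy-lib dropped, new-dep added.
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "package-a", "version": "1.2.5", "purl": "pkg:npm/package-a@1.2.5"},
        {"type": "library", "name": "package-b", "version": "4.5.0", "purl": "pkg:pypi/package-b@4.5.0"},
        {"type": "library", "name": "new-dep", "version": "0.1.0", "purl": "pkg:npm/new-dep@0.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2026-0002", "affects": [{"ref": "pkg:pypi/package-b@4.5.0"}]},
        # Placeholder id constructed for this example, not a real advisory.
        {"id": "CVE-2026-0003", "affects": [{"ref": "pkg:npm/new-dep@0.1.0"}]},
    ],
})


def component_index(doc):
    """Map a version-less identity (purl without '@version', else the name) to its version.
    Keying on the purl keeps same-named packages from different ecosystems apart."""
    index = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        key = purl.rsplit("@", 1)[0] if purl and "@" in purl else comp["name"]
        index[key] = comp.get("version", "")
    return index


def vulnerability_set(doc):
    """Set of (vulnerability id, affected component ref) pairs from the SBOM."""
    pairs = set()
    for vuln in doc.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            pairs.add((vuln["id"], affected["ref"]))
    return pairs


def delta(baseline, current):
    """Baseline arithmetic: new = current - baseline, fixed = baseline - current."""
    return sorted(current - baseline), sorted(baseline - current)


def diff_sboms(old_json, new_json):
    """Return the added/removed/changed components and the vulnerability delta."""
    old, new = json.loads(old_json), json.loads(new_json)
    old_idx, new_idx = component_index(old), component_index(new)
    added = sorted(k for k in new_idx if k not in old_idx)
    removed = sorted(k for k in old_idx if k not in new_idx)
    changed = sorted((k, old_idx[k], new_idx[k])
                     for k in old_idx if k in new_idx and old_idx[k] != new_idx[k])
    new_vulns, fixed_vulns = delta(vulnerability_set(old), vulnerability_set(new))
    return {"added": added, "removed": removed, "version_changes": changed,
            "new_vulnerabilities": new_vulns, "fixed_vulnerabilities": fixed_vulns}


def format_report(report):
    """Human-readable rendering in the spirit of the CLI output."""
    lines = [f"added ({len(report['added'])}): " + ", ".join(report["added"]),
             f"removed ({len(report['removed'])}): " + ", ".join(report["removed"])]
    lines += [f"changed: {k} {a} -> {b}" for k, a, b in report["version_changes"]]
    lines += [f"new vulnerability: {vid} on {ref}" for vid, ref in report["new_vulnerabilities"]]
    lines += [f"fixed vulnerability: {vid} on {ref}" for vid, ref in report["fixed_vulnerabilities"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_sboms(OLD_SBOM, NEW_SBOM)))
```

Because the affected `ref` carries the version, an upgrade of package-a changes its ref and CVE-2026-0001 shows up in the fixed set rather than as a still-present finding, which is the behaviour you want from a delta that is meant to gate a merge.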
```
scanr sbom diff old.cdx.json new.cdx.json
```

scanr baseline save: runs a full scan and writes a deterministic vulnerability snapshot to .scanr/baseline.json.

```
scanr baseline save
scanr baseline save .
```

scanr baseline status: loads .scanr/baseline.json, runs the current scan, and prints:
- baseline vulnerability count
- current vulnerability count
- new vulnerabilities (current - baseline)
- fixed vulnerabilities (baseline - current)
- security debt/risk delta summary
```
scanr baseline status
scanr baseline status .
```

scanr trace: traces root-to-target dependency paths for Node projects using package-lock.json.

```
scanr trace minimatch
scanr trace minimatch .
```

Behavior:
- Builds a temporary in-memory graph only for trace command execution
- Finds matching package versions by name
- Prints one or more root-to-target paths
- Prints vulnerability context (severity/CVE/fix) when available
Current scope:
- Supported: Node lockfile tracing
- Not supported: Python and non-lockfile graph sources
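To make the behaviour above concrete, here is an added example (not scanr's own implementation) that builds an in-memory graph from a lockfileVersion 2/3 `package-lock.json`, resolves each requirement the way Node does (nearest `node_modules/<name>` walking up from the requiring package) and prints every root-to-target path. The lockfile below is constructed for the example and includes a nested, older copy of minimatch so that two distinct versions are reached; vulnerability context is deliberately left out since this example has no advisory source.

```python
"""Trace root-to-target paths through a package-lock.json (added example, not scanr's code)."""
import json

# Constructed lockfile: two top-level dependents share minimatch 3.1.2 while
# old-tool pins its own nested minimatch 3.0.4.
LOCKFILE = json.dumps({
    "name": "my-project", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-project",
             "dependencies": {"glob": "^7.2.3", "old-tool": "^1.0.0"},
             "devDependencies": {"eslint": "^8.57.0"}},
        "node_modules/glob": {"version": "7.2.3", "dependencies": {"minimatch": "^3.1.1"}},
        "node_modules/eslint": {"version": "8.57.0", "dependencies": {"minimatch": "^3.1.2"}},
        "node_modules/minimatch": {"version": "3.1.2"},
        "node_modules/old-tool": {"version": "1.0.0", "dependencies": {"minimatch": "^3.0.0"}},
        "node_modules/old-tool/node_modules/minimatch": {"version": "3.0.4"},
    },
})


def requirements(entry):
    """All dependency names an entry requires (prod, dev and optional)."""
    names = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(entry.get(key, {}))
    return sorted(names)


def resolve(packages, from_path, dep_name):
    """Node-style lookup: try <from_path>/node_modules/<dep>, then walk up one
    nesting level at a time until the top-level node_modules is reached."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def matching_versions(packages, name):
    """Every installed version of `name`, wherever it sits in the tree."""
    versions = set()
    for key, entry in packages.items():
        if key and key.rsplit("node_modules/", 1)[-1] == name:
            versions.add(entry.get("version", "?"))
    return sorted(versions)


def trace_paths(lock, target):
    """Depth-first walk from the root entry; returns each path as a list of labels."""
    packages = lock["packages"]
    found = []

    def walk(path_key, chain, seen):
        for dep in requirements(packages[path_key]):
            resolved = resolve(packages, path_key, dep)
            if resolved is None or resolved in seen:  # missing or cyclic edge
                continue
            label = f"{dep}@{packages[resolved].get('version', '?')}"
            if dep == target:
                found.append(chain + [label])
                continue
            walk(resolved, chain + [label], seen | {resolved})

    root_name = packages[""].get("name", lock.get("name", "root"))
    walk("", [root_name], frozenset())
    return found


def render(lock, target):
    """Text rendering: one line per path plus the set of matched versions."""
    lines = [" -> ".join(p) for p in trace_paths(lock, target)]
    lines.append(f"versions of {target}: " + ", ".join(matching_versions(lock["packages"], target)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(json.loads(LOCKFILE), "minimatch"))
```

The nested copy is the case worth checking in a real tree: a fix that bumps the top-level minimatch leaves `node_modules/old-tool/node_modules/minimatch` untouched, and only a path-aware trace like this one makes that visible.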
Command:

```
scanr scan .
```

Sample output:
```
Scanr Security Scan
Target: my-project
Path: F:\my-project
Dependencies analyzed: 120
Vulnerabilities found: 2

#  CVE            SEV     SCORE  AFFECTED  PACKAGE    FIX
---------------------------------------------------------------------------------
1  CVE-2026-0001  high    3.1    1.2.3     package-a  1.2.5
2  CVE-2026-0002  medium  4.0    4.5.0     package-b  4.5.7

Upgrade recommendations: 2

#  PACKAGE    ECO     CURRENT  SUGGESTED  STATUS
-----------------------------------------------------------------------
1  package-a  node    1.2.3    1.2.5      safe
2  package-b  python  4.5.0    5.0.1      safe (major upgrade)

Risk Summary
critical: 0 | high: 1 | medium: 1 | low: 0 | unknown: 0
risk level: HIGH

License Compliance
Violations: 1
- legacy-lib@1.0.0 uses GPL-3.0 (License is blocked)
Result: WARN (non-blocking)

License Summary:
Apache-2.0: 50
MIT: 69
GPL-3.0: 1
```
In CI mode (--ci), license violations can fail the build when [license].enforce_in_ci = true in scanr.toml.

```
scanr --help
scanr --version
```