Guide Docs API keys Start 14-day Pro trial

CVERiskPilotAPI Docs

Developer Guide API Reference Resources Release Notes

Docs

CLI Reference

CLI

CLI reference

crp-scan / cveriskpilot-scan

Complete reference for @cveriskpilot/scan. The CLI scans dependencies, secrets, and IaC, then maps findings to NIST 800-53, SOC 2, CMMC, FedRAMP, ASVS, and SSDF controls.

Installation

Install globally, run with npx, or clone from GitHub.

npm (global install)

npm install -g @cveriskpilot/scan

npx (no install required)

npx @cveriskpilot/scan@latest --preset startup

GitHub (clone and link)

git clone https://github.com/devbrewster/cveriskpilot-scan.git
cd cveriskpilot-scan
npm link

Quick Start

Common commands to get started quickly. Both crp-scan and cveriskpilot-scan are valid binary names.

Scan current directory with startup preset

crp-scan --preset startup

Full scan with all six frameworks

crp-scan --preset all --verbose

Dependencies only, fail on CRITICAL in CI

crp-scan --deps-only --ci --fail-on CRITICAL

Secrets scan with JSON output

crp-scan --secrets-only --format json

Defense preset, exclude test files, SARIF output

crp-scan --preset defense --exclude "**/test/**" --format sarif

Save results to file (all formats output to stdout)

# JSON — full findings + compliance impact
crp-scan --format json > scan-results.json

# SARIF — upload to GitHub Code Scanning
crp-scan --format sarif > results.sarif

# Markdown — paste into PR comments or wiki
crp-scan --format markdown > compliance-report.md

# Pipe JSON to jq for quick queries
crp-scan --format json | jq '.complianceImpact.frameworkSummary'

Upload results to CVERiskPilot platform

crp-scan --preset enterprise --api-key $CRP_API_KEY

CLI Flags

All available flags organized by category.

Scanner Control

Flag	Description
`--deps-only`	Run dependency (SBOM) scan only. Skips secrets and IaC checks.
`--secrets-only`	Run secrets scan only. Detects API keys, tokens, and credentials using 30+ regex patterns and entropy detection.
`--iac-only`	Run Infrastructure as Code scan only. Checks Terraform, Dockerfile, Kubernetes YAML, and CloudFormation.

Framework Selection

Flag	Description
`--frameworks <list>`	Comma-separated list of frameworks to map findings against. Options: nist, soc2, cmmc, fedramp, asvs, ssdf.
`--preset <name>`	Load a predefined set of frameworks. See framework presets table below.
`--list-frameworks`	Print all available frameworks and presets, then exit.

Filtering

Flag	Description
`--severity <level>`	Minimum severity threshold. Options: LOW, MEDIUM, HIGH, CRITICAL. Findings below this level are excluded from output.
`--exclude <glob>`	Exclude file paths matching the glob pattern. Repeatable (e.g., --exclude node_modules --exclude dist).
`--exclude-cwe <list>`	Comma-separated list of CWE IDs to exclude from results (e.g., --exclude-cwe CWE-79,CWE-89).

Output

Flag	Description
`--format <type>`	Output format. Options: table (default), json, sarif, markdown.
`--fail-on <level>`	Exit with code 1 if any finding meets or exceeds this severity. Options: LOW, MEDIUM, HIGH, CRITICAL.
`--ci`	CI mode. Non-interactive output, no color, deterministic exit codes. Recommended for automated pipelines.
`--verbose`	Enable verbose output. Shows detailed scan progress, file-by-file results, and timing information.

Upload

Flag	Description
`--api-key <key>`	CVERiskPilot API key for uploading results to the platform. Can also be set via CRP_API_KEY environment variable.
`--api-url <url>`	API endpoint URL. Defaults to https://api.cveriskpilot.com. Override for self-hosted or staging environments.
`--no-upload`	Skip uploading results to CVERiskPilot. Scan results are printed locally only.

Framework Presets

Presets bundle multiple frameworks into a single --preset flag. Use --list-frameworks to see all available options.

Preset	Frameworks	Use Case
`federal`	NIST 800-53, FedRAMP, SSDF	Federal agencies and contractors subject to FISMA and FedRAMP requirements.
`defense`	NIST 800-53, CMMC, SSDF	Defense Industrial Base (DIB) contractors pursuing CMMC certification.
`enterprise`	NIST 800-53, SOC 2, ASVS, SSDF	Enterprise organizations with SOC 2 audit requirements and secure development practices.
`startup`	SOC 2, ASVS	Startups and SaaS companies building toward SOC 2 compliance.
`devsecops`	ASVS, SSDF	Development teams focused on secure coding standards and software supply chain security.
`all`	NIST 800-53, SOC 2, CMMC, FedRAMP, ASVS, SSDF	Map findings against all six supported frameworks.

Output Formats

Set the output format with --format <type>. The default is table.

Format	Description
`table`	Color-coded severity badges with per-finding compliance control mapping (e.g., SOC 2 Type II:CC6.1, OWASP ASVS:V1.2). Adapts to terminal width — no information gets cut off.
`json`	Structured JSON with full finding details (CWE/CVE IDs), severity summary, verdict breakdown, and complete compliance impact per framework. Pipe to jq or save with > scan-results.json.
`sarif`	SARIF 2.1.0 for GitHub Code Scanning, GitLab SAST, and Azure DevOps. Save with > results.sarif.
`markdown`	Markdown tables with findings, compliance impact, and summary. Save with > compliance-report.md for PR comments or wiki pages.

Exit Codes

Use exit codes to gate CI/CD pipelines. Combine with --fail-on and --ci for deterministic behavior.

Code	Status	Description
`0`	PASS	Scan completed successfully. No findings met the --fail-on threshold (or no threshold was set).
`1`	FAIL	Scan completed but one or more findings met or exceeded the --fail-on severity threshold.
`2`	ERROR	Scan could not complete due to an error (invalid arguments, missing files, runtime failure).

How Compliance Mapping Works

Every finding follows a deterministic mapping chain from vulnerability to compliance control. The scanner maintains 80+ CWE entries that map to 135 total controls across all six frameworks.

FindingCWENIST 800-53SOC 2 / CMMC / FedRAMP / ASVS / SSDF

For example, a hardcoded API key (CWE-798) maps to NIST 800-53 control IA-5 (Authenticator Management), which then maps to SOC 2 CC6.1, CMMC IA.L2-3.5.10, and corresponding FedRAMP, ASVS, and SSDF controls. This chain is fully offline and deterministic — no network calls required.

Finding	CWE	NIST 800-53	SOC 2	CMMC
Known Vulnerable Dependency	CWE-1395	SI-2, RA-5	CC7.1	SI.L2-3.14.1
Hardcoded API Key	CWE-798	IA-5	CC6.1	IA.L2-3.5.10
SQL Injection	CWE-89	SI-10	CC6.1	SI.L2-3.14.2
Insecure Dockerfile (root user)	CWE-250	AC-6, CM-7	CC6.3	AC.L2-3.1.5

Dependencies (SBOM)

Supported lockfiles: package-lock.json, yarn.lock, requirements.txt, Cargo.lock, go.sum

Secrets Detection

30+ regex patterns plus entropy detection for API keys, tokens, passwords, and credentials

Infrastructure as Code

Terraform, Dockerfile, Kubernetes YAML, and CloudFormation template scanning

Next Steps

Pipeline Setup Guide

Step-by-step guide to integrate crp-scan into your CI/CD pipeline.

Open page

GitHub Action

Wire the scanner into GitHub workflows with the hosted action path.