
firmis init - Set Up Firmis in Your Project

You just heard about Firmis and you want to know if your AI stack is safe. firmis init answers that question in under 30 seconds - no config, no docs, no signup.

Terminal window
firmis init [path]

If [path] is omitted, Firmis initializes in the current directory.

firmis init is the fastest path from zero to your first security result. It detects every AI platform in your project, runs a full scan against all 324 detection rules across 21 threat categories, writes a .firmisrc.json config file, and shows you what to do next based on what was found.

If .firmisrc.json already exists, init uses the existing file rather than overwriting it, so it is safe to re-run.

After firmis init, your workflow continues with firmis scan for deeper analysis, firmis fix to apply remediations, and firmis ci to add a security gate to your pipeline.

  1. Detects your AI tools - auto-discovers Claude Skills, MCP Servers, Cursor Rules, and more platforms
  2. Runs a security scan - all detection rules across threat categories
  3. Shows your results - finding counts by bucket (confirmed, hardening, unverified)
  4. Generates .firmisrc.json - config file with your detected platforms and sensible defaults
  5. Captures MCP server baselines - records the current state of your MCP servers for drift detection
  6. Offers to install security hooks - optional pre-commit hooks that scan before each commit
  7. Generates HTML report - auto-generates firmis-report.html and opens it in your browser
  8. Syncs to cloud - if you are logged in, results are synced to your workspace
  9. Shows next steps - what to do based on your results, free and pro

Terminal
npx firmis-cli init

Initialize in a specific project directory

Terminal
npx firmis-cli init ./my-agent-project

Re-run after deleting config to reset detected platforms

Terminal
rm .firmisrc.json
npx firmis-cli init
Terminal
Firmis Scanner
Detecting AI tools...
✓ Claude Skills: 5 components
✓ MCP Servers: 3 components
✓ Cursor Extensions: 2 components
Scanning...
12 findings
3 known vulnerabilities 5 fixable 4 findings
✓ Config written to .firmisrc.json
12 patterns need verification
firmis login to get 50 AI credits/month
Then run firmis scan --deep to verify patterns
Scan complete. Run firmis scan --html for the full report.
Next: firmis fix .

firmis init writes a .firmisrc.json in your project root:

.firmisrc.json
{
  "platforms": ["claude", "mcp", "cursor"],
  "severity": "low",
  "failOn": "high",
  "exclude": ["node_modules", ".git", "dist", "build"]
}

This file is picked up automatically by firmis scan and firmis ci on subsequent runs.

If .firmisrc.json already exists, firmis init prints a note and uses the existing config rather than overwriting it. The scan and summary still run.

Delete the file first if you want to regenerate the config from scratch based on re-detected platforms.

firmis init takes no flags beyond the optional path argument. Configuration happens in .firmisrc.json after the first run.

| Code | Meaning |
| --- | --- |
| 0 | Init completed. Config written (or existing config used). |
| 1 | No platforms detected, or scan error. |

After running firmis init, your most useful next steps depend on what was found:

| Situation | Next command | Why |
| --- | --- | --- |
| You want to see the full report | firmis scan --html | Interactive HTML with evidence and remediation |
| You want CI protection | firmis ci | Fails builds on high/critical threats |
| You want a README badge | firmis badge | Shows your security grade publicly |
| You want to fix threats | firmis fix | Auto-remediates fixable findings |
| You want runtime monitoring | firmis monitor --install | Watches tool calls in real time |

  • scan - run subsequent scans with full options
  • fix - apply remediations after your first scan
  • ci - add a security gate to your CI pipeline