Radar CLI is a command-line tool that orchestrates multiple application security scanners — for code, dependencies, containers, and secrets — in one unified package. We've put a lot of effort into making Radar CLI easy to use for developers and easy to integrate into CI/CD pipelines. Check out our accompanying GitHub Action for Radar CLI.
With Radar CLI, you can:
- Run SAST, SCA, container, and secret scanning locally or in CI/CD pipelines.
- Generate unified SARIF reports compatible with industry-standard security and vulnerability analysis tools.
- Optionally upload results to Eureka ASPM for centralized tracking, deduplication, and prioritization.
Telemetry is off by default — nothing is uploaded unless you explicitly enable it.
- Node.js 22.17.0 or higher
- Docker (for containerized scanners)
Install globally using npm:
```shell
npm i -g @eurekadevsecops/radar
```

Verify the installation:

```shell
radar --version
```

Run the CLI to view available commands:

```shell
radar
```

Example output:

```
COMMANDS
  help      display help
  scan      scan for vulnerabilities
  scanners  display available scanners
```
You can view help for any command:

```shell
radar help scan
```

To scan the current working directory:

```shell
radar scan
```

You can also specify scanners to use:

```shell
radar scan -s opengrep,gitleaks,grype
```

Output a SARIF report:

```shell
radar scan -s opengrep,gitleaks,grype -o report.sarif
```

All scanners in Radar are fully containerized for consistency and isolation. When you run a scan, Radar CLI automatically launches the corresponding scanner inside a Docker container. This ensures clean, reproducible results without needing to install each scanner locally. A working Docker Engine is required to run Radar scanners, and the container images for all supported scanners are publicly available on the GitHub Container Registry.
| By Scanner | Categories | Description |
|---|---|---|
| Dep-Scan | SCA | OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization. |
| Gitleaks | Secrets | Gitleaks is a tool for detecting secrets like passwords, API keys, and tokens. |
| Grype | SCA, Container | Scans the contents of a container image or filesystem to find known vulnerabilities. Find vulnerabilities for language-specific packages and major operating system packages. Supports Docker, OCI and Singularity image formats. |
| Opengrep | SAST | Opengrep is an ultra-fast static code analysis engine to find security issues in code. Opengrep supports 30+ languages. |
| Veracode SCA | SCA | Effectively identify open-source risks with unmatched precision, ensuring secure and compliant code. Leverages a proprietary database to accurately and promptly detect new vulnerabilities. |
Scanners grouped by category:
| By Category | Description | Scanners |
|---|---|---|
| SAST | Detects insecure code patterns | Opengrep |
| Secrets | Finds hardcoded credentials | Gitleaks |
| SCA | Detects vulnerable package dependencies | Veracode SCA, Grype, Dep-Scan |
| Container | Scans Docker, OCI, and Singularity image formats | Grype |
The Veracode SCA (formerly SourceClear) scanner requires the `SRCCLR_API_TOKEN` environment variable. If it is missing or invalid, scanning with Veracode SCA will not work. Read more about it in the Veracode SCA online documentation.
USAGE

```shell
radar scan [OPTIONS] [TARGET]
```

Scans your source code and dependencies for vulnerabilities. If no target is specified, the current working directory is scanned.
OPTIONS

| Option | Description |
|---|---|
| `-c, --categories` | List of scanner categories (e.g. sast, sca, secrets). |
| `-s, --scanners` | Comma-separated list of scanners to run. Use `radar scanners` to list available ones. |
| `-o, --output` | Output findings into a SARIF file. |
| `-d, --debug` | Log detailed debug info to stdout. |
| `-q, --quiet` | Suppress stdout logging (except errors). |
| `-f, --format` | Output format for severity display: `security` (high/moderate/low) or `sarif` (error/warning/note). |
| `-e, --escalate` | Treat specified lower severities as high (e.g. `--escalate=moderate,low`). |
| `-l, --local` | Run a local scan (don't upload scan findings to Eureka). |
PARAMETERS

| Parameter | Description |
|---|---|
| `TARGET` | (Optional) Path to scan. Defaults to current directory. |
- `--categories` lets you run all scanners in one or more categories. Example: `--categories=sca,sast`
- `--scanners` lets you choose specific scanners by name. Example: `--scanners=opengrep,depscan`
- Both can be combined — Radar CLI will run scanners that match both filters.
| Format | Example Severities |
|---|---|
| `security` | high / moderate / low |
| `sarif` | error / warning / note |
You can also escalate severities:

```shell
# Treat moderates and lows as highs
radar scan -e moderate,low
```

Or:

```shell
# Treat warnings and notes as errors
radar scan -f sarif -e warning,note
```

An exit code of 0 means the scan passed with no issues. Any other code means the scan failed — either due to new vulnerabilities found or an error during the scanning process.
| Code | Meaning |
|---|---|
| 0 | Clean and successful scan. |
| 1 | Invalid command, arguments, or options. |
| 8–15 | New vulnerabilities found. |
| >=16 | Aborted due to unexpected error. |
Scan current directory:

```shell
radar scan
```

Scan a specific path:

```shell
radar scan /my/repo/dir
```

Save findings into a SARIF file:

```shell
radar scan -o report.sarif
```

Run only dependency and code scanners:

```shell
radar scan -c sca,sast
```

Run specific scanners:

```shell
radar scan -s depscan,opengrep
```

Enable debug logs:

```shell
radar scan --debug
```

Quiet mode (errors only):

```shell
radar scan --quiet
```

Display findings in SARIF-style severities:

```shell
radar scan -f sarif
```

Treat moderates and lows as highs:

```shell
radar scan -e moderate,low
```

Runs entirely on your machine — by default, Radar CLI doesn't upload any findings. Your vulnerabilities stay local and private.
```shell
radar scan -s opengrep,gitleaks,grype -o report.sarif
```

See all findings in one place with deduplication, trend tracking, and risk prioritization. To upload results to Eureka ASPM, provide your API credentials through the `EUREKA_AGENT_TOKEN` environment variable. When set, Radar CLI automatically uploads results after each scan — letting you view your full scan history and all findings in the Eureka ASPM Dashboard.

```shell
export EUREKA_AGENT_TOKEN=<your token>
radar scan -s opengrep,gitleaks,grype
```

NOTE: To prevent Radar CLI from uploading scan findings even when you have `EUREKA_AGENT_TOKEN` set, you can pass the `-l`/`--local` option on the command line.
Eureka ASPM extends Radar CLI with powerful visibility and collaboration features:
- Single Source of Truth: Aggregate findings from all scanners and repos in one place.
- Less Noise, More Signal: Automatically de-duplicate findings and prioritize risks contextually.
- Faster Fixes: See ownership, severity, and remediation guidance for each issue.
- Track Progress: View how your project’s security posture improves over time.
- Free for Open Source: Open source projects get full access at no cost.
Sign up for a free account at eurekadevsecops.com
Telemetry is off by default. Radar does not send any data externally unless you explicitly provide `EUREKA_AGENT_TOKEN`.
When provided:
- Findings are securely uploaded to Eureka ASPM
- You gain dashboards, trend analysis, and contextual prioritization
When omitted:
- Scans remain fully local
| Issue | Cause | Solution |
|---|---|---|
| ❌ `report.sarif` not found | Scan failed or invalid scanner list | Check scanner names and ensure Docker is running |
| | Missing or invalid token | Set `EUREKA_AGENT_TOKEN` |
| 🧱 `radar: command not found` | CLI not installed globally | Run `npm i -g @eurekadevsecops/radar` again |
Contributions are welcome! See our CONTRIBUTING.md for setup and development guidelines.
Radar CLI is licensed under the terms of the GPL v3 License — © Eureka DevSecOps Inc.
- Issues & feature requests: GitHub Issues
- Security: [email protected]
