## Overview
Radar CLI is a command-line tool that orchestrates multiple application security scanners — for code, dependencies, containers, and secrets — in one unified package. We've put a lot of effort into making Radar CLI easy to use for developers and easy to integrate into CI/CD pipelines. Check out our accompanying GitHub Action for Radar CLI.
With Radar CLI, you can:
- Run SAST, SCA, container, and secret scanning locally or in CI/CD pipelines.
- Generate unified SARIF reports compatible with industry-standard security and vulnerability analysis tools.
- Optionally upload results to Eureka ASPM for centralized tracking, deduplication, and prioritization.
## Requirements
- Node.js 22.17.0 or higher
- Docker (for containerized scanners)
## Installation
Install globally using npm:
```sh
npm i -g @eurekadevsecops/radar
```
Verify the installation:
```sh
radar
```
## Getting Started
Run the CLI to view available commands:
```sh
radar
```
Example output:
```
COMMANDS
  help      display help
  import    import vulnerabilities
  scan      scan for vulnerabilities
  scanners  display available scanners
```
You can view help for any command:
```sh
radar help scan
```
## Running a Scan
To scan the current working directory:
```sh
radar scan
```
You can also specify which scanners to use:
```sh
radar scan -s opengrep,gitleaks,grype
```
Output a SARIF report:
```sh
radar scan -s opengrep,gitleaks,grype -o report.sarif
```
## Supported Scanners
All scanners in Radar are fully containerized for consistency and isolation. When you run a scan, Radar CLI automatically launches the corresponding scanner inside a Docker container. This ensures clean, reproducible results without needing to install each scanner locally. A working Docker Engine is required to run Radar scanners, and the container images for all supported scanners are publicly available on the GitHub Container Registry.
| By Scanner | Categories | Description |
|---|---|---|
| Dep-Scan | SCA | OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization. |
| Gitleaks | Secrets | Gitleaks is a tool for detecting secrets like passwords, API keys, and tokens. |
| Grype | SCA, Container | Scans the contents of a container image or filesystem to find known vulnerabilities. Find vulnerabilities for language-specific packages and major operating system packages. Supports Docker, OCI and Singularity image formats. |
| Opengrep | SAST | Opengrep is an ultra-fast static code analysis engine to find security issues in code. Opengrep supports 30+ languages. |
| Semgrep | SAST | Semgrep is an ultra-fast static code analysis engine to find security issues in code. Semgrep supports 30+ languages. |
| Veracode SAST | SAST | Accurately identify and prioritize security flaws. |
| Veracode SCA | SCA | Effectively identify open-source risks with unmatched precision, ensuring secure and compliant code. Leverages a proprietary database to accurately and promptly detect new vulnerabilities. |
Scanners grouped by category:
| By Category | Description | Scanners |
|---|---|---|
| SAST | Detects insecure code patterns | Opengrep, Semgrep, Veracode SAST |
| Secrets | Finds hardcoded credentials | Gitleaks |
| SCA | Detects vulnerable package dependencies | Veracode SCA, Grype, Dep-Scan |
| Container | Scans Docker, OCI, and Singularity image formats | Grype |
Veracode SCA (formerly SourceClear) scanner requires the SRCCLR_API_TOKEN environment variable. If not present or valid, scanning with Veracode SCA will not work. Read more about it in Veracode SCA online documentation.
Veracode SAST scanner requires the VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET environment variables. If not present or valid, scanning with Veracode SAST will not work. Read more about it in Veracode SAST online documentation.
The Semgrep scanner optionally uses the SEMGREP_APP_TOKEN environment variable. If it is not present or valid, the Semgrep scanner will attempt to run in license-free mode. Read more about it in the Semgrep online documentation.
## More on the radar scan command
### USAGE
```sh
radar scan [OPTIONS] [TARGET]
```
Scans your source code and dependencies for vulnerabilities. If no target is specified, the current working directory is scanned.
### OPTIONS
| Option | Description |
|---|---|
| `-c, --categories` | List of scanner categories (e.g. sast, sca, secrets). |
| `-s, --scanners` | Comma-separated list of scanners to run. Use `radar scanners` to list available ones. |
| `-o, --output` | Output findings into a SARIF file. |
| `-d, --debug` | Log detailed debug info to stdout. |
| `-q, --quiet` | Suppress stdout logging (except errors). |
| `-f, --format` | Output format for severity display: security (high/moderate/low) or sarif (error/warning/note). |
| `-e, --escalate` | Treat specified lower severities as high (e.g. `--escalate=moderate,low`). |
| `-l, --local` | Run a local scan (don't upload scan findings to Eureka). |
| `--disable-analytics` | Disable analytics for this command run. |
| `--skip-sbom` | Skip SBOM generation. |
### PARAMETERS
| Parameter | Description |
|---|---|
| TARGET | (Optional) Path to scan. Defaults to the current directory. |
### Category and Scanner Selection
- `--categories` lets you run all scanners in one or more categories. Example: `--categories=sca,sast`
- `--scanners` lets you choose specific scanners by name. Example: `--scanners=opengrep,depscan`
- Both can be combined: Radar CLI will run the scanners that match both filters.
### Severity Formats
| Format | Example Severities |
|---|---|
| security | high / moderate / low |
| sarif | error / warning / note |
You can also escalate severities:
```sh
# Treat moderates and lows as highs
radar scan -e moderate,low
```
Or:
```sh
# Treat warnings and notes as errors
radar scan -f sarif -e warning,note
```
### SBOM Generation
Radar CLI generates a CycloneDX SBOM after scanners complete and includes it in uploaded scan results when the scanned repository contains a CDXGen-supported dependency manifest or lockfile. SBOM generation runs CDXGen from a temporary workspace with dependency installation disabled, so scans remain predictable and do not run package manager installs. Repositories without supported dependency files skip SBOM generation. Use --skip-sbom to skip this step.
### Exit Codes
An exit code of 0 means the scan passed with no issues. Any other code means the scan failed, either because new vulnerabilities were found or because an error occurred during the scanning process.
| Code | Meaning |
|---|---|
| 0 | Clean and successful scan. |
| 1 | Invalid command, arguments, or options. |
| 8–15 | New vulnerabilities found. |
| >=16 | Aborted due to unexpected error. |
### Examples
Scan the current directory:
```sh
radar scan
```
Scan a specific path:
```sh
radar scan /my/repo/dir
```
Save findings into a SARIF file:
```sh
radar scan -o report.sarif
```
Run only dependency and code scanners:
```sh
radar scan -c sca,sast
```
Run specific scanners:
```sh
radar scan -s depscan,opengrep
```
Enable debug logs:
```sh
radar scan --debug
```
Quiet mode (errors only):
```sh
radar scan --quiet
```
Display findings in SARIF-style severities:
```sh
radar scan -f sarif
```
Treat moderates and lows as highs:
```sh
radar scan -e moderate,low
```
## Example Workflows
### Local Scan (no uploads)
Runs entirely on your machine. By default, Radar CLI doesn't upload any findings; your vulnerabilities stay local and private.
```sh
radar scan -s opengrep,gitleaks,grype -o report.sarif
```
### Upload Findings to Eureka ASPM
See all findings in one place with deduplication, trend tracking, and risk prioritization. To upload results to Eureka ASPM, provide your API credentials through the EUREKA_AGENT_TOKEN environment variable. When it is set, Radar CLI automatically uploads results after each scan, letting you view your full scan history and all findings in the Eureka ASPM Dashboard.
```sh
export EUREKA_AGENT_TOKEN=<your token>
radar scan -s opengrep,gitleaks,grype
```
NOTE: To prevent Radar CLI from uploading scan findings even when EUREKA_AGENT_TOKEN is set, pass the `-l`/`--local` option on the command line.
### Why Upload Findings to Eureka ASPM?
Eureka ASPM extends Radar CLI with powerful visibility and collaboration features:
- Single Source of Truth: Aggregate findings from all scanners and repos in one place.
- Less Noise, More Signal: Automatically de-duplicate findings and prioritize risks contextually.
- Faster Fixes: See ownership, severity, and remediation guidance for each issue.
- Track Progress: View how your project’s security posture improves over time.
- Free for Open Source: Open source projects get full access at no cost.
Sign up for a free account at eurekadevsecops.com
## Scan Uploads to Eureka ASPM
Radar does not send any scan data externally unless you explicitly provide:
`EUREKA_AGENT_TOKEN`
When provided:
- Findings are securely uploaded to Eureka ASPM
- You gain dashboards, trend analysis, and contextual prioritization
When omitted:
- Scans remain fully local
## Analytics
Radar CLI collects limited product analytics to help improve the CLI, understand feature usage, and debug reliability issues across different environments. To disable analytics, use the `--disable-analytics` flag:
```sh
radar scan --disable-analytics
```
When this flag is set, Radar CLI does not send analytics events for that command run.
### Analytics events collected by Radar CLI
Radar CLI includes common runtime metadata with each analytics event, such as CLI version, Node.js version, platform, architecture, and the normalized command flags used for the run.
| Event Name | Properties |
|---|---|
| radar_scan_started | flags, scanners, scanners_count, local |
| radar_scan_completed | flags, scanners, scanners_count, local, scan_id, summary |
| radar_scan_failed | flags, scanners, scanners_count, local, error |
| radar_import_started | flags, scanners, scanners_count |
| radar_import_completed | flags, scanners, scanners_count, scan_id, summary |
| radar_import_failed | flags, scanners, scanners_count, error |
| radar_help_invoked | flags |
## Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| `report.sarif` not found | Scan failed or invalid scanner list | Check scanner names and ensure Docker is running |
| No findings uploaded | Missing or invalid token | Set EUREKA_AGENT_TOKEN |
| `radar: command not found` | CLI not installed globally | Run `npm i -g @eurekadevsecops/radar` again |
## Contributing
Contributions are welcome! See our CONTRIBUTING.md for setup and development guidelines.
## License
Radar CLI is licensed under the terms of the GPL v3 License. Eureka DevSecOps Inc.
## Support
- Issues & feature requests: GitHub Issues
- Security: security@eurekadevsecops.com