# av sast scan

Run the full scan series over a local path and tier every finding RED, YELLOW or GREEN.
## Synopsis

```
av sast scan [flags]
```

The binary ships as `alertavuln`; `av` is the common alias. The two are
interchangeable in every example.
## Description

`av sast scan` runs the full scan series over a local path. Each engine emits
SARIF that is normalised into a single finding set and rendered as a table
(or JSON with `--format json`).
Pass `--project` to also upload the findings to that project so they appear on
the Code Scan page. The scan's source repo and git ref are detected
automatically from the scanned working tree's git metadata; `--repo` and
`--ref` override the detection. `--no-upload` keeps a scan local-only even
when `--project` is set.

For CI gating, `--fail-on` makes the command exit non-zero when the worst
finding is at or above the given tier.
## Options

| Flag | Default | Description |
|---|---|---|
| `--path` | `.` | Path to scan |
| `--format` | `table` | Output format: `table` or `json` |
| `--project` | - | Project ID to upload findings to (omit for a local-only scan) |
| `--repo` | auto-detected | Source repo URL recorded as provenance on upload |
| `--ref` | auto-detected | Git ref recorded as provenance on upload |
| `--no-upload` | `false` | Scan locally only; do not upload even if `--project` is set |
| `--fail-on` | `none` | Exit non-zero if the worst finding is at or above the tier: `red`, `yellow`, or `none` |
## Examples

Scan the current directory with the full scan series:

```
av sast scan --path .
```

Gate a CI pipeline: exit non-zero if the worst finding is RED, with machine-readable output:

```
av sast scan --path . --fail-on red --format json
```

## Exit codes

| Code | Meaning |
|---|---|
| 0 | Scan completed and no finding is at or above the `--fail-on` tier |
| 1 | Scan failed, or at least one finding is at or above the `--fail-on` tier |
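The gate described above, modelled as an added example (not AlertaVuln's own code): one SARIF 2.1.0 document per engine is flattened into a single finding set, each finding is tiered, and the worst tier decides the exit code for a given `--fail-on` value. The mapping from SARIF `level` to RED/YELLOW/GREEN, the duplicate rule, and the sample documents are assumptions constructed for illustration.

```python
# Added example: model of the --fail-on gate over merged SARIF output.
# ASSUMPTION: the level-to-tier mapping below is illustrative only; the
# tool's real tiering rules are not documented on this page.
TIER_RANK = {"GREEN": 0, "YELLOW": 1, "RED": 2}
LEVEL_TO_TIER = {"error": "RED", "warning": "YELLOW", "note": "GREEN", "none": "GREEN"}

def normalise(sarif_docs):
    """Merge one SARIF doc per engine into one list; same rule/file/line kept once."""
    seen, findings = set(), []
    for doc in sarif_docs:
        for run in doc.get("runs", []):
            engine = run["tool"]["driver"]["name"]
            for res in run.get("results", []):
                phys = res.get("locations", [{}])[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                key = (res.get("ruleId"), uri, line)
                if key in seen:
                    continue  # second engine reporting the same finding
                seen.add(key)
                tier = LEVEL_TO_TIER.get(res.get("level", "warning"), "YELLOW")
                findings.append({"engine": engine, "rule": key[0], "file": uri,
                                 "line": line, "tier": tier})
    return findings

def worst_tier(findings):
    """Highest tier present in the set, or None when there are no findings."""
    return max((f["tier"] for f in findings), key=TIER_RANK.get, default=None)

def exit_code(findings, fail_on="none"):
    """0 unless --fail-on is red or yellow and the worst finding reaches it."""
    if fail_on == "none" or not findings:
        return 0
    return 1 if TIER_RANK[worst_tier(findings)] >= TIER_RANK[fail_on.upper()] else 0

def _result(rule, level, uri, line):
    """Build a minimal SARIF result (constructed sample data)."""
    return {"ruleId": rule, "level": level, "message": {"text": rule},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed sample: two engines, one finding reported by both.
SAMPLE = [
    {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "engine-a"}},
        "results": [_result("hardcoded-secret", "error", "src/cfg.py", 12)]}]},
    {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "engine-b"}},
        "results": [_result("hardcoded-secret", "error", "src/cfg.py", 12),
                    _result("weak-hash", "warning", "src/auth.py", 40)]}]},
]
```

With the sample, `normalise(SAMPLE)` yields two findings (the duplicate is dropped), the worst tier is RED, and `exit_code(found, "red")` returns 1 while `exit_code(found, "none")` returns 0.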
## See also

- `av sast findings`: pull the consolidated findings the server holds for a project
- `av sast server-scan`: scan a project's connected repos on AlertaVuln's infrastructure (Enterprise)