Ship Faster with Security in Your Terminal
Introducing the Flowpatrol CLI — run security scans from your terminal with npm, pip, or brew. Probe any URL in 30 seconds, get findings with fixes, pipe to jq or SARIF.
You don't need a dashboard for this
You built something. It's live, or close to it. You want to check it before you share it with your team, your users, or that one friend who always finds the broken thing.
You could open a browser, log in, click through a dashboard. Or you could stay right where you are.
npx @flowpatrol/cli probe https://myapp.com
That's it. Thirty seconds later, you know where you stand.
One command, real answers
Here's what that looks like in your terminal:
$ npx @flowpatrol/cli probe https://myapp.com
Flowpatrol Probe — https://myapp.com
Scanning...
CRITICAL Supabase service role key in client bundle
/static/js/app-3fa8c1.js
Fix: Move this key to a server-side route or environment variable
without the NEXT_PUBLIC_ prefix.
HIGH Missing Row Level Security on 3 tables
users, projects, invoices
Fix: Enable RLS and add policies that scope rows to auth.uid().
MEDIUM No Content-Security-Policy header
All responses missing CSP
Fix: Add a Content-Security-Policy header in next.config.js
or your hosting platform's headers config.
3 findings (1 critical, 1 high, 1 medium)
Full report: https://flowpatrol.ai/reports/a3f8c1
Done in 28s.
Three findings. Each one tells you what's wrong, where it is, and how to fix it. No jargon. No 40-page report. Just the stuff that matters.
Install it your way
Pick whichever fits your stack:
# npm (works with npx too — no install needed)
npm install -g @flowpatrol/cli
# Python
pipx install flowpatrol
# macOS
brew install flowpatrol/tap/flowpatrol
All three give you the same flowpatrol command. All three stay up to date with the same scan engine that powers the web dashboard.
What can it do?
Three commands. Each one built for a different moment in your workflow.
probe — the 30-second check
Quick surface scan. Run it before a demo, before sharing a link, before pushing to production. It checks for exposed secrets, missing security headers, and the most common access control problems.
flowpatrol probe https://myapp.com
Think of it as a pre-flight checklist. Fast enough to run every time you deploy.
scan — the full test
Everything probe does, plus deep checks on authentication flows, API endpoints, database access controls, and session handling. This is the same scan you get from the web dashboard.
flowpatrol scan https://staging.myapp.com
Takes a few minutes depending on your app's size. Run it on staging before you merge to main. Run it on production after a big feature ships.
report — pull results in any format
Already ran a scan? Pull the results again in the format you need.
# JSON for scripting
flowpatrol report latest --format json
# SARIF for GitHub Security tab
flowpatrol report latest --format sarif
# Markdown for pasting into a PR
flowpatrol report latest --format markdown
No need to revisit the dashboard. Everything stays in your terminal.
Pipe it, script it, automate it
The CLI outputs structured JSON. That means it plays nice with everything else in your toolkit.
Filter findings with jq
# Show only critical and high findings
flowpatrol scan https://myapp.com --format json \
| jq '.findings[] | select(.severity == "critical" or .severity == "high")'
Export SARIF for CI
SARIF is the standard format GitHub uses for security alerts. Upload it and your findings show up in the Security tab, right next to Dependabot and CodeQL.
flowpatrol scan https://staging.myapp.com --format sarif > results.sarif
Use --quiet for scripts
Need a quick pass/fail in a deploy script? The --quiet flag suppresses all output and exits with a non-zero code if critical findings are present.
flowpatrol probe https://myapp.com --quiet
if [ $? -ne 0 ]; then
  echo "Security issues found. Blocking deploy."
  exit 1
fi
No parsing. No regex. Just an exit code.
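The jq filter and the --quiet exit-code check from the two sections above, folded into one small script as an added example (this is not code from the Flowpatrol CLI or from this post). It reads the CLI's JSON output from stdin and exits non-zero when any finding reaches a chosen severity threshold, so a deploy script can block on high as well as critical, and it does so with the standard library only, for CI images where jq is not installed. Only the `.findings[].severity` shape and the critical/high/medium labels come from the page; the `title` field, the low/info levels, and the sample report are constructed assumptions.

```python
"""Severity gate for Flowpatrol JSON output (added example, not the CLI's own code).

Usage:
    flowpatrol scan https://staging.myapp.com --format json | python gate.py high

Exit status is 1 when any finding is at or above the threshold, else 0.
"""
import json
import sys

# Assumed ordering, lowest to highest. Only critical/high/medium appear on the
# page; low/info are placeholders for a fuller scale.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample shaped like the page's jq example (`.findings[].severity`).
# The `title` key is an assumed field name.
SAMPLE_REPORT = {
    "findings": [
        {"severity": "critical", "title": "Service role key in client bundle"},
        {"severity": "high", "title": "Missing Row Level Security on 3 tables"},
        {"severity": "medium", "title": "No Content-Security-Policy header"},
    ]
}


def severity_rank(severity):
    """Number a severity label. Unknown labels rank above critical so a
    misspelled or newly introduced severity fails the gate rather than
    slipping past it."""
    try:
        return SEVERITY_ORDER.index(str(severity).lower())
    except ValueError:
        return len(SEVERITY_ORDER)


def findings_at_or_above(report, threshold):
    """Return the findings whose severity is at least `threshold`."""
    floor = severity_rank(threshold)
    return [
        f for f in report.get("findings", [])
        if severity_rank(f.get("severity", "")) >= floor
    ]


def summarize(findings):
    """Count findings per severity label, e.g. {'critical': 1, 'high': 1}."""
    counts = {}
    for f in findings:
        label = str(f.get("severity", "unknown")).lower()
        counts[label] = counts.get(label, 0) + 1
    return counts


def gate(report, threshold):
    """Exit code for a deploy script: 1 if anything reaches the threshold, else 0."""
    return 1 if findings_at_or_above(report, threshold) else 0


def main(argv):
    threshold = argv[1] if len(argv) > 1 else "critical"
    if threshold.lower() not in SEVERITY_ORDER:
        print(f"unknown threshold {threshold!r}; use one of {SEVERITY_ORDER}",
              file=sys.stderr)
        return 2
    report = json.load(sys.stdin)
    hits = findings_at_or_above(report, threshold)
    for f in hits:
        label = str(f.get("severity", "unknown")).upper()
        print(f"{label:9} {f.get('title', '(untitled)')}")
    print(f"{len(hits)} finding(s) at or above {threshold}: {summarize(hits)}")
    return gate(report, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The unknown-label rule is the deliberate choice here: a gate that treats an unrecognised severity as "not critical" would silently pass anything the scanner starts reporting under a new name, so the script fails closed instead.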
Pair it with the GitHub Action
The CLI is for your terminal. For automated PR scanning, there's flowpatrol/scan-action@v1.
# .github/workflows/security.yml
name: Security Scan
on: pull_request
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: flowpatrol/scan-action@v1
        with:
          target-url: ${{ vars.STAGING_URL }}
          api-key: ${{ secrets.FLOWPATROL_API_KEY }}
Every PR gets scanned. Findings show up as annotations on the diff. No extra steps, no manual checks.
The CLI and the Action use the same engine. Same findings, same formats, same fix suggestions. Use whichever fits the moment — or both.
Get started in 60 seconds
- Install the CLI. npm install -g @flowpatrol/cli (or pipx, or brew).
- Run your first probe. flowpatrol probe https://your-app.com — 30 seconds, no account needed for a free probe.
- Read the findings. Each one tells you what's wrong, where, and how to fix it. Start with the critical items.
- Fix and re-scan. Make the changes, run the probe again. Watch the finding count drop.
- Add it to your workflow. Put the --quiet flag in your deploy script. Add the GitHub Action to your repo. Make security checks as automatic as linting.
You turned an idea into a working app. The CLI makes sure it's solid before anyone else touches it. Install it. Run it. Ship with confidence.