Install the CLI. Probe any URL. Get a report in seconds — no browser, no dashboard, just your terminal.
npx @flowpatrol/cli probe https://myapp.com
npm install -g @flowpatrol/cli
Works on macOS, Linux, and WSL. Node 18+, Python 3.10+, or Homebrew.
flowpatrol probe <url>
Quick check in ~30 seconds. Hits the basics — headers, exposed endpoints, common misconfigs. Shows findings inline.
$ flowpatrol probe https://myapp.vercel.app
Probing https://myapp.vercel.app...
FINDINGS
critical Missing rate limiting on /api/auth/login
Allows brute-force attacks on user credentials.
high Sensitive data in server error response
Stack trace leaks internal file paths on 500 errors.
medium CORS allows any origin
Access-Control-Allow-Origin set to *.
low Missing Content-Security-Policy header
Done in 28s. 1 critical, 1 high, 1 medium, 1 low.
Pipe JSON output into jq. Aggregate findings across targets. Build your own dashboards.
flowpatrol scan https://app1.com --format json | jq '.findings[] | select(.severity == "critical")'
Combine with the GitHub Action for automated PR checks. Block merges on critical findings.
# .github/workflows/security.yml
- name: Security scan
  run: flowpatrol scan ${{ env.PREVIEW_URL }} --fail-on critical
Use --verbose to see exactly what gets checked. Every request, every test, every finding explained.
flowpatrol probe https://myapp.com --verbose
Human-readable for debugging. JSON for pipelines. SARIF for GitHub code scanning. Use --format to pick.
$ flowpatrol report fp_scan_a8f3c1
IDOR on GET /api/users/:id
Severity: critical | CWE-639
What we found:
Authenticated as user A, requested user B's profile.
Server returned user B's full record.
How to fix:
Add authorization check — verify req.user.id
matches the requested :id parameter.
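The fix named in the report above, shown as a vulnerable handler beside the hardened one. This is an added example, not Flowpatrol's code or output. The Express-style req/res shape, the USERS store and all function names are assumptions for illustration.

```javascript
// Constructed sample data: two users, matching the report's user A and user B.
const USERS = new Map([
  ["a", { id: "a", email: "a@example.test", apiKey: "key-a" }],
  ["b", { id: "b", email: "b@example.test", apiKey: "key-b" }],
]);

// Before: authentication only. Any logged-in user can read any :id (CWE-639).
function getUserVulnerable(req, res) {
  if (!req.user) return res.status(401).json({ error: "unauthenticated" });
  const record = USERS.get(req.params.id);
  if (!record) return res.status(404).json({ error: "not found" });
  return res.status(200).json(record);
}

// After: the report's fix. req.user.id must match the requested :id.
function getUserHardened(req, res) {
  if (!req.user) return res.status(401).json({ error: "unauthenticated" });
  // Normalise both sides to strings: the path segment is always a string,
  // while the id stored in the session may be a number.
  if (String(req.user.id) !== String(req.params.id)) {
    // Same response as a missing record, so the endpoint does not
    // reveal which ids exist.
    return res.status(404).json({ error: "not found" });
  }
  const record = USERS.get(req.params.id);
  if (!record) return res.status(404).json({ error: "not found" });
  return res.status(200).json(record);
}

// Minimal stand-in for an Express response object (assumption for the demo).
function mockRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Replays the report's request: authenticated as one user, asking for another.
function replay(handler, asUser, targetId) {
  const req = { user: asUser ? { id: asUser } : null, params: { id: targetId } };
  return handler(req, mockRes());
}
```

Calling replay(getUserVulnerable, "a", "b") reproduces the finding, and the same request against getUserHardened is refused. A regression test in this shape keeps the check from being dropped in a later refactor.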