CLI Setup
Install the Flowpatrol CLI and run your first security scan from the terminal.
The Flowpatrol CLI brings security scanning to your terminal. Same tools as the dashboard and MCP — probe, scan, report — but driven from the command line. Pipe output to other tools, run scans in scripts, or just stay in your terminal.
Installation
npm install -g @flowpatrol/clipipx install flowpatrolbrew install flowpatrol/tap/flowpatrolVerify the install:
flowpatrol --versionAuthentication
Get your API key
Go to Settings > API Keys in the dashboard. Click Create API Key, name it, and copy the full key.
You'll only see the full key once. Store it somewhere safe.
Set your key
The quickest way:
flowpatrol auth set-key fp_live_your_api_keyThis stores the key in ~/.config/flowpatrol/config.json. Alternatively, set an environment variable:
export FLOWPATROL_API_KEY=fp_live_your_api_keyThe env var takes precedence over the config file — useful for CI, containers, or per-project overrides.
Quick start
Run a Surface scan against your app:
flowpatrol surface https://myapp.vercel.appYou'll see output like this:
Flowpatrol Surface Scan — https://myapp.vercel.app
Scanning... done (1m 42s)
FINDINGS
HIGH Supabase anon key in JS bundle /static/js/main.a3f2c.js
HIGH RLS disabled on "profiles" table PostgREST API
MEDIUM Missing Content-Security-Policy header /
LOW X-Powered-By header exposes framework /
4 findings (2 high, 1 medium, 1 low)
Full details: https://flowpatrol.ai/scans/abc123That's it. Under two minutes from install to results.
Commands reference
| Command | Description | Cost |
|---|---|---|
flowpatrol surface <url> | Surface scan, 1 credit | 1 credit |
flowpatrol scan <url> | Deep scan, 5 credits | 5 credits |
flowpatrol report <scan-id> | Retrieve results from a previous scan | Free |
flowpatrol report <scan-id> --severity high,critical | Filter results by severity | Free |
flowpatrol status <scan-id> | Check if a scan is still running | Free |
flowpatrol auth set-key <key> | Store your API key locally | — |
flowpatrol auth whoami | Show the authenticated account | — |
Common flags
| Flag | Description | Applies to |
|---|---|---|
--format <fmt> | Output format: human, json, sarif | probe, scan, report |
--output <file> | Write results to a file instead of stdout | probe, scan, report |
--wait | Block until the scan completes (default for probe) | scan |
--no-wait | Start the scan and exit immediately | scan |
--severity <levels> | Filter findings: critical, high, medium, low | report |
Output formats
The CLI supports three output formats via the --format flag.
Human (default) — colored, readable output designed for terminals:
flowpatrol surface https://myapp.vercel.appJSON — structured output for scripts and pipelines:
flowpatrol surface https://myapp.vercel.app --format json{
"scan_id": "abc123",
"target": "https://myapp.vercel.app",
"status": "complete",
"findings": [
{
"severity": "high",
"title": "Supabase anon key in JS bundle",
"endpoint": "/static/js/main.a3f2c.js",
"cwe": "CWE-798"
}
],
"summary": { "critical": 0, "high": 2, "medium": 1, "low": 1 }
}SARIF — for GitHub Code Scanning, VS Code SARIF Viewer, and other SARIF-compatible tools:
flowpatrol surface https://myapp.vercel.app --format sarif --output results.sarifExit codes
| Code | Meaning |
|---|---|
0 | Scan completed with no findings |
1 | Scan completed with findings |
2 | Error (auth failure, network issue, invalid target) |
This makes it easy to gate deploys in scripts:
flowpatrol surface https://myapp.vercel.app --format json --output probe.json
if [ $? -eq 1 ]; then
echo "Security findings detected — check probe.json before deploying"
exit 1
fi
# Safe to deploy
vercel --prodConfiguration
The CLI reads config from two places, in order of precedence:
- Environment variables —
FLOWPATROL_API_KEY - Config file —
~/.config/flowpatrol/config.json
The config file looks like this:
{
"api_key": "fp_live_your_api_key",
"default_format": "human"
}You rarely need to edit it directly — flowpatrol auth set-key handles the API key, and --format overrides default_format per command.
Next steps
- Surface scan reference — full details on what the surface scan checks and how to interpret each finding
- Deep scan reference — auth testing, access control checks, and scan configuration
- GitHub Action — automate scans on every pull request