Getting Started

CLI Setup

Install the Flowpatrol CLI and run your first security scan from the terminal.

The Flowpatrol CLI brings security scanning to your terminal. Same tools as the dashboard and MCP — probe, scan, report — but driven from the command line. Pipe output to other tools, run scans in scripts, or just stay in your terminal.

Installation

Install with whichever of these package managers you already use (pick one):

npm install -g @flowpatrol/cli
pipx install flowpatrol
brew install flowpatrol/tap/flowpatrol

Verify the install:

flowpatrol --version

Authentication

Get your API key

Go to Settings > API Keys in the dashboard. Click Create API Key, name it, and copy the full key.

You'll only see the full key once. Store it somewhere safe.

Set your key

The quickest way:

flowpatrol auth set-key fp_live_your_api_key

This stores the key in ~/.config/flowpatrol/config.json. Note that a key passed as a command-line argument is also recorded in your shell history, so on a shared machine remove that history entry afterwards. Alternatively, set an environment variable:

export FLOWPATROL_API_KEY=fp_live_your_api_key

The env var takes precedence over the config file — useful for CI, containers, or per-project overrides.

Quick start

Run a probe against your app:

flowpatrol probe https://myapp.vercel.app

You'll see output like this:

Flowpatrol Probe — https://myapp.vercel.app

  Scanning... done (12s)

  FINDINGS

  HIGH   Supabase anon key in JS bundle         /static/js/main.a3f2c.js
  HIGH   RLS disabled on "profiles" table        PostgREST API
  MEDIUM Missing Content-Security-Policy header  /
  LOW    X-Powered-By header exposes framework   /

  4 findings (2 high, 1 medium, 1 low)
  Full details: https://app.flowpatrol.ai/scans/abc123

That's it. Twelve seconds from install to results.

Commands reference

Command                                               Description                                          Cost
flowpatrol probe <url>                                Quick surface-level security check                   1 credit
flowpatrol scan <url>                                 Full security scan with auth testing                 5 credits
flowpatrol scan <url> --deep                          Deep scan with multi-user IDOR and chained attacks   8 credits
flowpatrol report <scan-id>                           Retrieve results from a previous scan                Free
flowpatrol report <scan-id> --severity high,critical  Filter results by severity                           Free
flowpatrol status <scan-id>                           Check if a scan is still running                     Free
flowpatrol auth set-key <key>                         Store your API key locally
flowpatrol auth whoami                                Show the authenticated account

Common flags

Flag                  Description                                          Applies to
--format <fmt>        Output format: human, json, sarif                    probe, scan, report
--output <file>       Write results to a file instead of stdout            probe, scan, report
--wait                Block until the scan completes (default for probe)   scan
--no-wait             Start the scan and exit immediately                  scan
--severity <levels>   Filter findings: critical, high, medium, low         report

Output formats

The CLI supports three output formats via the --format flag.

Human (default) — colored, readable output designed for terminals:

flowpatrol probe https://myapp.vercel.app

JSON — structured output for scripts and pipelines:

flowpatrol probe https://myapp.vercel.app --format json
{
  "scan_id": "abc123",
  "target": "https://myapp.vercel.app",
  "status": "complete",
  "findings": [
    {
      "severity": "high",
      "title": "Supabase anon key in JS bundle",
      "endpoint": "/static/js/main.a3f2c.js",
      "cwe": "CWE-798"
    }
  ],
  "summary": { "critical": 0, "high": 2, "medium": 1, "low": 1 }
}

SARIF — for GitHub Code Scanning, VS Code SARIF Viewer, and other SARIF-compatible tools:

flowpatrol probe https://myapp.vercel.app --format sarif --output results.sarif

Exit codes

Code   Meaning
0      Scan completed with no findings
1      Scan completed with findings
2      Error (auth failure, network issue, invalid target)

This makes it easy to gate deploys in scripts:

deploy.sh
#!/usr/bin/env bash
# No `set -e` here: the probe's non-zero exit codes are the signal we branch on.
set -u

flowpatrol probe https://myapp.vercel.app --format json --output probe.json
status=$?

if [ "$status" -eq 1 ]; then
  echo "Security findings detected — check probe.json before deploying"
  exit 1
elif [ "$status" -ne 0 ]; then
  # Exit code 2 means the probe never produced a verdict (auth failure, network
  # issue, invalid target). Checking only for 1 would let an inconclusive scan
  # fall through to the deploy; fail closed instead.
  echo "Probe did not complete (exit $status); refusing to deploy"
  exit "$status"
fi

# Safe to deploy
vercel --prod
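The exit codes above fire on any finding, LOW included, and --severity only applies to report, so a pipeline that wants to block on high or critical findings but merely log the rest has to read the JSON output itself. The script below is an added example, not part of the Flowpatrol CLI or its documentation: it parses the shape documented under --format json (status, findings[], summary), applies a severity threshold, and returns a status that follows the CLI's own 0/1/2 convention. The threshold policy, the SEVERITY_RANK ordering, the function names and the sample document embedded inline are all this example's assumptions; the sample mirrors the quick-start findings and is constructed, not real scan output.

```python
"""Severity-threshold deploy gate over Flowpatrol probe/scan JSON.

Added example, not Flowpatrol's own code. Consumes the JSON shape the CLI
documents for --format json (scan_id, target, status, findings[], summary).
The threshold policy, rank order and sample document are assumptions.
"""
import json
import sys

# Assumed rank order for the threshold comparison; the docs list only the names.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the documented shape (not real scan output).
SAMPLE_PROBE_JSON = """
{
  "scan_id": "abc123",
  "target": "https://myapp.vercel.app",
  "status": "complete",
  "findings": [
    {"severity": "high", "title": "Supabase anon key in JS bundle",
     "endpoint": "/static/js/main.a3f2c.js", "cwe": "CWE-798"},
    {"severity": "high", "title": "RLS disabled on profiles table",
     "endpoint": "PostgREST API"},
    {"severity": "medium", "title": "Missing Content-Security-Policy header",
     "endpoint": "/"},
    {"severity": "low", "title": "X-Powered-By header exposes framework",
     "endpoint": "/"}
  ],
  "summary": {"critical": 0, "high": 2, "medium": 1, "low": 1}
}
"""


def load_report(text: str):
    """Parse a report; return None for anything that is not a JSON object."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError:
        return None
    return report if isinstance(report, dict) else None


def blocking_findings(report: dict, fail_on: str = "high") -> list:
    """Findings at or above the fail_on level.

    An unrecognised severity string counts as blocking, so a level the
    service adds later cannot slip through the gate unnoticed.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {fail_on!r}")
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for finding in report.get("findings", []):
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None or rank >= threshold:
            blocking.append(finding)
    return blocking


def gate(report_text: str, fail_on: str = "high") -> int:
    """Deploy verdict using the CLI's exit-code convention:
    0 nothing blocking, 1 blocking findings, 2 report unusable.

    A report whose status is not "complete" (still running, errored, or a
    truncated file) is 2, never 0: an inconclusive scan must fail closed.
    """
    report = load_report(report_text)
    if report is None or report.get("status") != "complete":
        return 2
    blocking = blocking_findings(report, fail_on)
    for finding in blocking:
        sev = str(finding.get("severity", "?")).upper()
        print(f"{sev:<8} {finding.get('title', '?')}  {finding.get('endpoint', '')}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # usage: python gate.py [probe.json] [threshold]; defaults: sample, "high"
    path = sys.argv[1] if len(sys.argv) > 1 else None
    level = sys.argv[2] if len(sys.argv) > 2 else "high"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_PROBE_JSON
    sys.exit(gate(text, level))
```

Run it after the probe as `python gate.py probe.json high` and branch on its exit status exactly as the deploy script does on the CLI's. The one design point worth keeping if you adapt it: any report that is not parseable or not status "complete" returns 2, so a scan that was started with --no-wait and read too early, or a file left over from a failed run, can never be mistaken for a clean result.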

Configuration

The CLI reads config from two places, in order of precedence:

  1. Environment variable: FLOWPATROL_API_KEY
  2. Config file: ~/.config/flowpatrol/config.json

The config file looks like this:

~/.config/flowpatrol/config.json
{
  "api_key": "fp_live_your_api_key",
  "default_format": "human"
}

You rarely need to edit it directly: flowpatrol auth set-key handles the API key, and --format overrides default_format per command. The file holds the key in plaintext, so keep it readable only by your own user (chmod 600 ~/.config/flowpatrol/config.json) and keep it out of dotfile repositories and container images.

Next steps

  • Probe reference — full details on what the probe checks and how to interpret each finding
  • Scan reference — auth testing, access control checks, and scan configuration
  • GitHub Action — automate scans on every pull request