CLI Reference

The HAVOC CLI (havoc) is the primary tool for running security scans locally and in CI. Install via npm: npm install -g @havoc/cli

havoc scan

havoc scan [path] [flags]

Runs a full security scan on your project. When run in CI with GITHUB_EVENT_NAME=pull_request, automatically switches to diff-aware mode and only parses changed files (while using cached coverage from the last full scan).

Arguments

Argument	Default	Description
path	`.`	Directory to scan. Defaults to current directory.

Flags

Flag	Type	Default	Description
--format	string	text	Output format: `text`, `json`, `sarif`, `github`
--output	string	stdout	Write output to a file instead of stdout
--min-severity	string	info	Minimum severity to report: `critical`, `high`, `medium`, `low`, `info`
--fail-on	string	high	Exit with code 1 if findings at or above this severity exist
--coverage-threshold	number	—	Fail if authorization coverage drops below this % (e.g. `80`)
--diff	boolean	auto	Force diff-aware mode (compares against baseline)
--full	boolean	false	Force full scan even in CI
--analyzer	string[]	all	Run specific analyzers only (comma-separated)
--exclude	string[]	—	Glob patterns to exclude from scanning
--config	string	.havoc.yml	Path to config file
--no-cloud	boolean	false	Skip uploading results to HAVOC Cloud
--quiet	boolean	false	Suppress progress output; only show findings

Examples

# Basic scan
havoc scan

# JSON output to file
havoc scan --format json --output havoc-results.json

# Only report high and above, fail the build
havoc scan --min-severity high --fail-on high

# Scan specific directory, exclude tests
havoc scan ./app --exclude "tests/**,database/**"

# Full scan with coverage threshold
havoc scan --full --coverage-threshold 85

# SARIF output for GitHub Code Scanning
havoc scan --format sarif --output results.sarif

havoc baseline

havoc baseline [subcommand] [flags]

Manage scan baselines. A baseline captures the current state of findings — subsequent diff-aware scans only report new findings introduced since the baseline.

Subcommands

Subcommand	Description
create	Create a new baseline from the current scan results
show	Display the current baseline
diff	Compare current scan against baseline without failing
clear	Remove the current baseline

Examples

# Scan and save as new baseline
havoc scan --full && havoc baseline create

# See what changed since last baseline
havoc baseline diff

# Show current baseline summary
havoc baseline show

havoc init

havoc init [flags]

Initializes HAVOC in your project. Creates a .havoc.yml config file with sensible defaults based on your detected framework version.

Flags

Flag	Default	Description
--force	false	Overwrite existing .havoc.yml
--interactive	true	Prompt for configuration options
--ci	false	Non-interactive mode with CI defaults

# Interactive init (recommended for first setup)
havoc init

# Silent init for CI bootstrap
havoc init --ci --force

havoc auth

havoc auth [subcommand]

Manage authentication with HAVOC Cloud.

Subcommand	Description
login	Authenticate with HAVOC Cloud via GitHub OAuth
logout	Remove stored credentials
status	Show current authentication status
token	Print API token (for CI use)

# Login (opens browser)
havoc auth login

# Check status
havoc auth status

# Get token for CI environment variable
havoc auth token

Global Flags

These flags work with all HAVOC commands:

Flag	Description
--version, -v	Print HAVOC CLI version
--help, -h	Show help for any command
--verbose	Enable verbose/debug output
--no-color	Disable colored output
--config	Override config file location

Exit codes

Code	Meaning
0	Scan completed, no findings above --fail-on threshold
1	Scan completed, findings at or above --fail-on threshold
2	Scan error (config error, parse error, etc.)
3	Coverage threshold not met (when --coverage-threshold set)