Package Exports
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (codeslick-cli) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
@codeslick/cli
CodeSlick CLI - Pre-commit security scanner for JavaScript, TypeScript, Python, and Java.
Catch security vulnerabilities before they enter your codebase with automated pre-commit scanning.
Features
- Local Security Scanning - No API calls required, fully offline
- Pre-commit Hook Integration - Automatically scans staged files before each commit
- Fast Analysis - <3s for 10 files using CodeSlick's analyzer engine
- Multi-language Support - JavaScript, TypeScript, Python, Java
- Configurable Thresholds - Block commits on CRITICAL, HIGH, MEDIUM, or LOW severity
- Beautiful Terminal Output - Color-coded results with CVSS scores and fix suggestions
- CI/CD Ready - JSON output mode for automation
- OWASP Top 10:2025 Compliant - 268 comprehensive security checks
Prerequisites
Git is required - CodeSlick CLI works with any git repository (local or remote):
# Initialize git in your project (if not already done)
git initNote: You do NOT need GitHub, GitLab, or any remote hosting. CodeSlick works with local git repositories, GitHub repositories, GitLab, Bitbucket, or any git-based workflow.
System Requirements:
- Node.js 18.0.0 or higher
- Git (any version)
- macOS, Linux, or Windows
Installation
Option 1: Use npx (Recommended - No Installation Required)
Run CodeSlick directly without installation:
npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scanBenefits:
- ✅ No permission issues
- ✅ Always runs latest version
- ✅ Works on all systems
- ✅ No global pollution
Option 2: Global Installation
npm install -g codeslick-cliAfter installation, you can use either codeslick or the shorter alias cs:
codeslick --version
# or
cs --versionBoth commands work identically. Use cs for faster typing!
Note: On macOS/Linux, you may encounter permission errors. See Troubleshooting for solutions.
Option 3: Local Installation (Per Project)
npm install --save-dev codeslick-cli
npx codeslick-cli initQuick Start
1. Make Sure You Have Git Initialized
cd your-project/
# If not already a git repository, initialize it first:
git init2. Initialize CodeSlick in Your Repository
npx codeslick-cli init
# or if you installed globally:
codeslick init # or: cs initThis will:
- Create
.codeslick.jsonconfiguration file - Install pre-commit hook in
.git/hooks/ - Configure automatic scanning
3. Configure Severity Threshold (Optional)
npx codeslick-cli config set severity critical # Block only CRITICAL issues
npx codeslick-cli config set severity high # Block HIGH+ issues (recommended)
npx codeslick-cli config set severity medium # Block MEDIUM+ issues (default)4. Commit as Usual
git add .
git commit -m "Add new feature"CodeSlick will automatically scan staged files. If vulnerabilities are found that meet your severity threshold, the commit will be blocked.
Commands
codeslick init
Initialize CodeSlick in your repository.
Usage:
codeslick init [options]Options:
--force, -f- Force re-initialization (overwrite existing config)--severity, -s <level>- Set default severity threshold (critical|high|medium|low)
Examples:
codeslick init # Initialize with defaults
codeslick init --force # Overwrite existing configuration
codeslick init --severity high # Initialize with HIGH severity thresholdcodeslick scan
Scan files for security vulnerabilities.
Usage:
codeslick scan [files...] [options]Options:
--all, -a- Scan all files in repository (overrides default staged-only behavior)--quick, -q- Quick scan - skip deep TypeScript type checking for speed--verbose, -v- Show all issues including MEDIUM and LOW (default: HIGH+ only)--severity, -s <level>- Override severity threshold (critical|high|medium|low)--fix- Auto-apply fixes where possible (experimental)--json- Output results as JSON (for CI/CD)
Default Behavior: Scans only staged files for fast pre-commit feedback.
Examples:
codeslick scan # Scan staged files (default)
codeslick scan --all # Scan entire repository
codeslick scan --quick # Fast scan (skip TypeScript type checking)
codeslick scan --verbose # Show all issues (including MEDIUM/LOW)
codeslick scan src/**/*.js # Scan specific files/patterns
codeslick scan --json # JSON output (for CI/CD)
codeslick scan --severity high # Temporarily override thresholdcodeslick config
Manage CodeSlick configuration.
Usage:
codeslick config <action> [key] [value]Actions:
list- Display all configuration valuesget <key>- Get a specific configuration valueset <key> <value>- Set a configuration value
Configuration Keys:
severity- Severity threshold (critical|high|medium|low)autofix- Enable/disable auto-fix (true|false)languages- Comma-separated list of languagesexclude- Comma-separated list of exclude patterns
Examples:
codeslick config list # Show all config
codeslick config get severity # Get current severity
codeslick config set severity critical # Set severity to CRITICAL only
codeslick config set autofix true # Enable auto-fix
codeslick config set languages js,ts,py # Enable only JS, TS, PythonCommand Aliases
If installed globally, you can use the shorter cs alias:
| Long Command | Short Alias | Description |
|---|---|---|
codeslick init |
cs init |
Initialize CodeSlick |
codeslick scan |
cs scan |
Scan files |
codeslick config |
cs config |
Manage config |
codeslick auth |
cs auth |
Authenticate |
codeslick --help |
cs --help |
Show help |
codeslick --version |
cs --version |
Show version |
Examples (global installation only):
# These only work after global installation:
codeslick scan --staged
cs scan --staged
# If using npx, use:
npx codeslick-cli scan --stagedNote: The codeslick and cs commands only work after global installation. If using npx, always use npx codeslick-cli <command>.
Configuration
The .codeslick.json file controls how CodeSlick scans your code.
Default Configuration
{
"version": "1.0",
"severity": "critical",
"autofix": false,
"exclude": [
"node_modules/**",
"dist/**",
"build/**",
"coverage/**",
"**/*.test.{js,ts}",
"**/*.spec.{js,ts}",
"**/test/**",
"**/tests/**"
],
"languages": ["javascript", "typescript", "python", "java"]
}Configuration Reference
| Key | Type | Default | Description |
|---|---|---|---|
version |
string | "1.0" |
Configuration version (do not modify) |
severity |
string | "critical" |
Severity threshold: critical, high, medium, low |
autofix |
boolean | false |
Enable auto-fix (experimental) |
exclude |
string[] | See above | Glob patterns to exclude from scanning |
languages |
string[] | All | Languages to scan: javascript, typescript, python, java |
telemetry |
boolean | true |
Enable anonymous usage analytics |
Severity Thresholds
| Threshold | Blocks On | Use Case |
|---|---|---|
critical |
CRITICAL only | Minimum protection (fastest) |
high |
CRITICAL + HIGH | Recommended for most projects |
medium |
CRITICAL + HIGH + MEDIUM | Strict security requirements |
low |
All issues | Maximum security (slowest) |
Security Checks
CodeSlick CLI uses the same analysis engine as the GitHub App and WebTool.
Coverage by Language
| Language | Security Checks | Key Detections |
|---|---|---|
| JavaScript | 28 checks | SQL injection, XSS, eval(), dangerous APIs |
| TypeScript | 56 checks | Type errors, property validation, AI code |
| Python | 47 checks | Django/Flask security, pickle, exec(), secrets |
| Java | 32 checks | Log4j, Spring Security, SQL injection, deserialization |
Total: 268 comprehensive security checks
OWASP Top 10:2025 Compliance
CodeSlick CLI is 95% compliant with OWASP Top 10:2025:
- A01:2025 - Broken Access Control
- A02:2025 - Cryptographic Failures
- A03:2025 - Injection
- A04:2025 - Insecure Design
- A05:2025 - Security Misconfiguration
- A06:2025 - Vulnerable and Outdated Components
- A07:2025 - Identification and Authentication Failures
- A08:2025 - Software and Data Integrity Failures
- A09:2025 - Security Logging and Monitoring Failures
- A10:2025 - Server-Side Request Forgery (SSRF)
CI/CD Integration
Use CodeSlick CLI in your CI/CD pipeline with JSON output mode.
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
codeslick:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 18
- run: npx codeslick-cli scan --json > results.json
- uses: actions/upload-artifact@v3
if: always()
with:
name: codeslick-results
path: results.jsonGitLab CI
codeslick:
image: node:18
script:
- npx codeslick-cli scan --json > results.json
artifacts:
when: always
paths:
- results.jsonJenkins
pipeline {
agent any
stages {
stage('Security Scan') {
steps {
sh 'npx codeslick-cli scan --json > results.json'
}
}
}
post {
always {
archiveArtifacts artifacts: 'results.json'
}
}
}Skipping the Pre-commit Hook
If you need to commit without scanning (not recommended):
git commit --no-verify -m "Emergency hotfix"Or temporarily disable:
rm .git/hooks/pre-commit
# Make your commits
codeslick init --force # Re-install hookTroubleshooting
"Not a git repository" error
Problem: Running codeslick init in a non-git directory.
Why this happens: CodeSlick CLI requires git to:
- Install pre-commit hooks in
.git/hooks/directory - Track staged files for scanning
- Work with your existing git workflow
Solution: Initialize git first:
# Initialize git in your project
git init
# Now run CodeSlick init
npx codeslick-cli initNote: You do NOT need GitHub or any remote repository. CodeSlick works with local git repositories.
"No staged files to scan" message
Problem: Running codeslick scan with no staged files.
Why this happens: By default, CodeSlick scans only staged files for fast pre-commit feedback.
Solutions:
# Option 1: Stage files first
git add <files>
codeslick scan
# Option 2: Scan entire repository
codeslick scan --all
# Option 3: Scan specific path
codeslick scan src/Pre-commit hook not running
Problem: Hook installed but not executing.
Solution: Ensure hook is executable (Unix):
chmod +x .git/hooks/pre-commitSolution: Re-install hook:
codeslick init --force"EACCES: permission denied" error on macOS/Linux
Problem: Permission denied when installing globally:
npm error code EACCES
npm error syscall mkdir
npm error path /usr/local/lib/node_modules/codeslick-cli✅ Solution 1 - Use npx (Recommended - No installation needed):
npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scanSolution 2 - Fix npm permissions (Best long-term):
mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
npm install -g codeslick-cliSolution 3 - Use sudo (Not recommended):
sudo npm install -g codeslick-cli"Command not found: codeslick" error
Problem: CLI not installed globally or not in PATH.
Solution: Install globally:
npm install -g codeslick-cliSolution: Use npx (no install required):
npx codeslick-cli init
npx codeslick-cli scanSlow scanning performance
Problem: Scanning takes >5s for small projects.
Solution: Exclude unnecessary directories:
codeslick config set exclude "node_modules/**,dist/**,coverage/**"Too many false positives
Problem: Legitimate code flagged as vulnerable.
Solution: Adjust severity threshold:
codeslick config set severity high # Only block HIGH+ issuesSolution: Exclude specific files:
codeslick config set exclude "test/**,migrations/**"Performance
Typical scan times on a 2020 MacBook Pro:
| Files | Languages | Time |
|---|---|---|
| 10 | Mixed | <3s |
| 50 | Mixed | <10s |
| 100 | Mixed | <20s |
| 500 | Mixed | <60s |
Comparison with Alternatives
| Tool | Local Scanning | Pre-commit Hook | Offline | Languages | OWASP 2025 |
|---|---|---|---|---|---|
| CodeSlick CLI | ✅ | ✅ | ✅ | 4 | 95% |
| Snyk CLI | ✅ | ✅ | ❌ (API required) | Many | Partial |
| SonarLint CLI | ✅ | ✅ | ✅ | Many | Partial |
| Semgrep | ✅ | ✅ | ✅ | Many | Partial |
| ESLint | ✅ | ✅ | ✅ | JS/TS only | No |
Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
License
MIT License - see LICENSE for details.
Support
- Website: https://codeslick.dev
- GitHub: https://github.com/VitorLourenco/codeslick2
- Issues: https://github.com/VitorLourenco/codeslick2/issues
- Email: support@codeslick.dev
What's New in v1.1
- Update Notifications - CLI notifies you when a new version is available
- Anonymous Telemetry - Usage stats for dashboard analytics (disable with
cs config set telemetry false) - Improved SSRF Detection - Internal API routes (
/api/...) no longer trigger false positives - Fixed Critical Sorting - CRITICAL issues now correctly appear first in reports
- Markdown Reports - Auto-generates detailed reports for large scans (>20 files or >30 issues)
v1.0 Features
- Staged Files by Default - Fast pre-commit scans (<1s for most commits)
- Quick Mode - Skip TypeScript type checking with
--quickfor even faster scans - Smart Output - Only shows CRITICAL and HIGH issues by default (use
--verbosefor all) - 268 Security Checks - OWASP Top 10:2025 compliant
Roadmap
v1.2 (Coming Soon)
- Custom rule configuration
- IDE integration (VS Code extension)
- Enhanced auto-fix support
Made with security in mind by CodeSlick https://codeslick.dev