@nreactive/cli
v0.2.0
Pre-deploy risk scanner for nreactive — `npx nreactive scan` packs your repo, posts it to /api/scan, and prints the top risks inline. CI-friendly with exit codes for GitHub Actions / GitLab CI.
nreactive
Pre-deploy risk scanner for nreactive. Catches bugs before they ship.
```sh
npx nreactive scan
```
That's it: no install, no signup. It packs the current repo, posts it to https://nreactive.com/api/scan, and prints the top risks inline.
Install
Zero-install with npx (above) is the easiest path. If you want nreactive on your $PATH:
```sh
npm i -g @nreactive/cli    # or
pnpm add -g @nreactive/cli # or
bun add -g @nreactive/cli
```
The package is published as `@nreactive/cli` but the binary it installs is named `nreactive`, so the command is the same either way:
```sh
nreactive scan
```
What it catches
The same classes of issues nreactive's runtime SDK reports post-deploy, but found by static analysis on your repo:
- Unhandled promise rejections / missing `await`
- Hardcoded secrets and credentials
- Missing input validation on routes
- Race conditions and shared-state bugs
- Mis-typed env access (`process.env.X` where `X` isn't declared)
- Common N+1 patterns
Findings come back with severity, file:line, a short description, and a suggested fix.
CI mode
```sh
npx nreactive scan --ci --min-severity high
```
Exits non-zero if any finding at or above --min-severity exists. Drop it into your pipeline:
```yaml
# .github/workflows/scan.yml
- run: npx nreactive scan --ci --min-severity high
```
In CI, supply the token through the NREACTIVE_TOKEN environment variable (populated from your CI secret store) rather than --token on the command line, so it does not end up in job logs or process listings.
Flags
| Flag | Default | Description |
|---|---|---|
| --endpoint | https://nreactive.com | Backend base URL. Override with NREACTIVE_ENDPOINT. |
| --token | (none) | Bearer token. First scan works anonymously; signed-in scans link to your dashboard. Override with NREACTIVE_TOKEN. |
| --ci | false | Exit non-zero on findings ≥ --min-severity. |
| --min-severity | high | One of critical, high, medium, low. |
| --max-bytes | 5000000 | Hard cap on the packed-repo size, in bytes; larger packs are rejected before upload. |
| --json | false | Emit the raw ScanResponse JSON on stdout (for piping into other tools). |
| --cwd | process.cwd() | Repository root to scan. |
Exit codes
| Code | Meaning |
|---|---|
| 0 | OK (or non-CI mode regardless of findings) |
| 1 | CI mode: findings ≥ --min-severity |
| 2 | Usage error (bad flag) |
| 3 | Network error reaching the backend |
| 70 | Internal error (file the issue at https://nreactive.com) |
The split lets CI distinguish "scanner found bugs" (1) from "scanner is broken" (3, 70), so a backend outage is not silently reported as a clean scan and not confused with a real finding.
How it works
- The repo is packed locally with Repomix (XML format, default ignore rules).
- The pack is POSTed to `{endpoint}/api/scan?mode=cli`.
- The backend runs the same analyzers that power the dashboard and returns a compact response (`scanId`, top risks, summary, optional `reportUrl`).
- Output is rendered with chalk; `--json` emits the raw response.
No code is stored unless you're signed in and explicitly opt in (your dashboard then tracks scan history). Anonymous scans are deleted after analysis. Note that everything the pack includes is sent to the backend in full, including any committed secrets the scanner later flags, so check that the ignore rules cover files you would not want leaving the machine before scanning a sensitive repo.
Wire contract
Public, stable across patch versions:
```ts
// POST {endpoint}/api/scan?mode=cli
type Severity = "critical" | "high" | "medium" | "low";

interface ScanRequest {
  pack: string;          // Repomix XML output
  meta: {
    cliVersion: string;
    repoName?: string;   // "owner/repo"
    branch?: string;
    commit?: string;
  };
}

interface Risk {
  id: string;
  severity: Severity;
  title: string;
  file?: string;
  line?: number;
  description: string;
  suggestedFix?: string;
}

interface ScanResponse {
  scanId: string;
  risks: Risk[];
  summary: { totalRisks: number; bySeverity: Partial<Record<Severity, number>> };
  reportUrl?: string;
}
```
Self-loop safety: every request carries the header `x-nreactive-self: 1` so the runtime SDK's HTTP-client integration skips it when both ship in the same project.
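The flags table says `--json` emits the raw ScanResponse for piping into other tools. The following is an added example of such a consumer, written for this page and not part of `@nreactive/cli`: it validates a response against the wire contract above, applies the same severity floor that `--ci` uses for its exit code, and turns each risk into a GitHub Actions annotation (`::error` / `::warning` workflow commands, escaped the way actions/toolkit does). The sample response is constructed for the example, and the annotation format is GitHub's, not nreactive's.

```typescript
// Added example (not part of @nreactive/cli): a consumer for `nreactive scan --json`.
// Types mirror the wire contract; SAMPLE_RESPONSE below is constructed, not a real scan.

type Severity = "critical" | "high" | "medium" | "low";

interface Risk {
  id: string;
  severity: Severity;
  title: string;
  file?: string;
  line?: number;
  description: string;
  suggestedFix?: string;
}

interface ScanResponse {
  scanId: string;
  risks: Risk[];
  summary: { totalRisks: number; bySeverity: Partial<Record<Severity, number>> };
  reportUrl?: string;
}

// Numeric rank so "at or above --min-severity" is a plain comparison.
const SEVERITY_RANK: Record<Severity, number> = { critical: 4, high: 3, medium: 2, low: 1 };

// Validate what we rely on before trusting the response: an unknown severity would
// otherwise rank as undefined and silently fall through the gate (fail open).
export function parseScanResponse(raw: string): ScanResponse {
  const parsed: unknown = JSON.parse(raw);
  if (typeof parsed !== "object" || parsed === null) {
    throw new Error("ScanResponse must be a JSON object");
  }
  const obj = parsed as Record<string, unknown>;
  if (typeof obj.scanId !== "string" || !Array.isArray(obj.risks)) {
    throw new Error("ScanResponse is missing scanId or risks");
  }
  for (const risk of obj.risks as Array<Record<string, unknown>>) {
    if (typeof risk.severity !== "string" || !(risk.severity in SEVERITY_RANK)) {
      throw new Error(`risk ${String(risk.id)} has unknown severity ${String(risk.severity)}`);
    }
  }
  return obj as unknown as ScanResponse;
}

// Risks at or above the floor, most severe first: the set that makes --ci exit 1.
export function gateRisks(resp: ScanResponse, minSeverity: Severity): Risk[] {
  const floor = SEVERITY_RANK[minSeverity];
  return resp.risks
    .filter((r) => SEVERITY_RANK[r.severity] >= floor)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

export function ciExitCode(resp: ScanResponse, minSeverity: Severity): 0 | 1 {
  return gateRisks(resp, minSeverity).length > 0 ? 1 : 0;
}

// Workflow commands are line-oriented; escape as actions/toolkit does
// (%, CR, LF in data; additionally ':' and ',' in property values).
function escapeData(s: string): string {
  return s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}
function escapeProperty(s: string): string {
  return escapeData(s).replace(/:/g, "%3A").replace(/,/g, "%2C");
}

// One annotation per risk: error if it would fail the gate, warning otherwise.
export function toGithubAnnotation(risk: Risk, minSeverity: Severity): string {
  const level = SEVERITY_RANK[risk.severity] >= SEVERITY_RANK[minSeverity] ? "error" : "warning";
  const props: string[] = [];
  if (risk.file) props.push(`file=${escapeProperty(risk.file)}`);
  if (risk.line !== undefined) props.push(`line=${risk.line}`);
  props.push(`title=${escapeProperty(`[${risk.severity}] ${risk.title}`)}`);
  const message = risk.suggestedFix ? `${risk.description} Fix: ${risk.suggestedFix}` : risk.description;
  return `::${level} ${props.join(",")}::${escapeData(message)}`;
}

export function renderReport(raw: string, minSeverity: Severity): { exitCode: 0 | 1; annotations: string[] } {
  const resp = parseScanResponse(raw);
  const ordered = [...resp.risks].sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { exitCode: ciExitCode(resp, minSeverity), annotations: ordered.map((r) => toGithubAnnotation(r, minSeverity)) };
}

// Constructed sample of what `--json` prints; the ':' in one title exercises property escaping.
export const SAMPLE_RESPONSE = JSON.stringify({
  scanId: "scan_example_0001",
  risks: [
    { id: "r1", severity: "high", title: "Hardcoded secret", file: "src/db.ts", line: 12,
      description: "AWS access key literal in source.", suggestedFix: "Load it from process.env.AWS_ACCESS_KEY_ID" },
    { id: "r2", severity: "low", title: "Missing await: sendMail()", file: "src/jobs.ts", line: 40,
      description: "Promise returned by sendMail() is never awaited." },
    { id: "r3", severity: "critical", title: "Missing input validation", file: "src/routes/user.ts", line: 7,
      description: "req.body is passed straight to the query builder." },
  ],
  summary: { totalRisks: 3, bySeverity: { critical: 1, high: 1, low: 1 } },
});

const demo = renderReport(SAMPLE_RESPONSE, "high");
for (const line of demo.annotations) console.log(line);
console.log(`exit code: ${demo.exitCode}`);
```

To wire it to a real run, feed `renderReport` the text from `npx nreactive scan --json` (for example via `fs.readFileSync(0, "utf8")` on stdin), print the annotations, and exit with the returned code; because the severity check is done on the parsed response rather than by trusting the CLI's own exit status, the same script also works with `--ci` off.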
Related packages
- `@nreactive/core`: runtime error capture (the reactive half).
- `@nreactive/express` / `@nreactive/fastify`: framework adapters.
License
PROPRIETARY. See LICENSE.
