codeslick-cli
v1.4.0
CodeSlick CLI tool for pre-commit security scanning with Terraform IaC support
@codeslick/cli
CodeSlick CLI - Pre-commit security scanner for JavaScript, TypeScript, Python, Java, Go, and Terraform.
Catch security vulnerabilities before they enter your codebase with automated pre-commit scanning.
Features
- Local Security Scanning - No API calls required, fully offline
- Pre-commit Hook Integration - Automatically scans staged files before each commit
- Fast Analysis - <3s for 10 files using CodeSlick's analyzer engine
- Multi-language Support - JavaScript, TypeScript, Python, Java, Go, Terraform
- IaC Security - Detects AWS misconfigurations in Terraform (S3, IAM, and more)
- Configurable Thresholds - Block commits on CRITICAL, HIGH, MEDIUM, or LOW severity
- Beautiful Terminal Output - Color-coded results with CVSS scores and fix suggestions
- CI/CD Ready - JSON output mode for automation
- OWASP Top 10:2025 Compliant - 304 comprehensive security checks
Prerequisites
Git is required - CodeSlick CLI works with any git repository (local or remote):
# Initialize git in your project (if not already done)
git init
Note: You do NOT need GitHub, GitLab, or any remote hosting. CodeSlick works with local git repositories, GitHub repositories, GitLab, Bitbucket, or any git-based workflow.
System Requirements:
- Node.js 18.0.0 or higher
- Git (any version)
- macOS, Linux, or Windows
Installation
Option 1: Use npx (Recommended - No Installation Required)
Run CodeSlick directly without installation:
npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan
Benefits:
- ✅ No permission issues
- ✅ Always runs latest version
- ✅ Works on all systems
- ✅ No global pollution
Option 2: Global Installation
npm install -g codeslick-cli
After installation, you can use either codeslick or the shorter alias cs:
codeslick --version
# or
cs --version
Both commands work identically. Use cs for faster typing!
Note: On macOS/Linux, you may encounter permission errors. See Troubleshooting for solutions.
Option 3: Local Installation (Per Project)
npm install --save-dev codeslick-cli
npx codeslick-cli init
Quick Start
1. Make Sure You Have Git Initialized
cd your-project/
# If not already a git repository, initialize it first:
git init
2. Initialize CodeSlick in Your Repository
npx codeslick-cli init
# or if you installed globally:
codeslick init # or: cs init
This will:
- Create .codeslick.json configuration file
- Install pre-commit hook in .git/hooks/
- Configure automatic scanning
3. Configure Severity Threshold (Optional)
npx codeslick-cli config set severity critical # Block only CRITICAL issues
npx codeslick-cli config set severity high # Block HIGH+ issues (recommended)
npx codeslick-cli config set severity medium # Block MEDIUM+ issues (default)
4. Commit as Usual
git add .
git commit -m "Add new feature"
CodeSlick will automatically scan staged files. If vulnerabilities are found that meet your severity threshold, the commit will be blocked.
Commands
codeslick init
Initialize CodeSlick in your repository.
Usage:
codeslick init [options]
Options:
- --force, -f - Force re-initialization (overwrite existing config)
- --severity, -s <level> - Set default severity threshold (critical|high|medium|low)
Examples:
codeslick init # Initialize with defaults
codeslick init --force # Overwrite existing configuration
codeslick init --severity high # Initialize with HIGH severity threshold
codeslick scan
Scan files for security vulnerabilities.
Usage:
codeslick scan [files...] [options]
Options:
- --all, -a - Scan all files in repository (overrides default staged-only behavior)
- --quick, -q - Quick scan - skip deep TypeScript type checking for speed
- --verbose, -v - Show all issues including MEDIUM and LOW (default: HIGH+ only)
- --severity, -s <level> - Override severity threshold (critical|high|medium|low)
- --fix - Auto-apply fixes where possible (experimental)
- --json - Output results as JSON (for CI/CD)
- --verify - NEW: Run security scan + tests (combined pass/fail) ⭐
- --test-command <cmd> - Custom test command (e.g., "npm test", "pytest")
Default Behavior: Scans only staged files for fast pre-commit feedback.
Examples:
codeslick scan # Scan staged files (default)
codeslick scan --all # Scan entire repository
codeslick scan --quick # Fast scan (skip TypeScript type checking)
codeslick scan --verbose # Show all issues (including MEDIUM/LOW)
codeslick scan src/**/*.js # Scan specific files/patterns
codeslick scan --json # JSON output (for CI/CD)
codeslick scan --severity high # Temporarily override threshold
# NEW: Test Execution Integration (v1.3)
codeslick scan --verify # Run security scan + tests (both must pass)
codeslick scan --verify --test-command "pytest --cov" # Custom test command
codeslick config
Manage CodeSlick configuration.
Usage:
codeslick config <action> [key] [value]
Actions:
- list - Display all configuration values
- get <key> - Get a specific configuration value
- set <key> <value> - Set a configuration value
Configuration Keys:
- severity - Severity threshold (critical|high|medium|low)
- autofix - Enable/disable auto-fix (true|false)
- languages - Comma-separated list of languages
- exclude - Comma-separated list of exclude patterns
Examples:
codeslick config list # Show all config
codeslick config get severity # Get current severity
codeslick config set severity critical # Set severity to CRITICAL only
codeslick config set autofix true # Enable auto-fix
codeslick config set languages js,ts,py # Enable only JS, TS, Python
Command Aliases
If installed globally, you can use the shorter cs alias:
| Long Command | Short Alias | Description |
|--------------|-------------|-------------|
| codeslick init | cs init | Initialize CodeSlick |
| codeslick scan | cs scan | Scan files |
| codeslick config | cs config | Manage config |
| codeslick auth | cs auth | Authenticate |
| codeslick --help | cs --help | Show help |
| codeslick --version | cs --version | Show version |
Examples (global installation only):
# These only work after global installation:
codeslick scan --staged
cs scan --staged
# If using npx, use:
npx codeslick-cli scan --staged
Note: The codeslick and cs commands only work after global installation. If using npx, always use npx codeslick-cli <command>.
Configuration
The .codeslick.json file controls how CodeSlick scans your code.
Default Configuration
{
"version": "1.0",
"severity": "critical",
"autofix": false,
"exclude": [
"node_modules/**",
"dist/**",
"build/**",
"coverage/**",
"**/*.test.{js,ts}",
"**/*.spec.{js,ts}",
"**/test/**",
"**/tests/**"
],
"languages": ["javascript", "typescript", "python", "java", "go", "terraform"],
// NEW: Pass/Fail Thresholds (v1.3)
"thresholdEnabled": true,
"thresholdBlockCritical": true,
"thresholdBlockHigh": false,
"thresholdMaxVulnerabilities": 50,
"thresholdMaxEpss": 70,
"thresholdExemptPaths": ["**/__tests__/**", "vendor/**"],
// NEW: Test Execution Integration (v1.3)
"testCommand": "npm test",
"testTimeout": 300000
}
Configuration Reference
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| version | string | "1.0" | Configuration version (do not modify) |
| severity | string | "critical" | Severity threshold: critical, high, medium, low |
| autofix | boolean | false | Enable auto-fix (experimental) |
| exclude | string[] | See above | Glob patterns to exclude from scanning |
| languages | string[] | All | Languages to scan: javascript, typescript, python, java, go, terraform |
| telemetry | boolean | true | Enable anonymous usage analytics |
| Thresholds (v1.3) | | | |
| thresholdEnabled | boolean | true | Enable pass/fail threshold enforcement |
| thresholdBlockCritical | boolean | true | Block on CRITICAL vulnerabilities |
| thresholdBlockHigh | boolean | false | Block on HIGH severity vulnerabilities |
| thresholdMaxVulnerabilities | number | 50 | Max total vulnerabilities allowed |
| thresholdMaxEpss | number | 70 | Max EPSS score (0-100, exploitability %) |
| thresholdExemptPaths | string[] | [] | Glob patterns exempt from thresholds |
| Test Execution (v1.3) | | | |
| testCommand | string | Auto-detect | Test command to run with --verify flag |
| testTimeout | number | 300000 | Test execution timeout (milliseconds) |
Severity Thresholds
| Threshold | Blocks On | Use Case |
|-----------|-----------|----------|
| critical | CRITICAL only | Minimum protection (fastest) |
| high | CRITICAL + HIGH | Recommended for most projects |
| medium | CRITICAL + HIGH + MEDIUM | Strict security requirements |
| low | All issues | Maximum security (slowest) |
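To make the configuration keys and the severity table above concrete, here is an added illustration (not CodeSlick's own code) of the decisions a pre-commit hook makes from a .codeslick.json: which staged files are in scope (the "languages" and "exclude" keys), whether a finding is at or above the "severity" threshold, and whether the v1.3 threshold* keys block the commit after "thresholdExemptPaths" are removed. The finding shape ({ file, severity, epss }), the extension-to-language mapping and the sample staged files and findings are assumptions constructed for the example; how the tool itself combines "severity" with the threshold* keys is not documented here, so the example reports each as a separate reason.

```javascript
// Added illustration, not CodeSlick's own code: hook-side decisions derived
// from the .codeslick.json keys in the README. The finding shape
// { file, severity, epss } and the EXT_LANGUAGE mapping are assumptions.

const SEVERITY_RANK = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Assumed mapping from file extension to the names used by the "languages" key.
const EXT_LANGUAGE = {
  ".js": "javascript", ".mjs": "javascript", ".cjs": "javascript",
  ".ts": "typescript", ".tsx": "typescript",
  ".py": "python", ".java": "java", ".go": "go", ".tf": "terraform",
};

function escapeRe(s) {
  return s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
}

// Minimal glob -> RegExp: "**" spans directories, "*" and "?" stay inside one
// path segment, "{a,b}" is alternation. Enough for the patterns in the README.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } // "**/" = zero or more dirs
      else { re += ".*"; i += 1; }
    } else if (c === "*") {
      re += "[^/]*";
    } else if (c === "?") {
      re += "[^/]";
    } else if (c === "{") {
      const end = glob.indexOf("}", i);
      re += "(?:" + glob.slice(i + 1, end).split(",").map(escapeRe).join("|") + ")";
      i = end;
    } else {
      re += escapeRe(c);
    }
  }
  return new RegExp("^" + re + "$");
}

function matchesAny(path, globs) {
  return globs.some((g) => globToRegExp(g).test(path));
}

// Staged files the hook would hand to the scanner: known language, enabled, not excluded.
function selectFiles(stagedFiles, config) {
  return stagedFiles.filter((file) => {
    const lang = EXT_LANGUAGE[file.slice(file.lastIndexOf("."))];
    return Boolean(lang) && config.languages.includes(lang) && !matchesAny(file, config.exclude);
  });
}

// Severity-threshold table: a finding blocks when its severity is at or above the threshold.
function severityBlocks(threshold, severity) {
  return SEVERITY_RANK[severity.toUpperCase()] >= SEVERITY_RANK[threshold.toUpperCase()];
}

// v1.3 thresholds: exempt paths are dropped before anything is counted.
// Returns every reason the commit would be blocked; pass === true when there are none.
function evaluateThresholds(config, findings) {
  const reasons = [];
  const counted = findings.filter((f) => !matchesAny(f.file, config.thresholdExemptPaths || []));
  const bySeverity = counted.filter((f) => severityBlocks(config.severity, f.severity)).length;
  if (bySeverity > 0) reasons.push(`${bySeverity} issue(s) at or above ${config.severity.toUpperCase()}`);
  if (config.thresholdEnabled) {
    const critical = counted.filter((f) => f.severity === "CRITICAL").length;
    const high = counted.filter((f) => f.severity === "HIGH").length;
    if (config.thresholdBlockCritical && critical > 0) reasons.push(`${critical} CRITICAL finding(s)`);
    if (config.thresholdBlockHigh && high > 0) reasons.push(`${high} HIGH finding(s)`);
    if (counted.length > config.thresholdMaxVulnerabilities) {
      reasons.push(`${counted.length} findings exceed thresholdMaxVulnerabilities=${config.thresholdMaxVulnerabilities}`);
    }
    const worstEpss = counted.reduce((m, f) => Math.max(m, f.epss || 0), 0);
    if (worstEpss > config.thresholdMaxEpss) reasons.push(`EPSS ${worstEpss} exceeds thresholdMaxEpss=${config.thresholdMaxEpss}`);
  }
  return { pass: reasons.length === 0, reasons, exitCode: reasons.length === 0 ? 0 : 1 };
}

// Default configuration values from the README, plus constructed sample inputs.
const DEFAULT_CONFIG = {
  severity: "critical",
  exclude: ["node_modules/**", "dist/**", "build/**", "coverage/**",
    "**/*.test.{js,ts}", "**/*.spec.{js,ts}", "**/test/**", "**/tests/**"],
  languages: ["javascript", "typescript", "python", "java", "go", "terraform"],
  thresholdEnabled: true, thresholdBlockCritical: true, thresholdBlockHigh: false,
  thresholdMaxVulnerabilities: 50, thresholdMaxEpss: 70,
  thresholdExemptPaths: ["**/__tests__/**", "vendor/**"],
};
const SAMPLE_STAGED = ["src/db.js", "src/db.test.js", "node_modules/x/index.js", "infra/main.tf", "README.md", "src/api.ts"]; // constructed
const SAMPLE_FINDINGS = [ // constructed
  { file: "src/db.js", severity: "CRITICAL", epss: 85 },
  { file: "src/api.ts", severity: "HIGH", epss: 40 },
  { file: "vendor/lib.js", severity: "CRITICAL", epss: 90 },
  { file: "src/__tests__/db.test.js", severity: "MEDIUM", epss: 10 },
];

console.log(selectFiles(SAMPLE_STAGED, DEFAULT_CONFIG));
console.log(evaluateThresholds(DEFAULT_CONFIG, SAMPLE_FINDINGS));
```

With the README defaults the sample blocks for three reasons: one finding at or above the "critical" severity threshold, one CRITICAL finding under thresholdBlockCritical, and an EPSS of 85 above thresholdMaxEpss=70; the vendor/ and __tests__/ findings are never counted because they match thresholdExemptPaths. Setting thresholdBlockHigh to true adds the HIGH finding as a fourth reason.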
Security Checks
CodeSlick CLI uses the same analysis engine as the GitHub App and WebTool.
Coverage by Language
| Language | Security Checks | Key Detections |
|----------|-----------------|----------------|
| JavaScript | 28 checks | SQL injection, XSS, eval(), dangerous APIs |
| TypeScript | 56 checks | Type errors, property validation, AI code |
| Python | 47 checks | Django/Flask security, pickle, exec(), secrets |
| Java | 32 checks | Log4j, Spring Security, SQL injection, deserialization |
| Go | 26 checks | SQL injection, command injection, TLS misconfig, race conditions |
| Terraform | 10 checks | S3 public ACL, IAM wildcards, encryption, versioning, logging |
Total: 304 comprehensive security checks
OWASP Top 10:2025 Compliance
CodeSlick CLI is 95% compliant with OWASP Top 10:2025:
- A01:2025 - Broken Access Control
- A02:2025 - Cryptographic Failures
- A03:2025 - Injection
- A04:2025 - Insecure Design
- A05:2025 - Security Misconfiguration
- A06:2025 - Vulnerable and Outdated Components
- A07:2025 - Identification and Authentication Failures
- A08:2025 - Software and Data Integrity Failures
- A09:2025 - Security Logging and Monitoring Failures
- A10:2025 - Server-Side Request Forgery (SSRF)
CI/CD Integration
Use CodeSlick CLI in your CI/CD pipeline with JSON output mode.
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
codeslick:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 18
# Option 1: Security scan only
- run: npx codeslick-cli scan --json > results.json
# Option 2: Security scan + tests (v1.3) ⭐
- run: npx codeslick-cli scan --verify
- uses: actions/upload-artifact@v3
if: always()
with:
name: codeslick-results
path: results.json
GitLab CI
codeslick:
image: node:18
script:
- npx codeslick-cli scan --json > results.json
artifacts:
when: always
paths:
- results.json
Jenkins
pipeline {
agent any
stages {
stage('Security Scan') {
steps {
sh 'npx codeslick-cli scan --json > results.json'
}
}
}
post {
always {
archiveArtifacts artifacts: 'results.json'
}
}
}
Skipping the Pre-commit Hook
If you need to commit without scanning (not recommended):
git commit --no-verify -m "Emergency hotfix"
Or temporarily disable:
rm .git/hooks/pre-commit
# Make your commits
codeslick init --force # Re-install hook
Troubleshooting
"Not a git repository" error
Problem: Running codeslick init in a non-git directory.
Why this happens: CodeSlick CLI requires git to:
- Install pre-commit hooks in .git/hooks/ directory
- Track staged files for scanning
- Work with your existing git workflow
Solution: Initialize git first:
# Initialize git in your project
git init
# Now run CodeSlick init
npx codeslick-cli init
Note: You do NOT need GitHub or any remote repository. CodeSlick works with local git repositories.
"No staged files to scan" message
Problem: Running codeslick scan with no staged files.
Why this happens: By default, CodeSlick scans only staged files for fast pre-commit feedback.
Solutions:
# Option 1: Stage files first
git add <files>
codeslick scan
# Option 2: Scan entire repository
codeslick scan --all
# Option 3: Scan specific path
codeslick scan src/
Pre-commit hook not running
Problem: Hook installed but not executing.
Solution: Ensure hook is executable (Unix):
chmod +x .git/hooks/pre-commit
Solution: Re-install hook:
codeslick init --force
"EACCES: permission denied" error on macOS/Linux
Problem: Permission denied when installing globally:
npm error code EACCES
npm error syscall mkdir
npm error path /usr/local/lib/node_modules/codeslick-cli
✅ Solution 1 - Use npx (Recommended - No installation needed):
npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan
Solution 2 - Fix npm permissions (Best long-term):
mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
npm install -g codeslick-cli
Solution 3 - Use sudo (Not recommended):
sudo npm install -g codeslick-cli
"Command not found: codeslick" error
Problem: CLI not installed globally or not in PATH.
Solution: Install globally:
npm install -g codeslick-cli
Solution: Use npx (no install required):
npx codeslick-cli init
npx codeslick-cli scan
Slow scanning performance
Problem: Scanning takes >5s for small projects.
Solution: Exclude unnecessary directories:
codeslick config set exclude "node_modules/**,dist/**,coverage/**"
Too many false positives
Problem: Legitimate code flagged as vulnerable.
Solution: Adjust severity threshold:
codeslick config set severity high # Only block HIGH+ issues
Solution: Exclude specific files:
codeslick config set exclude "test/**,migrations/**"
Performance
Typical scan times on a 2020 MacBook Pro:
| Files | Languages | Time |
|-------|-----------|------|
| 10 | Mixed | <3s |
| 50 | Mixed | <10s |
| 100 | Mixed | <20s |
| 500 | Mixed | <60s |
Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
License
MIT License - see LICENSE for details.
Support
- Website: https://codeslick.dev
- GitHub: https://github.com/VitorLourenco/codeslick2
- Issues: https://github.com/VitorLourenco/codeslick2/issues
- Email: [email protected]
What's New in v1.4 🚀
Terraform IaC Security Scanning (February 2026)
- Terraform Language Support - Full Infrastructure as Code security analysis
- 10 AWS Security Checks - S3 buckets (public ACL, encryption, versioning, logging) + IAM policies (wildcard actions/resources, privilege escalation)
- Multiline HCL Parsing - Correctly handles multiline jsonencode() and nested objects
- OWASP A01:2021 Compliance - Detects Broken Access Control in cloud infrastructure
- Pre-commit IaC Validation - Block insecure Terraform before deployment
- 304 Total Security Checks - Now supporting 6 languages
Example:
cs scan infrastructure/*.tf
# ✖ CRITICAL: S3 bucket has public ACL: "public-read"
# ✖ CRITICAL: IAM policy allows wildcard actions (Action: "*")
# ⚠ HIGH: S3 bucket does not have encryption enabled
# Exit code: 1 (blocked - 3 critical issues)
Detected Terraform Vulnerabilities
| Check | Severity | OWASP | Description |
|-------|----------|-------|-------------|
| S3 Public ACL | CRITICAL | A01:2021 | Detects acl = "public-read" |
| S3 Encryption | HIGH | A02:2021 | Missing server-side encryption |
| S3 Versioning | MEDIUM | A09:2021 | No versioning enabled |
| S3 Logging | MEDIUM | A09:2021 | No access logs |
| IAM Wildcard Actions | CRITICAL | A01:2021 | Action = "*" detected |
| IAM Wildcard Resources | HIGH | A01:2021 | Resource = "*" detected |
| IAM Admin Policy | CRITICAL | A01:2021 | AdministratorAccess equivalent |
| IAM Privilege Escalation | CRITICAL | A01:2021 | Can grant self permissions |
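As an added example of how three of the checks in this table can be detected (S3 Public ACL, IAM Wildcard Actions, IAM Wildcard Resources), the following is a minimal detector written for this README, not CodeSlick's analyzer engine. It splits a .tf file into top-level resource blocks by brace matching, which is what lets a multiline jsonencode({ ... }) policy stay attached to its resource, and then applies one regular expression per check. The sample Terraform is constructed for the example; the other checks in the table (encryption, versioning, logging, admin policy, privilege escalation) are not implemented, and braces inside strings or comments are not understood.

```javascript
// Added example, not CodeSlick's analyzer: detects S3 Public ACL, IAM Wildcard
// Actions and IAM Wildcard Resources in Terraform source. Resource blocks are
// found by brace matching so a multiline jsonencode({ ... }) stays inside its
// resource. Limitation: braces inside strings or comments are not understood.

// Constructed sample: one public bucket, one wildcard IAM policy, one clean bucket.
const SAMPLE_TF = `resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_iam_policy" "deploy" {
  name   = "deploy"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "*"
      Resource = "*"
    }]
  })
}

resource "aws_s3_bucket" "private" {
  bucket = "example-private"
  acl    = "private"
}
`;

const SEVERITY_ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };

// 1-based line number of a character offset.
function lineOf(text, offset) {
  return text.slice(0, offset).split("\n").length;
}

// Top-level resource blocks as { type, name, body, line }.
function extractResources(hcl) {
  const resources = [];
  const header = /resource\s+"([^"]+)"\s+"([^"]+)"\s*\{/g;
  let m;
  while ((m = header.exec(hcl)) !== null) {
    let depth = 1;
    let i = header.lastIndex;
    while (i < hcl.length && depth > 0) {   // walk to the matching closing brace
      if (hcl[i] === "{") depth += 1;
      else if (hcl[i] === "}") depth -= 1;
      i += 1;
    }
    resources.push({ type: m[1], name: m[2], body: hcl.slice(header.lastIndex, i - 1), line: lineOf(hcl, m.index) });
    header.lastIndex = i; // resume the search after this block
  }
  return resources;
}

// Each rule returns a message when it fires, otherwise a falsy value.
const RULES = [
  {
    check: "S3 Public ACL", severity: "CRITICAL", owasp: "A01:2021",
    applies: (r) => r.type === "aws_s3_bucket" || r.type === "aws_s3_bucket_acl",
    test: (r) => { const m = r.body.match(/\bacl\s*=\s*"(public-read(?:-write)?)"/); return m && `S3 bucket has public ACL: "${m[1]}"`; },
  },
  {
    check: "IAM Wildcard Actions", severity: "CRITICAL", owasp: "A01:2021",
    applies: (r) => r.type.startsWith("aws_iam_"),
    // HCL object syntax (Action = "*"), JSON string syntax ("Action": "*") and single-element lists (["*"])
    test: (r) => /"?Action"?\s*[:=]\s*\[?\s*"\*"/.test(r.body) && 'IAM policy allows wildcard actions (Action: "*")',
  },
  {
    check: "IAM Wildcard Resources", severity: "HIGH", owasp: "A01:2021",
    applies: (r) => r.type.startsWith("aws_iam_"),
    test: (r) => /"?Resource"?\s*[:=]\s*\[?\s*"\*"/.test(r.body) && 'IAM policy applies to all resources (Resource: "*")',
  },
];

// Scan Terraform source text; CRITICAL findings come first, then by line.
function scanTerraform(hcl) {
  const findings = [];
  for (const r of extractResources(hcl)) {
    for (const rule of RULES) {
      if (!rule.applies(r)) continue;
      const message = rule.test(r);
      if (message) {
        findings.push({ check: rule.check, severity: rule.severity, owasp: rule.owasp,
          resource: `${r.type}.${r.name}`, line: r.line, message });
      }
    }
  }
  return findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity] || a.line - b.line);
}

// Exit status a hook would return: 1 when any finding is at or above the threshold.
function exitCodeFor(findings, threshold) {
  const limit = SEVERITY_ORDER[threshold.toUpperCase()];
  return findings.some((f) => SEVERITY_ORDER[f.severity] <= limit) ? 1 : 0;
}

for (const f of scanTerraform(SAMPLE_TF)) {
  console.log(`${f.severity}: ${f.message} (${f.resource}, line ${f.line})`);
}
```

On the sample the scan reports two CRITICAL findings (the public-read ACL on aws_s3_bucket.logs and the wildcard Action in aws_iam_policy.deploy) followed by one HIGH (the wildcard Resource); the private bucket produces nothing, and with a "critical" threshold the exit code is 1.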
What's New in v1.3 ⭐
Pass/Fail Thresholds + Test Execution Integration (February 2026)
- --verify Flag - Run security scan + tests in one command (both must pass)
- Granular Thresholds - Configure exactly what blocks commits (CRITICAL only, HIGH+, max count, EPSS score)
- Path Exemptions - Exclude test files, vendor code, docs from threshold enforcement
- Auto-Detect Test Frameworks - Supports npm test, pytest, go test, maven, gradle
- Combined Pass/Fail - Exit code 0 only if BOTH security AND tests pass
- CLI Default: Enabled - Thresholds enforce by default (configurable in .codeslick.json)
Example:
cs scan --verify # Run security scan + tests
# ✓ Analyzed 50 files (0 CRITICAL)
# ✓ Tests passed (127 tests, 0 failures)
# Exit code: 0 (commit allowed)
v1.2 Features
- Go Language Support - Added comprehensive Go security analysis with 26 security checks
- AI-Generated Code Detection - Detects AI hallucinations and code smells in Go code
- 294 Total Security Checks - Now supporting 5 languages (JavaScript, TypeScript, Python, Java, Go)
- Race Condition Detection - Go-specific concurrency vulnerability detection
- TLS Security Checks - Detects InsecureSkipVerify and weak TLS configurations in Go
v1.1 Features
- Update Notifications - CLI notifies you when a new version is available
- Anonymous Telemetry - Usage stats for dashboard analytics (disable with cs config set telemetry false)
- Improved SSRF Detection - Internal API routes (/api/...) no longer trigger false positives
- Fixed Critical Sorting - CRITICAL issues now correctly appear first in reports
- Markdown Reports - Auto-generates detailed reports for large scans (>20 files or >30 issues)
v1.0 Features
- Staged Files by Default - Fast pre-commit scans (<1s for most commits)
- Quick Mode - Skip TypeScript type checking with --quick for even faster scans
- Smart Output - Only shows CRITICAL and HIGH issues by default (use --verbose for all)
- 294 Security Checks - OWASP Top 10:2025 compliant
Roadmap
v1.5 (Coming Q2 2026)
- More Terraform Providers - Azure (azurerm_), GCP (google_) resources
- Expanded IaC Coverage - EC2, RDS, Lambda, VPC security checks (15+ new)
- Custom Rule Configuration - Define your own security rules via YAML/JSON
- IDE Integration - VS Code extension with inline security hints
- Enhanced Auto-fix - More intelligent fix suggestions for complex issues
- Smart Exemptions - ML-based false positive detection
Made with security in mind by CodeSlick https://codeslick.dev
