# CodeSlick CLI

CLI tool for pre-commit security scanning with Terraform IaC support.

```bash
npm install codeslick-cli
```

CodeSlick CLI - Pre-commit security scanner for JavaScript, TypeScript, Python, Java, Go, and Terraform.
Catch security vulnerabilities before they enter your codebase with automated pre-commit scanning.
- Local Security Scanning - No API calls required, fully offline
- Pre-commit Hook Integration - Automatically scans staged files before each commit
- Fast Analysis - <3s for 10 files using CodeSlick's analyzer engine
- Multi-language Support - JavaScript, TypeScript, Python, Java, Go, Terraform
- IaC Security - Detects AWS misconfigurations in Terraform (S3, IAM, and more)
- Configurable Thresholds - Block commits on CRITICAL, HIGH, MEDIUM, or LOW severity
- Beautiful Terminal Output - Color-coded results with CVSS scores and fix suggestions
- CI/CD Ready - JSON output mode for automation
- OWASP Top 10:2025 Compliant - 304 comprehensive security checks
Git is required - CodeSlick CLI works with any git repository (local or remote):

```bash
# Initialize git in your project (if not already done)
git init
```
Note: You do NOT need GitHub, GitLab, or any remote hosting. CodeSlick works with local git repositories, GitHub repositories, GitLab, Bitbucket, or any git-based workflow.
System Requirements:
- Node.js 18.0.0 or higher
- Git (any version)
- macOS, Linux, or Windows
Run CodeSlick directly without installation:

```bash
npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan
```
Benefits:
- ✅ No permission issues
- ✅ Always runs latest version
- ✅ Works on all systems
- ✅ No global pollution
```bash
npm install -g codeslick-cli
```

After installation, you can use either `codeslick` or the shorter alias `cs`:

```bash
codeslick --version
# or
cs --version
```

Both commands work identically. Use `cs` for faster typing!
Note: On macOS/Linux, you may encounter permission errors. See Troubleshooting for solutions.
```bash
npm install --save-dev codeslick-cli
npx codeslick-cli init
```

```bash
cd your-project/
```

### Initialize CodeSlick

```bash
npx codeslick-cli init
# or if you installed globally:
codeslick init   # or: cs init
```

This will:
- Create `.codeslick.json` configuration file
- Install pre-commit hook in `.git/hooks/`
- Configure automatic scanning

### Set the severity threshold

```bash
npx codeslick-cli config set severity critical   # Block only CRITICAL issues
npx codeslick-cli config set severity high       # Block HIGH+ issues (recommended)
npx codeslick-cli config set severity medium     # Block MEDIUM+ issues (default)
```

### Commit as usual

```bash
git add .
git commit -m "Add new feature"
```

CodeSlick will automatically scan staged files. If vulnerabilities are found that meet your severity threshold, the commit will be blocked.
## Commands

### `codeslick init`

Initialize CodeSlick in your repository.

Usage:

```bash
codeslick init [options]
```

Options:
- `--force, -f` - Force re-initialization (overwrite existing config)
- `--severity, -s` - Set default severity threshold (critical|high|medium|low)

Examples:

```bash
codeslick init                    # Initialize with defaults
codeslick init --force            # Overwrite existing configuration
codeslick init --severity high    # Initialize with HIGH severity threshold
```

---

### `codeslick scan`

Scan files for security vulnerabilities.

Usage:

```bash
codeslick scan [files...] [options]
```

Options:
- `--all, -a` - Scan all files in repository (overrides default staged-only behavior)
- `--quick, -q` - Quick scan - skip deep TypeScript type checking for speed
- `--verbose, -v` - Show all issues including MEDIUM and LOW (default: HIGH+ only)
- `--severity, -s` - Override severity threshold (critical|high|medium|low)
- `--fix` - Auto-apply fixes where possible (experimental)
- `--json` - Output results as JSON (for CI/CD)
- `--verify` - NEW: Run security scan + tests (combined pass/fail) ⭐
- `--test-command` - Custom test command (e.g., "npm test", "pytest")

Default Behavior: Scans only staged files for fast pre-commit feedback.

Examples:

```bash
codeslick scan                    # Scan staged files (default)
codeslick scan --all              # Scan entire repository
codeslick scan --quick            # Fast scan (skip TypeScript type checking)
codeslick scan --verbose          # Show all issues (including MEDIUM/LOW)
codeslick scan src/**/*.js        # Scan specific files/patterns
codeslick scan --json             # JSON output (for CI/CD)
codeslick scan --severity high    # Temporarily override threshold

# NEW: Test Execution Integration (v1.3)
codeslick scan --verify                                 # Run security scan + tests (both must pass)
codeslick scan --verify --test-command "pytest --cov"   # Custom test command
```

---

### `codeslick config`

Manage CodeSlick configuration.

Usage:

```bash
codeslick config [key] [value]
```

Actions:
- `list` - Display all configuration values
- `get` - Get a specific configuration value
- `set` - Set a configuration value

Configuration Keys:
- `severity` - Severity threshold (critical|high|medium|low)
- `autofix` - Enable/disable auto-fix (true|false)
- `languages` - Comma-separated list of languages
- `exclude` - Comma-separated list of exclude patterns

Examples:

```bash
codeslick config list                       # Show all config
codeslick config get severity               # Get current severity
codeslick config set severity critical      # Set severity to CRITICAL only
codeslick config set autofix true           # Enable auto-fix
codeslick config set languages js,ts,py     # Enable only JS, TS, Python
```

## Command Aliases
If installed globally, you can use the shorter `cs` alias:

| Long Command | Short Alias | Description |
|--------------|-------------|-------------|
| `codeslick init` | `cs init` | Initialize CodeSlick |
| `codeslick scan` | `cs scan` | Scan files |
| `codeslick config` | `cs config` | Manage config |
| `codeslick auth` | `cs auth` | Authenticate |
| `codeslick --help` | `cs --help` | Show help |
| `codeslick --version` | `cs --version` | Show version |

Examples (global installation only):

```bash
# These only work after global installation:
codeslick scan --staged
cs scan --staged

# If using npx, use:
npx codeslick-cli scan --staged
```

Note: The `codeslick` and `cs` commands only work after global installation. If using npx, always use `npx codeslick-cli`.

## Configuration

The `.codeslick.json` file controls how CodeSlick scans your code.

### Default configuration
```json
{
  "version": "1.0",
  "severity": "critical",
  "autofix": false,
  "exclude": [
    "node_modules/**",
    "dist/**",
    "build/**",
    "coverage/**",
    "**/*.test.{js,ts}",
    "**/*.spec.{js,ts}",
    "**/test/**",
    "**/tests/**"
  ],
  "languages": ["javascript", "typescript", "python", "java", "go", "terraform"],
  // NEW: Pass/Fail Thresholds (v1.3)
  "thresholdEnabled": true,
  "thresholdBlockCritical": true,
  "thresholdBlockHigh": false,
  "thresholdMaxVulnerabilities": 50,
  "thresholdMaxEpss": 70,
  "thresholdExemptPaths": ["**/__tests__/**", "vendor/**"],
  // NEW: Test Execution Integration (v1.3)
  "testCommand": "npm test",
  "testTimeout": 300000
}
```

### Configuration options
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| `version` | string | "1.0" | Configuration version (do not modify) |
| `severity` | string | "critical" | Severity threshold: critical, high, medium, low |
| `autofix` | boolean | false | Enable auto-fix (experimental) |
| `exclude` | string[] | See above | Glob patterns to exclude from scanning |
| `languages` | string[] | All | Languages to scan: javascript, typescript, python, java, go, terraform |
| `telemetry` | boolean | true | Enable anonymous usage analytics |
| Thresholds (v1.3) | | | |
| `thresholdEnabled` | boolean | true | Enable pass/fail threshold enforcement |
| `thresholdBlockCritical` | boolean | true | Block on CRITICAL vulnerabilities |
| `thresholdBlockHigh` | boolean | false | Block on HIGH severity vulnerabilities |
| `thresholdMaxVulnerabilities` | number | 50 | Max total vulnerabilities allowed |
| `thresholdMaxEpss` | number | 70 | Max EPSS score (0-100, exploitability %) |
| `thresholdExemptPaths` | string[] | [] | Glob patterns exempt from thresholds |
| Test Execution (v1.3) | | | |
| `testCommand` | string | Auto-detect | Test command to run with `--verify` flag |
| `testTimeout` | number | 300000 | Test execution timeout (milliseconds) |
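As an added example (not CodeSlick's own code), the following JavaScript shows how the `threshold*` keys above can combine into a single pass/fail decision, so you can see which finding trips which gate before the hook blocks a commit. The README does not spell out the combination rules, so the rules here are assumptions, and the findings and glob matcher are constructed for the example.

```javascript
// Added example (not CodeSlick's own code): a reference evaluator for the
// threshold* keys of .codeslick.json. Assumed rules: exempt paths are dropped
// first, then each enabled gate contributes a blocking reason (non-zero exit).
// Minimal glob matcher for thresholdExemptPaths: "**/" spans directories,
// "**" matches anything, "*" matches within one path segment.
function globToRegExp(glob) {
  const re = glob.replace(/\*\*\/|\*\*|\*|[.+?^${}()|[\]\\]/g, (m) => {
    if (m === "**/") return "(?:.*/)?";
    if (m === "**") return ".*";
    if (m === "*") return "[^/]*";
    return "\\" + m; // escape regex metacharacters
  });
  return new RegExp("^" + re + "$");
}

function isExempt(path, exemptPaths) {
  return exemptPaths.some((g) => globToRegExp(g).test(path));
}

// findings: [{ path, severity, epss }], epss as a 0-100 percentage. Returns { blocked, reasons }.
function evaluateThresholds(findings, config) {
  const reasons = [];
  if (!config.thresholdEnabled) return { blocked: false, reasons };
  const exempt = config.thresholdExemptPaths || [];
  const counted = findings.filter((f) => !isExempt(f.path, exempt));
  const count = (s) => counted.filter((f) => f.severity === s).length;
  if (config.thresholdBlockCritical && count("CRITICAL") > 0)
    reasons.push(`${count("CRITICAL")} CRITICAL finding(s)`);
  if (config.thresholdBlockHigh && count("HIGH") > 0)
    reasons.push(`${count("HIGH")} HIGH finding(s)`);
  if (counted.length > config.thresholdMaxVulnerabilities)
    reasons.push(`${counted.length} findings exceed thresholdMaxVulnerabilities`);
  const maxEpss = Math.max(0, ...counted.map((f) => f.epss || 0));
  if (maxEpss > config.thresholdMaxEpss)
    reasons.push(`EPSS ${maxEpss}% exceeds thresholdMaxEpss ${config.thresholdMaxEpss}%`);
  return { blocked: reasons.length > 0, reasons };
}

// Constructed sample input: the README's default threshold values plus three
// findings, two of which sit under exempt paths and therefore must not count.
const DEFAULT_THRESHOLDS = {
  thresholdEnabled: true, thresholdBlockCritical: true, thresholdBlockHigh: false,
  thresholdMaxVulnerabilities: 50, thresholdMaxEpss: 70,
  thresholdExemptPaths: ["**/__tests__/**", "vendor/**"],
};
const SAMPLE_FINDINGS = [
  { path: "src/db.js", severity: "HIGH", epss: 12 },
  { path: "src/__tests__/db.test.js", severity: "CRITICAL", epss: 90 }, // exempt
  { path: "vendor/lib.js", severity: "CRITICAL", epss: 95 }, // exempt
];
```

With the defaults the sample passes (the only counted finding is HIGH and `thresholdBlockHigh` is false); flipping `thresholdBlockHigh` to true blocks it.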
### Severity thresholds

| Threshold | Blocks On | Use Case |
|-----------|-----------|----------|
| `critical` | CRITICAL only | Minimum protection (fastest) |
| `high` | CRITICAL + HIGH | Recommended for most projects |
| `medium` | CRITICAL + HIGH + MEDIUM | Strict security requirements |
| `low` | All issues | Maximum security (slowest) |

## Security Checks

CodeSlick CLI uses the same analysis engine as the GitHub App and WebTool.
### Supported languages

| Language | Security Checks | Key Detections |
|----------|-----------------|----------------|
| JavaScript | 28 checks | SQL injection, XSS, eval(), dangerous APIs |
| TypeScript | 56 checks | Type errors, property validation, AI code |
| Python | 47 checks | Django/Flask security, pickle, exec(), secrets |
| Java | 32 checks | Log4j, Spring Security, SQL injection, deserialization |
| Go | 26 checks | SQL injection, command injection, TLS misconfig, race conditions |
| Terraform | 10 checks | S3 public ACL, IAM wildcards, encryption, versioning, logging |
Total: 304 comprehensive security checks
### OWASP Top 10:2025 compliance

CodeSlick CLI is 95% compliant with OWASP Top 10:2025:
- A01:2025 - Broken Access Control
- A02:2025 - Cryptographic Failures
- A03:2025 - Injection
- A04:2025 - Insecure Design
- A05:2025 - Security Misconfiguration
- A06:2025 - Vulnerable and Outdated Components
- A07:2025 - Identification and Authentication Failures
- A08:2025 - Software and Data Integrity Failures
- A09:2025 - Security Logging and Monitoring Failures
- A10:2025 - Server-Side Request Forgery (SSRF)
## CI/CD Integration

Use CodeSlick CLI in your CI/CD pipeline with JSON output mode.

### GitHub Actions

```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  codeslick:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      # Option 1: Security scan only
      - run: npx codeslick-cli scan --json > results.json
      # Option 2: Security scan + tests (v1.3) ⭐
      - run: npx codeslick-cli scan --verify
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: codeslick-results
          path: results.json
```

### GitLab CI

```yaml
codeslick:
  image: node:18
  script:
    - npx codeslick-cli scan --json > results.json
  artifacts:
    when: always
    paths:
      - results.json
```

### Jenkins

```groovy
pipeline {
  agent any
  stages {
    stage('Security Scan') {
      steps {
        sh 'npx codeslick-cli scan --json > results.json'
      }
    }
  }
  post {
    always {
      archiveArtifacts artifacts: 'results.json'
    }
  }
}
```

## Skipping the Pre-commit Hook

If you need to commit without scanning (not recommended):

```bash
git commit --no-verify -m "Emergency hotfix"
```

Or temporarily disable:

```bash
rm .git/hooks/pre-commit
# Make your commits
codeslick init --force   # Re-install hook
```

## Troubleshooting
Problem: Running `codeslick init` in a non-git directory.

Why this happens: CodeSlick CLI requires git to:
- Install pre-commit hooks in `.git/hooks/` directory
- Track staged files for scanning
- Work with your existing git workflow

Solution: Initialize git first:

```bash
# Initialize git in your project
git init
# Now run CodeSlick init
npx codeslick-cli init
```

Note: You do NOT need GitHub or any remote repository. CodeSlick works with local git repositories.

---

Problem: Running `codeslick scan` with no staged files.

Why this happens: By default, CodeSlick scans only staged files for fast pre-commit feedback.

Solutions:

```bash
# Option 1: Stage files first
git add .
codeslick scan

# Option 2: Scan entire repository
codeslick scan --all

# Option 3: Scan specific path
codeslick scan src/
```

---

Problem: Hook installed but not executing.

Solution: Ensure hook is executable (Unix):

```bash
chmod +x .git/hooks/pre-commit
```

Solution: Re-install hook:

```bash
codeslick init --force
```

---

Problem: Permission denied when installing globally:

```text
npm error code EACCES
npm error syscall mkdir
npm error path /usr/local/lib/node_modules/codeslick-cli
```

✅ Solution 1 - Use `npx` (Recommended - No installation needed):

```bash
npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan
```

Solution 2 - Fix npm permissions (Best long-term):

```bash
mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
npm install -g codeslick-cli
```

Solution 3 - Use sudo (Not recommended):

```bash
sudo npm install -g codeslick-cli
```

---

Problem: CLI not installed globally or not in PATH.

Solution: Install globally:

```bash
npm install -g codeslick-cli
```

Solution: Use npx (no install required):

```bash
npx codeslick-cli init
npx codeslick-cli scan
```

---

Problem: Scanning takes >5s for small projects.

Solution: Exclude unnecessary directories:

```bash
codeslick config set exclude "node_modules/**,dist/**,coverage/**"
```

---

Problem: Legitimate code flagged as vulnerable.

Solution: Adjust severity threshold:

```bash
codeslick config set severity high   # Only block HIGH+ issues
```

Solution: Exclude specific files:

```bash
codeslick config set exclude "test/**,migrations/**"
```

## Performance
Typical scan times on a 2020 MacBook Pro:
| Files | Languages | Time |
|-------|-----------|------|
| 10 | Mixed | <3s |
| 50 | Mixed | <10s |
| 100 | Mixed | <20s |
| 500 | Mixed | <60s |
## Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

## License

MIT License - see LICENSE for details.

## Support

- Website: https://codeslick.dev
- GitHub: https://github.com/VitorLourenco/codeslick2
- Issues: https://github.com/VitorLourenco/codeslick2/issues
- Email: support@codeslick.dev
## What's New in v1.4 🚀

### Terraform IaC Security Scanning (February 2026)

- Terraform Language Support - Full Infrastructure as Code security analysis
- 10 AWS Security Checks - S3 buckets (public ACL, encryption, versioning, logging) + IAM policies (wildcard actions/resources, privilege escalation)
- Multiline HCL Parsing - Correctly handles multiline `jsonencode()` and nested objects
- OWASP A01:2021 Compliance - Detects Broken Access Control in cloud infrastructure
- Pre-commit IaC Validation - Block insecure Terraform before deployment
- 304 Total Security Checks - Now supporting 6 languages

Example:

```bash
cs scan infrastructure/*.tf
✖ CRITICAL: S3 bucket has public ACL: "public-read"
✖ CRITICAL: IAM policy allows wildcard actions (Action: "*")
⚠ HIGH: S3 bucket does not have encryption enabled
Exit code: 1 (blocked - 3 critical issues)
```

### Terraform security checks

| Check | Severity | OWASP | Description |
|-------|----------|-------|-------------|
| S3 Public ACL | CRITICAL | A01:2021 | Detects `acl = "public-read"` |
| S3 Encryption | HIGH | A02:2021 | Missing server-side encryption |
| S3 Versioning | MEDIUM | A09:2021 | No versioning enabled |
| S3 Logging | MEDIUM | A09:2021 | No access logs |
| IAM Wildcard Actions | CRITICAL | A01:2021 | `Action = "*"` detected |
| IAM Wildcard Resources | HIGH | A01:2021 | `Resource = "*"` detected |
| IAM Admin Policy | CRITICAL | A01:2021 | AdministratorAccess equivalent |
| IAM Privilege Escalation | CRITICAL | A01:2021 | Can grant self permissions |
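As an added example (not part of CodeSlick's analyzer), the following JavaScript implements three of the checks in the table above over a constructed Terraform snippet. It shows why the "multiline HCL parsing" point matters: a wildcard inside a multiline `jsonencode({ ... })` policy is only attributable to its resource if the whole resource body is cut out first. The resource names and the snippet are constructed.

```javascript
// Added example (not CodeSlick's own analyzer): a simplified detector for three
// of the Terraform checks above, run over a constructed HCL snippet. Resource
// bodies are cut out by brace depth so a multiline jsonencode({ ... }) policy is
// inspected with its resource; braces inside string literals are not handled.
const SAMPLE_TF = `
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
resource "aws_iam_policy" "deploy" {
  name   = "deploy"
  policy = jsonencode({
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}
`;

// Returns [{ type, name, body }] for every top-level resource block.
function splitResources(hcl) {
  const out = [], re = /resource\s+"([^"]+)"\s+"([^"]+)"\s*\{/g;
  let m;
  while ((m = re.exec(hcl)) !== null) {
    let depth = 1, i = re.lastIndex;
    for (; i < hcl.length && depth > 0; i++) {
      if (hcl[i] === "{") depth++;
      else if (hcl[i] === "}") depth--;
    }
    out.push({ type: m[1], name: m[2], body: hcl.slice(re.lastIndex, i - 1) });
    re.lastIndex = i;
  }
  return out;
}

// Findings mirror the CLI output above: { severity, check, resource }.
function scanTerraform(hcl) {
  const findings = [];
  for (const r of splitResources(hcl)) {
    const resource = `${r.type}.${r.name}`;
    if (r.type === "aws_s3_bucket" && /\bacl\s*=\s*"public-read(-write)?"/.test(r.body))
      findings.push({ severity: "CRITICAL", check: "S3 Public ACL", resource });
    if (r.type === "aws_iam_policy") {
      // Accepts HCL object syntax (Action = "*") and JSON ("Action": "*"), bare or in a list.
      if (/\bAction"?\s*[=:]\s*\[?\s*"\*"/.test(r.body))
        findings.push({ severity: "CRITICAL", check: "IAM Wildcard Actions", resource });
      if (/\bResource"?\s*[=:]\s*\[?\s*"\*"/.test(r.body))
        findings.push({ severity: "HIGH", check: "IAM Wildcard Resources", resource });
    }
  }
  return findings;
}
```

Running `scanTerraform(SAMPLE_TF)` yields one S3 Public ACL finding and two IAM findings, matching the severities in the table; a bucket with `acl = "private"` produces none.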
---

## What's New in v1.3 ⭐

### Pass/Fail Thresholds + Test Execution Integration (February 2026)

- `--verify` Flag - Run security scan + tests in one command (both must pass)
- Granular Thresholds - Configure exactly what blocks commits (CRITICAL only, HIGH+, max count, EPSS score)
- Path Exemptions - Exclude test files, vendor code, docs from threshold enforcement
- Auto-Detect Test Frameworks - Supports npm test, pytest, go test, maven, gradle
- Combined Pass/Fail - Exit code 0 only if BOTH security AND tests pass
- CLI Default: Enabled - Thresholds enforce by default (configurable in `.codeslick.json`)

Example:

```bash
cs scan --verify   # Run security scan + tests
✓ Analyzed 50 files (0 CRITICAL)
✓ Tests passed (127 tests, 0 failures)
Exit code: 0 (commit allowed)
```

### Earlier releases

- Go Language Support - Added comprehensive Go security analysis with 26 security checks
- AI-Generated Code Detection - Detects AI hallucinations and code smells in Go code
- 294 Total Security Checks - Now supporting 5 languages (JavaScript, TypeScript, Python, Java, Go)
- Race Condition Detection - Go-specific concurrency vulnerability detection
- TLS Security Checks - Detects InsecureSkipVerify and weak TLS configurations in Go

---

- Update Notifications - CLI notifies you when a new version is available
- Anonymous Telemetry - Usage stats for dashboard analytics (disable with `cs config set telemetry false`)
- Improved SSRF Detection - Internal API routes (/api/...) no longer trigger false positives
- Fixed Critical Sorting - CRITICAL issues now correctly appear first in reports
- Markdown Reports - Auto-generates detailed reports for large scans (>20 files or >30 issues)

---

- Staged Files by Default - Fast pre-commit scans (<1s for most commits)
- Quick Mode - Skip TypeScript type checking with `--quick` for even faster scans
- Smart Output - Only shows CRITICAL and HIGH issues by default (use `--verbose` for all)

---

Made with security in mind by CodeSlick
https://codeslick.dev