
av sast scan

Run the full scan series over a local path and tier every finding RED, YELLOW, or GREEN.

av sast scan [flags]

The binary ships as alertavuln; av is the common alias - they are interchangeable in every example.

av sast scan runs the full scan series over a local path. Each engine emits SARIF that is normalised into a single finding set and rendered as a table (or JSON with --format json).

Pass --project to also upload the findings to that project so they appear on the Code Scan page. The scan’s source repo and git ref are detected automatically from the scanned working tree’s git metadata; --repo and --ref override the detection. --no-upload keeps a scan local-only even when --project is set.

For CI gating, --fail-on makes the command exit non-zero when the worst finding is at or above the given tier.

Flag          Default        Description
--path        .              Path to scan
--format      table          Output format: table or json
--project     -              Project ID to upload findings to (omit for a local-only scan)
--repo        auto-detected  Source repo URL recorded as provenance on upload
--ref         auto-detected  Git ref recorded as provenance on upload
--no-upload   false          Scan locally only; do not upload even if --project is set
--fail-on     none           Exit non-zero if the worst finding is at or above the tier: red, yellow, or none

Scan the current directory with the full scan series:

av sast scan --path .

Gate a CI pipeline: exit non-zero if the worst finding is RED, with machine-readable output:

av sast scan --path . --fail-on red --format json

Exit codes:

Code  Meaning
0     Scan completed and no finding is at or above the --fail-on tier
1     Scan failed, or at least one finding is at or above the --fail-on tier
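The gating logic described above (engines emit SARIF, findings are normalised into one set, tiered, and the worst tier is compared against --fail-on), as an added example that is not the alertavuln CLI's own code. The SARIF-level-to-tier mapping and the two constructed SARIF logs are assumptions; the page does not state how the CLI assigns tiers.

```python
"""Added example (not alertavuln's code): merge several engines' SARIF output into
one finding set, tier each finding and apply the --fail-on gate as this page
describes it. The level-to-tier mapping below is an assumption."""
import json

TIER_RANK = {"GREEN": 0, "YELLOW": 1, "RED": 2}
# Assumed mapping from SARIF result levels to the RED/YELLOW/GREEN tiers.
LEVEL_TO_TIER = {"error": "RED", "warning": "YELLOW", "note": "GREEN", "none": "GREEN"}

# Constructed sample input: two engines, each emitting a minimal SARIF log.
SARIF_LOGS = [
    json.dumps({"runs": [{"tool": {"driver": {"name": "engine-a"}}, "results": [
        {"ruleId": "A001", "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"}}}]}]}]}),
    json.dumps({"runs": [{"tool": {"driver": {"name": "engine-b"}}, "results": [
        {"ruleId": "B007", "level": "error",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
        {"ruleId": "B002", "level": "note", "locations": []}]}]}),
]

def normalise(sarif_logs):
    """Flatten every run of every SARIF log into one list of tiered findings."""
    findings = []
    for raw in sarif_logs:
        for run in json.loads(raw).get("runs", []):
            engine = run["tool"]["driver"]["name"]
            for res in run.get("results", []):
                locs = res.get("locations") or [{}]
                uri = (locs[0].get("physicalLocation", {})
                       .get("artifactLocation", {}).get("uri", "<unknown>"))
                # SARIF treats a missing level as "warning".
                tier = LEVEL_TO_TIER.get(res.get("level", "warning"), "YELLOW")
                findings.append({"engine": engine, "rule": res.get("ruleId", "?"),
                                 "file": uri, "tier": tier})
    return findings

def worst_tier(findings):
    """Highest tier present, or GREEN when the scan produced no findings."""
    return max((f["tier"] for f in findings), key=TIER_RANK.__getitem__, default="GREEN")

def exit_code(findings, fail_on="none"):
    """0 unless fail_on is red/yellow and the worst finding is at or above it."""
    if fail_on == "none":
        return 0
    return 1 if TIER_RANK[worst_tier(findings)] >= TIER_RANK[fail_on.upper()] else 0
```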

Related commands:

  • av sast findings - pull the consolidated findings the server holds for a project
  • av sast server-scan - scan a project’s connected repos on AlertaVuln’s infrastructure (Enterprise)