nctl scan skills

[Experimental] scan agent skills

nctl scan skills [flags]

Examples


  # Basic scan with required resource and policy file
  nctl scan skills -r path/to/skill-dir -p path/to/policy.yaml

  # Scan multiple skills
  nctl scan skills -r skills/skillA -r skills/skillB -p policies/skill-baseline.yaml

  # Scan with audit mode enabled (violations reported as warnings)
  nctl scan skills -r path/to/skill-dir -p path/to/policy.yaml --audit-as-warn

  # Scan with detailed results for violating resources
  nctl scan skills -r path/to/skill-dir -p path/to/policy.yaml --details

  # Generate a scan report in JSON format
  nctl scan skills -r path/to/skill-dir -p path/to/policy.yaml -o json --scan-report scan-report.json

  # Output results to console in JSON
  nctl scan skills -r path/to/skill-dir -p path/to/policy.yaml -o json

  # Save results to a file with default name (scan-report.json)
  nctl scan skills -r path/to/skill-dir -p path/to/policy.yaml -o json --file

  # Disable colored output
  nctl scan skills -r path/to/skill-dir -p path/to/policy.yaml --no-color

  # Scan with only critical-severity policies
  nctl scan skills -r path/to/skill-dir -p path/to/policies/ --selector "severity=critical"

  # Scan with critical and high severity policies
  nctl scan skills -r path/to/skill-dir -p path/to/policies/ --selector "severity=critical" --selector "severity=high"

Options

      --audit-as-warn                 Report violations from policies in audit mode as warnings instead of failures
      --details                       Show result details for violating resources (default true)
      --exclude-files stringArray     Glob patterns to exclude from indicator content scanning (e.g. 'docs/*', 'CHANGELOG.md')
      --file string[="scan-report"]   Output file (if --file is used without a value, defaults to 'scan-report')
      --git-token string              Git authentication token (for Git URLs in --policies)
      --git-username string           Git username (for Git URLs in --policies)
  -h, --help                          help for skills
      --insecure                      allow connection to a Nirmata server with an insecure certificate (not recommended)
      --no-color                      disable the colors for the stdout reports
  -o, --output string                 Output format (text, json, yaml, scan-report, sarif) (default "text")
  -p, --policies strings              Path to policy files (optional; bundled defaults used when omitted)
      --publish                       Publish reports
      --publish-token string          scan reports publish token
      --remediate string              Remediate resources ('show', 'patch')
      --report-sourceid string        Add source id for report created for local scan
  -r, --resources strings             Path to resource files (local path, github URL)
      --risk-threshold int            Fail if aggregate risk score meets or exceeds this value (0 = disabled)
      --scan-report string            Output scan report file (in JSON format)
      --selector stringArray          Filter policies by annotation (key=value). Key is shorthand for policies.kyverno.io/{key}. Multiple selectors with the same key are OR'd; different keys are AND'd. Example: --selector severity=critical --selector severity=high
      --token string                  the Nirmata API Login Key (env NIRMATA_TOKEN)
      --url string                    the Nirmata server base URL (env NIRMATA_URL)
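
The OR/AND rule stated for --selector, as an added Python sketch (not nctl's own code) that is handy for checking which policies a selector set would keep before running a scan. The policy names and annotation values are constructed; treating a policy that lacks the annotation as a non-match, and an empty selector list as "no filtering", are assumptions.

```python
from collections import defaultdict

# Prefix taken from the --selector help text: key is shorthand for policies.kyverno.io/{key}
ANNOTATION_PREFIX = "policies.kyverno.io/"


def parse_selectors(selectors):
    """Group key=value selectors by fully qualified annotation key."""
    wanted = defaultdict(set)
    for raw in selectors:
        key, sep, value = raw.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"selector must be key=value, got {raw!r}")
        wanted[ANNOTATION_PREFIX + key].add(value)
    return dict(wanted)


def policy_matches(annotations, wanted):
    """Different keys are AND'd; values given for the same key are OR'd."""
    # Assumption: a policy missing the annotation does not match that key.
    return all(annotations.get(key) in values for key, values in wanted.items())


def select_policies(policies, selectors):
    """Return the names of policies kept by the selector set (hypothetical helper)."""
    wanted = parse_selectors(selectors)
    return [name for name, ann in policies.items() if policy_matches(ann, wanted)]


# Constructed sample policies; names and annotation values are illustrative only.
SAMPLE_POLICIES = {
    "skill-policy-a": {"policies.kyverno.io/severity": "critical",
                       "policies.kyverno.io/category": "skills"},
    "skill-policy-b": {"policies.kyverno.io/severity": "high",
                       "policies.kyverno.io/category": "skills"},
    "skill-policy-c": {"policies.kyverno.io/severity": "low",
                       "policies.kyverno.io/category": "hygiene"},
    "skill-policy-d": {},  # no annotations at all
}

if __name__ == "__main__":
    # Same key twice: critical OR high
    print(select_policies(SAMPLE_POLICIES, ["severity=critical", "severity=high"]))
    # Adding a second key: (critical OR high) AND category=hygiene
    print(select_policies(SAMPLE_POLICIES,
                          ["severity=critical", "severity=high", "category=hygiene"]))
```

Adding a selector on a second key narrows the set, so a combination such as severity plus category can silently select no policies at all.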

Options inherited from parent commands

  -v, --v Level   number for the log level verbosity
