CLI Reference - Golf Documentation

Quick Reference

Command	Purpose
`golf-scanner audit`	Discover MCP servers and run a full security audit with risk scores
`golf-scanner scan`	List discovered MCP servers without running checks
`golf-scanner version`	Print version information
`golf-scanner help`	Show usage information

`audit`

Discover all MCP servers configured across your IDEs and run 20 security checks against each one. Produces a 0–100 risk score per server.

Syntax

golf-scanner audit [options]

Options

Flag	Default	Description
`--offline`	`false`	Skip network checks (OSV, GitHub, npm, PyPI, MCP Registry, OCI registries)
`--format`	`table`	Output format: `table` or `json`
`--json`	`false`	Shorthand for `--format json`
`--fail-on`		Exit code 1 if findings at or above severity: `note`, `medium`, `high`, `critical`
`--verbose`, `-v`	`false`	Show full finding details including remediation text
`--quiet`, `-q`	`false`	Show only the summary table (no per-server details)

Flag Interactions

--verbose and --quiet are mutually exclusive — using both produces an error
--json is shorthand for --format json — both do the same thing
--offline skips all Tier 2 checks (11 of 20 checks require network)

Examples

Full audit with all checks

golf-scanner audit

Offline only (no network requests)

golf-scanner audit --offline

Verbose with remediation details

golf-scanner audit --verbose

Summary table only

golf-scanner audit --quiet

CI/CD — fail on high or critical

golf-scanner audit --fail-on high --json

CI/CD — fail on any finding

golf-scanner audit --fail-on note --json

`scan`

List MCP server configurations discovered across your IDEs without running any security checks. Reads configuration files for Claude Code, Cursor, VS Code, Windsurf, Gemini CLI, Kiro, and Antigravity.

Syntax

golf-scanner scan [options]

Options

Flag	Default	Description
`--format`	`table`	Output format: `table` or `json`
`--json`	`false`	Shorthand for `--format json`

Examples

List all discovered MCP servers

golf-scanner scan

JSON output for scripting

golf-scanner scan --json

`version`

Print the Golf Scanner version string.

Syntax

golf-scanner version

Example Output

golf-scanner v0.1.0

`help`

Show usage information for all commands.

Syntax

golf-scanner help
golf-scanner --help
golf-scanner -h

Environment Variables (Optional)

Golf Scanner works without any environment variables. These are optional and only affect online (Tier 2) checks:

Variable	Purpose
`GITHUB_TOKEN`	GitHub API authentication — increases rate limit from 60 to 5,000 requests/hour
`GOLF_GITHUB_TOKEN`	Fallback if `GITHUB_TOKEN` is not set

Set GITHUB_TOKEN when running online checks to avoid rate limiting on GitHub Trust checks:

export GITHUB_TOKEN=ghp_your_token_here
golf-scanner audit

Exit Codes

Code	Meaning
0	Success — audit completed, no threshold exceeded
1	No arguments provided, unknown command, `--fail-on` threshold exceeded, or `--verbose`/`--quiet` conflict
2	JSON marshaling error or invalid `--fail-on` severity value

Getting Started

Reference

​Quick Reference

​audit

​Syntax

​Options

​Flag Interactions

​Examples

​scan

​Syntax

​Options

​Examples

​version

​Syntax

​Example Output

​help

​Syntax

​Environment Variables (Optional)

​Exit Codes

Quick Reference

`audit`

Syntax

Options

Flag Interactions

Examples

`scan`

Syntax

Options

Examples

`version`

Syntax

Example Output

`help`

Syntax

Environment Variables (Optional)

Exit Codes