# CLI Reference

> Complete command reference for Golf Scanner including all commands, flags, environment variables, and exit codes

## Quick Reference

| Command                | Purpose                                                             |
| ---------------------- | ------------------------------------------------------------------- |
| `golf-scanner audit`   | Discover MCP servers and run a full security audit with risk scores |
| `golf-scanner scan`    | List discovered MCP servers without running checks                  |
| `golf-scanner version` | Print version information                                           |
| `golf-scanner help`    | Show usage information                                              |

***

## `audit`

Discover all MCP servers configured across your IDEs and run 20 security checks against each one. Produces a 0–100 risk score per server.

### Syntax

```bash
golf-scanner audit [options]
```

### Options

| Flag              | Default | Description                                                                        |
| ----------------- | ------- | ---------------------------------------------------------------------------------- |
| `--offline`       | `false` | Skip network checks (OSV, GitHub, npm, PyPI, MCP Registry, OCI registries)         |
| `--format`        | `table` | Output format: `table` or `json`                                                   |
| `--json`          | `false` | Shorthand for `--format json`                                                      |
| `--fail-on`       |         | Exit code 1 if findings at or above severity: `note`, `medium`, `high`, `critical` |
| `--verbose`, `-v` | `false` | Show full finding details including remediation text                               |
| `--quiet`, `-q`   | `false` | Show only the summary table (no per-server details)                                |

### Flag Interactions

* `--verbose` and `--quiet` are **mutually exclusive** — using both produces an error
* `--json` is shorthand for `--format json` — both do the same thing
* `--offline` skips all Tier 2 checks (11 of 20 checks require network)

### Examples

```bash title="Full audit with all checks"
golf-scanner audit
```

```bash title="Offline only (no network requests)"
golf-scanner audit --offline
```

```bash title="Verbose with remediation details"
golf-scanner audit --verbose
```

```bash title="Summary table only"
golf-scanner audit --quiet
```

```bash title="CI/CD — fail on high or critical"
golf-scanner audit --fail-on high --json
```

```bash title="CI/CD — fail on any finding"
golf-scanner audit --fail-on note --json
```

***

## `scan`

List MCP server configurations discovered across your IDEs without running any security checks. Reads configuration files for Claude Code, Cursor, VS Code, Windsurf, Gemini CLI, Kiro, and Antigravity.

### Syntax

```bash
golf-scanner scan [options]
```

### Options

| Flag       | Default | Description                      |
| ---------- | ------- | -------------------------------- |
| `--format` | `table` | Output format: `table` or `json` |
| `--json`   | `false` | Shorthand for `--format json`    |

### Examples

```bash title="List all discovered MCP servers"
golf-scanner scan
```

```bash title="JSON output for scripting"
golf-scanner scan --json
```

***

## `version`

Print the Golf Scanner version string.

### Syntax

```bash
golf-scanner version
```

### Example Output

```
golf-scanner v0.1.0
```

***

## `help`

Show usage information for all commands.

### Syntax

```bash
golf-scanner help
golf-scanner --help
golf-scanner -h
```

***

## Environment Variables (Optional)

Golf Scanner works without any environment variables. These are optional and only affect online (Tier 2) checks:

| Variable            | Purpose                                                                         |
| ------------------- | ------------------------------------------------------------------------------- |
| `GITHUB_TOKEN`      | GitHub API authentication — increases rate limit from 60 to 5,000 requests/hour |
| `GOLF_GITHUB_TOKEN` | Fallback if `GITHUB_TOKEN` is not set                                           |

Set `GITHUB_TOKEN` when running online checks to avoid rate limiting on GitHub Trust checks:

```bash
export GITHUB_TOKEN=ghp_your_token_here
golf-scanner audit
```

***

## Exit Codes

| Code | Meaning                                                                                                   |
| ---- | --------------------------------------------------------------------------------------------------------- |
| 0    | Success — audit completed, no threshold exceeded                                                          |
| 1    | No arguments provided, unknown command, `--fail-on` threshold exceeded, or `--verbose`/`--quiet` conflict |
| 2    | JSON marshaling error or invalid `--fail-on` severity value                                               |
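
Exit code 1 covers both a `--fail-on` threshold hit and usage errors, so a CI step that only checks for non-zero cannot tell "findings" from "scanner was invoked wrongly". The wrapper below is an added example, not part of Golf Scanner or its documentation, that separates the two and fails closed. The function names, the wrapper's own return codes (1 and 3), and the premise that a threshold hit still writes the JSON report to stdout while a usage error does not are assumptions of this example.

```bash
#!/bin/sh
# Added example: CI gate around `golf-scanner audit` (not Golf Scanner's own code).

# Severities accepted by --fail-on, per the Options table above.
valid_severity() {
  case "$1" in
    note|medium|high|critical) return 0 ;;
    *) return 1 ;;
  esac
}

# Map an exit code from the Exit Codes table to a verdict.
# $1 = golf-scanner exit code, $2 = file holding its captured stdout.
# Assumption: exit 1 with JSON on stdout means the threshold was exceeded;
# exit 1 without JSON means a usage error (unknown command, flag conflict).
classify_exit() {
  ce_first=""
  if [ -f "$2" ]; then IFS= read -r ce_first <"$2" || true; fi
  case "$1" in
    0) echo pass ;;
    1) case "$ce_first" in
         "{"*|"["*) echo findings ;;
         *)         echo usage-error ;;
       esac ;;
    2) echo tool-error ;;
    *) echo unknown ;;
  esac
}

# Returns 0 = pass, 1 = findings at/above threshold, 3 = scanner misuse or failure.
audit_gate() {
  ag_sev="${1:-high}"
  # Validate up front so exit code 2 can only mean a JSON marshaling error.
  if ! valid_severity "$ag_sev"; then
    echo "audit_gate: invalid --fail-on severity '$ag_sev'" >&2
    return 3
  fi
  ag_report="$(mktemp)"
  ag_code=0
  golf-scanner audit --fail-on "$ag_sev" --json >"$ag_report" || ag_code=$?
  ag_verdict="$(classify_exit "$ag_code" "$ag_report")"
  echo "golf-scanner exit=$ag_code verdict=$ag_verdict report=$ag_report" >&2
  case "$ag_verdict" in
    pass)     return 0 ;;
    findings) return 1 ;;
    *)        return 3 ;;  # fail closed: a broken scan is never a pass
  esac
}
```

Call `audit_gate high` from the pipeline step and treat return code 3 as a pipeline fault to investigate rather than a security finding.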
