> ## Documentation Index
> Fetch the complete documentation index at: https://docs.golf.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Quick Start

> Install Golf Scanner and run your first security audit in 2 minutes

This guide walks you through installing Golf Scanner and running your first security audit. By the end, you'll have a risk score for every MCP server configured on your machine.

## What You'll Learn

* How to install Golf Scanner
* How to audit your MCP servers with a single command
* How to interpret risk scores and findings
* How to use JSON output for CI/CD pipelines

## Prerequisites

* macOS or Linux
* Homebrew (recommended) or Go 1.23+

<Steps>
  <Step title="Install Golf Scanner">
    <Tabs>
      <Tab title="Homebrew (recommended)">
        ```bash theme={null}
        brew install golf-mcp/tap/golf-scanner
        ```
      </Tab>

      <Tab title="Go Install">
        ```bash theme={null}
        go install github.com/golf-mcp/golf-scanner/cmd/golf-scanner@latest
        ```
      </Tab>

      <Tab title="Binary Download">
        Download the latest release from [GitHub Releases](https://github.com/golf-mcp/golf-scanner/releases) and add it to your `PATH`.
      </Tab>
    </Tabs>

    Verify the installation:

    ```bash theme={null}
    golf-scanner version
    ```

    **Checkpoint**: You see a version string like `golf-scanner v0.1.0`.
  </Step>

  <Step title="Run a Security Audit">
    Run the audit command — it discovers all MCP servers configured across your IDEs and checks each one against 20 security checks:

    ```bash theme={null}
    golf-scanner audit
    ```

    Golf Scanner finds configuration files for Claude Code, Cursor, VS Code, Windsurf, Gemini CLI, Kiro, and Antigravity, then runs security checks

    **Checkpoint**: You see a summary table with scores and severity counts for each server.
  </Step>

  <Step title="Read the Results">
    The audit output shows:

    * **Score**: 0–100 risk score (higher is better). Hard-capped at 30 for critical findings, 59 for high findings.
    * **Risk level**: Low (≥60), Moderate (>30), or High (≤30)
    * **Severity counts**: Number of critical, high, medium, and pass findings per server

    For detailed findings including remediation advice:

    ```bash theme={null}
    golf-scanner audit --verbose
    ```

    For just the summary table:

    ```bash theme={null}
    golf-scanner audit --quiet
    ```

    **Checkpoint**: You can identify which servers need attention based on their score and severity.
  </Step>
</Steps>

## Next Steps

<CardGroup cols={2}>
  <Card title="CLI Reference" icon="terminal" href="/scanner/cli-reference">
    All commands, flags, and options
  </Card>

  <Card title="Understanding Results" icon="chart-simple" href="/scanner/understanding-results">
    How scores, severities, and server types work
  </Card>

  <Card title="Security Checks" icon="shield-halved" href="/scanner/security-checks">
    What each of the 20 checks detects
  </Card>
</CardGroup>