Reference
CLI Reference
Every command DeployReady accepts — shell commands for scripting and CI, and the interactive prompt commands for working through findings — plus all flags, exit codes, and AI/config management.
DeployReady has two command surfaces. Shell commands are what you type in your terminal (deployready analyze, deployready init, …) — ideal for scripts and CI. The interactive prompt (the deployready › prompt you get when you launch a session) has its own short commands for stepping through a scan and fixing issues one at a time.
Global usage & options
Running deployready with no command launches the interactive session. Otherwise the shape is deployready <command> [options]. Most commands take an optional project path that defaults to the current directory (.).
# Launch the interactive session on the current directory
npx deployready@latest
# Or point it at a project, with or without a command
npx deployready@latest ./my-app
npx deployready@latest analyze ./my-appThese options work across the whole CLI:
| Option | Description |
|---|---|
-v, --verbose | Print verbose debug output. |
-V, --version | Print the installed DeployReady version and exit. |
-h, --help | Show help for the CLI or any command. |
Always run the latest
npx deployready@latestso you always run the newest version with nothing to install. If you've installed it globally, drop the prefix and just run deployready (update with npm i -g deployready@latest). See Installation for the options.Shell commands
deployready [path] · interactive (default)
The default command (alias: shell). Starts a guided, interactive session that stays open so you can scan, review findings, and apply fixes one at a time. New users get a numbered menu first — no command knowledge required.
npx deployready@latest # current directory
npx deployready@latest ./my-app # a specific project
npx deployready@latest interactive . # the explicit formdeployready analyze [path]
Run a single, non-interactive scan and print the results, then exit. This is the command for scripts and CI. Combine it with the flags below to control AI, dynamic testing, report output, and build-gating. See analyze flags for the full list.
# Full scan of the current project
npx deployready@latest analyze .
# CI-friendly: no AI, write a report, fail the build on critical findings
npx deployready@latest analyze ./my-app --no-ai --export --fail-on critical
# Machine-readable output for tooling
npx deployready@latest analyze . --json > report.jsondeployready init
Run the first-time setup wizard. It asks which AI model should power deeper analysis (Claude, OpenAI, or local Ollama) and stores your choice — and, for Claude/OpenAI, your API key — in ~/.deployready/config.json. Re-run it any time to switch providers or change a key. See Managing AI providers & config.
npx deployready@latest initdeployready report [path]
Re-run a scan and save a Markdown report (deployready-report.md) to the project root. This is a fast, AI-free shortcut equivalent to analyze --no-ai --export when all you want is the file.
npx deployready@latest report ./my-appdeployready config
Print the active configuration — the selected model, Ollama settings, scan ports, and whether each API key is set. Secret values are never printed; a configured key shows as «set».
$ npx deployready@latest config
{
"model": "claude",
"claudeApiKey": "«set»",
"openaiApiKey": null,
"ollamaPort": 11434,
"ollamaModel": "llama3",
"warnBeforeExternalSend": true,
"defaultPorts": [3000, 5000, 8000, 8080, 4000]
}analyze flags
All flags below apply to deployready analyze.
| Flag | Description |
|---|---|
-y, --yes | Auto-approve all prompts so the scan runs fully non-interactively. |
--no-dynamic | Skip live localhost testing. |
--no-ai | Skip AI analysis — run the static and dynamic checks with local results only. |
--aggressive | Enable aggressive dynamic tests, including a small request burst to probe rate limiting. Off by default. |
--export | Write deployready-report.md to the project root. |
--html | Write an HTML dashboard (deployready-report.html). |
--open | Open the HTML dashboard in your browser after the scan (implies --html). |
--json | Print a machine-readable JSON report to stdout (implies --yes; other logs are suppressed so stdout stays clean). |
--fail-on <severity> | Exit with code 2 if findings at or above this severity exist: critical | warning | info | none. Defaults to none. |
--baseline <file> | Gate only on findings that are NOT in the baseline file — existing issues are grandfathered, so the build fails only on new ones. |
--write-baseline <file> | Write the current findings to a baseline file and exit 0 (accept the current state as the baseline). |
--active | Run the active (authenticated) authorization tests. Requires --token; opt-in, consented, loopback-only, GET-only. See Active scan. |
--token <jwt> | Bearer JWT for the active scan — the token of a logged-in test user. |
--token-b <jwt> | A second user’s JWT, used to prove tenant / object-level isolation (IDOR/BOLA). |
Active (authenticated) scan
With your app running locally, --activelets DeployReady act as a logged-in user and try to break access control — the manual checks you'd otherwise do in Burp or Postman. It finds broken object-level authorization (IDOR/BOLA), broken tenant isolation, privilege escalation (a forged role: admin claim), and unverified JWTs (the server accepting an alg:none token).
# Act as one user, and add a second to test isolation
npx deployready@latest analyze . --active --token "<your-JWT>" --token-b "<second-user-JWT>"Need your token?
--active without --token and DeployReady prints step-by-step instructions for copying your JWT from the browser (DevTools → Network → the Authorization: Bearer … header). Tokens expire, so grab a fresh one if you start seeing 401s.Safe by construction
Exit codes
analyze uses distinct exit codes so CI can tell a policy failure apart from a tool crash. Pair them with --fail-on to gate deploys.
| Code | Meaning |
|---|---|
0 | Clean — no findings at or above the --fail-on threshold. |
1 | Tool error — the CLI threw while running. |
2 | Gate failed — findings at or above the threshold were found. |
- name: Production-readiness gate
run: npx deployready@latest analyze . --no-ai --export --fail-on criticalInteractive prompt commands
Launch a session with deployready. You'll see a numbered menu — pick 1 to scan right away, 2 to set up or change the AI model, or 4 to drop to the command prompt. At the deployready › prompt you can type any of the commands below. Commands that act on a finding take its number from the issues list.
Running a scan
| Command | Aliases | What it does |
|---|---|---|
scan | Run the full pipeline: parse → live tests → optional AI analysis. | |
parse | Static parse and vulnerability scan only (no live tests, no AI). | |
dynamic | live | Run live tests against your app on localhost (GET requests, with confirmation). |
ai | analyze | Send the redacted findings report to your AI model for deeper analysis. |
Reviewing findings
| Command | Aliases | What it does |
|---|---|---|
issues [crit|warn|info] | list, ls | List all findings, optionally filtered by severity. |
show <n> | Show full detail for finding n: severity, location, evidence, and the recommended fix. | |
score | Print the current 0–100 readiness score. | |
status | Show session state: target, whether it’s parsed, dynamic results, AI, and active model. |
Fixing issues
| Command | Aliases | What it does |
|---|---|---|
fix <n> | Interactive fix for finding n: a safe deterministic auto-fix, an AI-proposed diff you approve, or written guidance. A backup is made before any write, and the fix is auto-verified. | |
verify <n> | v | Re-run the check for a finding to confirm it’s resolved, without changing any files. |
done <n> | resolve | Manually mark a finding as fixed (the score updates live). |
ignore <n> | Mark a finding as ignored so it no longer counts against the score. |
Output & guidance
| Command | Aliases | What it does |
|---|---|---|
export [md|html|all] | Save the report — Markdown, the HTML dashboard, or both (default: all). | |
open | Write the HTML dashboard and open it in your browser. | |
deploy [platform] | With no platform, recommend a host for this project (stack, size, frontend/backend split, free tiers). With one, print a step-by-step guide: aws, do, vercel, netlify, cloudflare, render, railway, or fly. |
Session
| Command | Aliases | What it does |
|---|---|---|
menu | m | Open the guided menu — handy if you’re not sure what to do next. |
config | Show the active configuration (keys masked). | |
clear | cls | Clear the terminal screen. |
help | ? | List every interactive command. |
exit | quit, q | Leave the session. |
deployready › scan # run the full pipeline
deployready › issues crit # list only critical findings
deployready › show 1 # inspect the first finding
deployready › fix 1 # fix it (auto-fix or AI diff you approve)
deployready › verify 1 # confirm it’s resolved
deployready › export all # save Markdown + HTML report
deployready › exitManaging AI providers & config
DeployReady stores its settings in ~/.deployready/config.json, written with owner-only permissions (0600). AI is optional — the static and dynamic checks run fully without it. For an overview of providers and the privacy model, see Configure AI.
Switch provider, change your key, or change the model
There are four ways to change which model DeployReady uses:
- Re-run the wizard:
deployready initwalks you through picking a provider and entering a new key. - From inside a session: open the
menuand choose 2 — Set up or change the AI model. You can switch provider, paste a new key, or select an Ollama model without leaving the prompt. - Environment variable: set
ANTHROPIC_API_KEYorOPENAI_API_KEY. Env vars always take precedence over the config file and are never written to disk. - Edit the file: change values directly in
~/.deployready/config.json.
# Re-run setup to switch provider, model, or key
npx deployready@latest init
# Or provide a key via environment variable (overrides config, never stored)
export ANTHROPIC_API_KEY=sk-ant-... # macOS / Linux
$env:ANTHROPIC_API_KEY = "sk-ant-..." # Windows PowerShell
# Confirm what's active (keys are masked)
npx deployready@latest configKeys stay local
0600), and keys supplied via environment variables are never written to disk. Only redacted, structured findings are ever sent to a model — never your raw source code.Configuration fields
| Field | Default | Description |
|---|---|---|
model | claude | Which provider to use: claude, openai, or ollama. |
claudeApiKey | null | Anthropic API key. Prefer the ANTHROPIC_API_KEY env var. |
openaiApiKey | null | OpenAI API key. Prefer the OPENAI_API_KEY env var. |
ollamaPort | 11434 | Port where your local Ollama server is listening. |
ollamaModel | llama3 | Name of the local Ollama model to use. |
warnBeforeExternalSend | true | Ask for confirmation before sending findings to an external (cloud) model. |
defaultPorts | [3000, 5000, 8000, 8080, 4000] | Ports scanned to discover your running app for dynamic testing. |
Default models
claude-sonnet-4-6 and OpenAI uses gpt-4o-mini by default. Ollama runs whatever local model you select in ollamaModel, fully offline.