Running Scans Locally Using CLI

Section: Code AnalysisOrder: 320

Use the Noxtara CLI directly on your machine to scan code and mobile applications without setting up GitHub Actions.

Installation

Install the CLI globally using npm:

bash

npm install -g @noxtara/cli

Verify the installation:

bash

noxtara --version

Authentication

The CLI requires an API key to authenticate with Noxtara. You can provide this via:

Environment variable (recommended for local use):
bash
```
export NOXTARA_API_KEY="your-api-key-here"
```
Configuration file (recommended for projects): Create a noxtara.yaml file in your project root:
yaml
```
apiKey: "your-api-key-here"
baseUrl: "https://app.noxtara.com/api/main/client"
```

Running SCA/SAST Scans

Scan Current Directory

With a noxtara.yaml file:

yaml

scan:
  code:
    from: .

Run:

bash

noxtara scan

Scan Specific Directory

Without a config file, use command-line options:

bash

noxtara scan sca-sast --from ./src

Scan an Existing Archive

If you already have a zip or tar.gz file:

bash

noxtara scan sca-sast ./path/to/archive.zip

Update an Existing Entry

To update a previous scan instead of creating a new one:

bash

noxtara scan sca-sast --from . --entry-id existing-entry-id

Running Mobile Scans

Scan mobile application files (APK) for security vulnerabilities.

Basic Mobile Scan

With a noxtara.yaml file:

yaml

scan:
  mobile:
    file: ./app-release.apk

Run:

bash

noxtara scan

Command-Line Mobile Scan

bash

noxtara scan mobile --file ./app-release.apk

Update Existing Mobile Entry

bash

noxtara scan mobile --file ./app-release.apk --entry-id mobile-entry-123

Command-Line Options

Code Analysis Options

Option	Alias	Description	Example
`--from`	—	Directory to scan	`--from ./src`
`--name`	—	Custom name for the scan entry	`--name "Feature Branch Scan"`
`--entry-id`	`-e`	Update existing scan entry	`--entry-id abc123`
`--include`	—	Include only matching files (repeatable)	`--include "src/" --include "lib/"`
`--ignore`	`-i`	Exclude matching files (repeatable)	`--ignore ".test.ts" --ignore "docs/*"`
`--format`	—	Archive format: `zip` or `tar-gzip`	`--format tar-gzip`

Mobile Scanning Options

Option	Description	Example
`--file`	Path to APK file	`--file ./app.apk`
`--name`	Custom name for scan entry	`--name "Android Release"`
`--entry-id`	Update existing scan entry	`--entry-id mobile-123`

Advanced Examples

Scan with Include Patterns

Scan only specific directories:

bash

noxtara scan sca-sast --from . --include "src/**" --include "packages/**"

Scan with Multiple Ignore Patterns

Exclude common non-source directories:

bash

noxtara scan sca-sast --from . \
  --ignore "node_modules/**" \
  --ignore ".git/**" \
  --ignore "dist/**" \
  --ignore "*.min.js" \
  --ignore "coverage/**"

Create Named Scan Entry

Give your scan a descriptive name:

bash

noxtara scan sca-sast --from . --name "Release v2.5.0 Security Audit"

Use tar.gz Instead of zip

For better compression with large repositories:

bash

noxtara scan sca-sast --from . --format tar-gzip

Environment Variables Reference

Variable	Description	Example
`NOXTARA_API_KEY`	Your Noxtara API key	`nt_live_abc123...`
`NOXTARA_BASE_URL`	API base URL	`https://app.noxtara.com/api/main/client`
`NOXTARA_AUTO_PR`	Enable auto-PR (has no effect locally)	`true` or `false`

Output and Results

After running a scan:

The CLI outputs the scan entry ID
Results are available in the Noxtara dashboard
You can reference the entry ID in future scans with --entry-id

Example output:

Scan entry: my-project-2026-03-02T12-00-00
{
  data: {
    id: "vdyajvbNGRA9QuHmRCXtvt",
    status: "pending",
    name: "my-project-2026-03-02T12-00-00"
  }
}

Troubleshooting

Issue	Solution
`NOXTARA_API_KEY is required`	Set the API key via environment variable or `noxtara.yaml`
`No files found in git repository`	Run from a directory initialized with git, or specify a zip file
`No files to archive after applying ignore patterns`	Check that your include/ignore patterns are not too restrictive
`Cannot use both zip file and --from`	Provide either a zip file path OR use `--from`, not both

CI/CD Integration (Non-GitHub)

For GitLab, Bitbucket, or other CI systems, use the CLI directly:

yaml

# .gitlab-ci.yml example
security-scan:
  image: node:24
  script:
    - npm install -g @noxtara/cli
    - noxtara scan sca-sast --from . --entry-id $NOXTARA_ENTRY_ID
  variables:
    NOXTARA_API_KEY: $NOXTARA_API_KEY

Next Steps

View detailed scan results in the Noxtara dashboard
Configure ignore patterns to reduce noise from dependencies
Set up scheduled scans in your CI pipeline

Running Scans Locally Using CLI ​

Installation ​

Authentication ​

Running SCA/SAST Scans ​

Scan Current Directory ​

Scan Specific Directory ​

Scan an Existing Archive ​

Update an Existing Entry ​

Running Mobile Scans ​

Basic Mobile Scan ​

Command-Line Mobile Scan ​

Update Existing Mobile Entry ​

Command-Line Options ​

Code Analysis Options ​

Mobile Scanning Options ​

Advanced Examples ​

Scan with Include Patterns ​

Scan with Multiple Ignore Patterns ​

Create Named Scan Entry ​

Use tar.gz Instead of zip ​

Environment Variables Reference ​

Output and Results ​

Troubleshooting ​

CI/CD Integration (Non-GitHub) ​

Next Steps ​

Running Scans Locally Using CLI

Installation

Authentication

Running SCA/SAST Scans

Scan Current Directory

Scan Specific Directory

Scan an Existing Archive

Update an Existing Entry

Running Mobile Scans

Basic Mobile Scan

Command-Line Mobile Scan

Update Existing Mobile Entry

Command-Line Options

Code Analysis Options

Mobile Scanning Options

Advanced Examples

Scan with Include Patterns

Scan with Multiple Ignore Patterns

Create Named Scan Entry

Use tar.gz Instead of zip

Environment Variables Reference

Output and Results

Troubleshooting

CI/CD Integration (Non-GitHub)

Next Steps