GCA · GETTING STARTED

    Quickstart

    Zero to first scan in four commands: init → scan → findings → report.

    Quickstart

    From zero to your first scan in four commands: initscanfindingsreport.

    This walkthrough assumes you've already installed Gadriel and authenticated. We'll scaffold a repository, run a scan, read the results, and generate a report bundle.


    1. Initialize the repo

    Run init from the root of the project you want to protect:

    gadriel code init

    This is the consolidated scaffold. It creates and wires up:

    • .security/ — where scan findings, SBOMs, and reports are written.
    • git hooks — the pre-commit gate that scans staged files before every commit.
    • MCP server config — so your AI assistant can read findings and drive fixes (see AI Coding Integration).
    • CLAUDE.md — guidance the assistant reads (part of the .claude/ scaffold).
    • .gitignore — entries so scan artifacts aren't accidentally committed.

    By default, init also syncs the OSV vulnerability database for the ecosystems it detects, so your first scan runs with CVE detection already on.

    Useful init flags

    FlagEffect
    --skip-claudeSkip the .claude/ scaffold (for non-Claude users).
    --forceOverwrite all Gadriel-owned files (prompts to confirm; add --yes to skip prompts).
    --upgradeMerge new settings into existing files, preserving your customizations.
    --add-missingAdd only missing files/keys; never modify anything that exists.
    --skip-hooksDon't install git hooks (CI-only setups).
    --skip-osv / --offlineSkip the OSV sync (air-gapped / CI that syncs separately).
    --platform <name>Scaffold for other assistants: cursor, windsurf, copilot, codex, jetbrains, claude-desktop.

    2. Run a scan

    gadriel code scan .

    Gadriel loads its rule corpus, auto-detects which of the 6 scan types apply, and writes results to .security/findings.json. A run looks like this:

      → loading rules from ~/.gadriel/cache/policies/... (source=vendored)
        loaded 2858 rule(s)
      → scanning .
        graph: 4 node(s) (0 dep node(s), 0 import edge(s) from lockfiles)
        SAST: workspace-aware (cross-file Python + JS/TS + Rust + Go taint enabled)
      ⚠ OSV data not available — CVE detection is DEGRADED (not GREEN).
      → Intercepted before commit: 100.0%
      ✓ SBOM emitted
          SPDX 2.3:        ./.security/sbom.spdx.json
          CycloneDX 1.5:   ./.security/sbom.cyclonedx.json
    
      ✓ scan complete — 1 finding(s)
        security risk (1): 0 critical, 0 high, 0 medium, 1 low, 0 info
        ⚠ 1 unverified high/critical-severity finding(s) at low confidence — review, not panic
        verdict:  PARTIAL · coverage DEGRADED (overall 8.95/10.0)
        scan types: secrets: 1
        written:  ./.security/findings.json
    

    Reading the verdict line

    verdict:  PARTIAL · coverage DEGRADED (overall 8.95/10.0)
    
    • verdict — the overall outcome from the 8-pillar score:
      • PASS — no policy violations; safe to commit.
      • PARTIAL — some controls not fully satisfied; review before committing.
      • FAIL — a blocking violation.
    • coverage — how complete the scan data was:
      • GREEN — every applicable scan type ran with full data.
      • DEGRADED — one or more scan types ran with reduced data (e.g. the OSV CVE database hasn't been synced, so CVE-dependent rules were skipped).
    • overall X/10.0 — the weighted pillar score (see Scoring & Verdicts).

    Common scan flags: --staged (scan only files staged for commit — the heart of the pre-commit gate), --fail-on <severity> (non-zero exit when a finding meets the threshold; hooks default to --fail-on critical), --layer l4 (attribute the scan to CI/CD and enable the git-history secret sweep), --offline (skip the OSV sync), and --format json. See the CLI Reference.


    3. Read the findings

    gadriel code findings
      findings: ./.security/findings.json
        • 1 total
      by risk: (severity × confidence)
        • low: 1
        ⚠ 1 unverified (high/critical severity but low confidence — review, not panic)
    
    ┌────────────────────┬───────────────────────┬──────────┬──────┬─────────┬────────┬──────┬────────────┐
    │ ID                 ┆ Risk                  ┆ Severity ┆ Tier ┆ Type    ┆ File   ┆ Line ┆ Excerpt    │
    ╞════════════════════╪═══════════════════════╪══════════╪══════╪═════════╪════════╪══════╪════════════╡
    │ CODE-W3-SECRET-056 ┆ low (1.9) ⚠UNVERIFIED ┆ high     ┆ LOW  ┆ secrets ┆ app.py ┆ 4    ┆ [REDACTED] │
    └────────────────────┴───────────────────────┴──────────┴──────┴─────────┴────────┴──────┴────────────┘
    

    Note the Risk column combines severity × confidence — a high-severity but low-confidence match is flagged ⚠UNVERIFIED ("review, not panic") rather than blocking you. This is central to Gadriel's false-positive prevention. Secret excerpts are always [REDACTED].

    For machine-readable output (the raw OCSF envelope), add --format json:

    gadriel code findings --format json

    The findings.json file itself carries the verdict, per-pillar scores, and each finding:

    {
    "schema_version": "1.1.0",
    "scan_types_run": ["sast", "secrets", "api", "container", "sca", "config"],
    "verdict": "PARTIAL",
    "overall_score": 8.95,
    "pillar_scores": {
    "security": 3.33, "compliance": 10.0, "safety": 10.0,
    "operational": 6.5, "finops": 10.0, "coherence": 10.0,
    "teamwork": 10.0, "bias": 10.0
    },
    "severity_counts": { "critical": 0, "high": 1, "medium": 0, "low": 1, "info": 0 },
    "findings": [ /* ... */ ]
    }

    Triage a finding

    Confirm a real issue, dismiss a false positive, or hand it to your AI agent:

    gadriel code fix CODE-W3-SECRET-056 --false-positive

    See False Positives for the full triage workflow.


    4. Generate a report

    Produce the browsable HTML report bundle plus the JSON payload:

    gadriel code report

    This writes a static HTML bundle to .security/reports/index.html (and report.json) plus, by default, an executive summary PDF. For auditor-ready compliance reports, target a framework:

    gadriel code report --compliance soc2 --format pdf
    gadriel code report --all-frameworks

    Frameworks include eu-ai-act, nist-ai-rmf, soc2, hipaa, pci-dss, and owasp-llm-top10. See Reports and Compliance.


    What's next