Product
Introducing Webhook Events for Alert Changes
Add real-time Socket webhook events to your workflows to automatically receive software supply chain alert changes in real time.
By Phil Gates-Idem -  Nov 21, 2025
🚀 DAY 5 OF LAUNCH WEEK:Introducing Webhook Events for Alert Changes.Learn more →
@eurekadevsecops/radar
Advanced tools
Radar CLI
One command. Complete AppSec coverage.
Overview
Radar CLI is a command-line tool that orchestrates multiple application security scanners — for code, dependencies, containers, and secrets — in one unified package. We've put a lot of effort into making Radar CLI easy to use for developers and easy to integrate into CI/CD pipelines. Check out our accompanying GitHub Action for Radar CLI.
With Radar CLI, you can:
- Run SAST, SCA, container, and secret scanning locally or in CI/CD pipelines.
- Generate unified SARIF reports compatible with industry-standard security and vulnerability analysis tools.
- Optionally upload results to Eureka ASPM for centralized tracking, deduplication, and prioritization.
Telemetry is off by default — nothing is uploaded unless you explicitly enable it.
Requirements
- Node.js 22.17.0 or higher
- Docker (for containerized scanners)
Installation
Install globally using npm:
npm i -g @eurekadevsecops/radar
Verify the installation:
radar --version
Getting Started
Run the CLI to view available commands:
radar
Example output:
COMMANDS
help display help
scan scan for vulnerabilities
scanners display available scanners
You can view help for any command:
radar help scan
Running a Scan
To scan the current working directory:
radar scan
You can also specify scanners to use:
radar scan -s opengrep,gitleaks,grype
Output a SARIF report:
radar scan -s opengrep,gitleaks,grype -o report.sarif
Supported Scanners
All scanners in Radar are fully containerized for consistency and isolation. When you run a scan, Radar CLI automatically launches the corresponding scanner inside a Docker container. This ensures clean, reproducible results without needing to install each scanner locally. A working Docker Engine is required to run Radar scanners, and the container images for all supported scanners are publicly available on the GitHub Container Registry.
| By Scanner | Categories | Description |
|---|---|---|
| Dep-Scan | SCA | OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization. |
| Gitleaks | Secrets | Gitleaks is a tool for detecting secrets like passwords, API keys, and tokens. |
| Grype | SCA, Container | Scans the contents of a container image or filesystem to find known vulnerabilities. Find vulnerabilities for language-specific packages and major operating system packages. Supports Docker, OCI and Singularity image formats. |
| Opengrep | SAST | Opengrep is an ultra-fast static code analysis engine to find security issues in code. Opengrep supports 30+ languages. |
| Veracode SCA | SCA | Effectively identify open-source risks with unmatched precision, ensuring secure and compliant code. Leverages a proprietary database to accurately and promptly detect new vulnerabilities. |
Scanners grouped by category:
| By Category | Description | Scanners |
|---|---|---|
| SAST | Detects insecure code patterns | Opengrep |
| Secrets | Finds hardcoded credentials | Gitleaks |
| SCA | Detects vulnerable package dependencies | Veracode SCA, Grype, Dep-Scan |
| Container | Scans Docker, OCI, and Singularity image formats | Grype |
Veracode SCA (formerly SourceClear) scanner requires the SRCCLR_API_TOKEN environment variable. If not present or valid, scanning with Veracode SCA will not work. Read more about it in Veracode SCA online documentation.
More on the radar scan command
USAGE
radar scan [OPTIONS] [TARGET]
Scans your source code and dependencies for vulnerabilities. If no target is specified, the current working directory is scanned.
OPTIONS
| Option | Description |
|---|---|
-c, --categories | List of scanner categories (e.g. sast, sca, secrets). |
-s, --scanners | Comma-separated list of scanners to run. Use radar scanners to list available ones. |
-o, --output | Output findings into a SARIF file. |
-d, --debug | Log detailed debug info to stdout. |
-q, --quiet | Suppress stdout logging (except errors). |
-f, --format | Output format for severity display: security (high/moderate/low) or sarif (error/warning/note). |
-e, --escalate | Treat specified lower severities as high (e.g. --escalate=moderate,low). |
-l, --local | Run a local scan (don't upload scan findings to Eureka). |
PARAMETERS
| Parameter | Description |
|---|---|
TARGET | (Optional) Path to scan. Defaults to current directory. |
Category and Scanner Selection
--categorieslets you run all scanners in one or more categories. Example:--categories=sca,sast--scannerslets you choose specific scanners by name. Example:--scanners=opengrep,depscan- Both can be combined — Radar CLI will run scanners that match both filters.
Severity Formats
| Format | Example Severities |
|---|---|
security | high / moderate / low |
sarif | error / warning / note |
You can also escalate severities:
# Treat moderates and lows as highs
radar scan -e moderate,low
Or:
# Treat warnings and notes as errors
radar scan -f sarif -e warning,note
Exit Codes
An exit code of 0 means the scan passed with no issues. Any other code means the scan failed — either due to new vulnerabilities found or an error during the scanning process.
| Code | Meaning |
|---|---|
0 | Clean and successful scan. |
1 | Invalid command, arguments, or options. |
8–15 | New vulnerabilities found. |
>=16 | Aborted due to unexpected error. |
Examples
Scan current directory:
radar scan
Scan a specific path:
radar scan /my/repo/dir
Save findings into a SARIF file:
radar scan -o report.sarif
Run only dependency and code scanners:
radar scan -c sca,sast
Run specific scanners:
radar scan -s depscan,opengrep
Enable debug logs:
radar scan --debug
Quiet mode (errors only):
radar scan --quiet
Display findings in SARIF-style severities:
radar scan -f sarif
Treat moderates and lows as highs:
radar scan -e moderate,low
Example Workflows
Local Scan (no uploads)
Runs entirely on your machine — by default, Radar CLI doesn’t upload any findings. Your vulnerabilities stay local and private.
radar scan -s opengrep,gitleaks,grype -o report.sarif
Upload Findings to Eureka ASPM
See all findings in one place with deduplication, trend tracking, and risk prioritization. To upload results to Eureka ASPM, provide your API credentials via two environment variables: EUREKA_AGENT_TOKEN (your API token) and EUREKA_PROFILE (your profile ID). When these are set, Radar CLI automatically uploads results after each scan — letting you view your full scan history and all findings in the Eureka ASPM Dashboard.
export EUREKA_AGENT_TOKEN=<your token>
export EUREKA_PROFILE=<your profile ID>
radar scan -s opengrep,gitleaks,grype
NOTE: To prevent Radar CLI from uploading scan findings even when you have EUREKA_AGENT_TOKEN and EUREKA_PROFILE set, you can pass the -l/--local option on the command line.
Why Upload Findings to Eureka ASPM?
Eureka ASPM extends Radar CLI with powerful visibility and collaboration features:
- Single Source of Truth: Aggregate findings from all scanners and repos in one place.
- Less Noise, More Signal: Automatically de-duplicate findings and prioritize risks contextually.
- Faster Fixes: See ownership, severity, and remediation guidance for each issue.
- Track Progress: View how your project’s security posture improves over time.
- Free for Open Source: Open source projects get full access at no cost.
Sign up for a free account at eurekadevsecops.com
Telemetry & Privacy
Telemetry is off by default. Radar does not send any data externally unless you explicitly provide:
EUREKA_AGENT_TOKENEUREKA_PROFILE
When provided:
- Findings are securely uploaded to Eureka ASPM
- You gain dashboards, trend analysis, and contextual prioritization
When omitted:
- Scans remain fully local
🧰 Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
❌ report.sarif not found | Scan failed or invalid scanner list | Check scanner names and ensure Docker is running |
| ⚠️ No findings uploaded | Missing or invalid token/profile | Set EUREKA_AGENT_TOKEN and EUREKA_PROFILE |
🧱 radar: command not found | CLI not installed globally | Run npm i -g @eurekadevsecops/radar again |
Contributing
Contributions are welcome! See our CONTRIBUTING.md for setup and development guidelines.
License
Radar CLI is licensed under the terms of the GPL v3 License — © Eureka DevSecOps Inc.
Support
- Issues & feature requests: GitHub Issues
- Security: security@eurekadevsecops.com
FAQs
Radar is an open-source orchestrator of security scanners.
We found that @eurekadevsecops/radar demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 01 Nov 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
ENISA Becomes a CVE Root, Expanding Its Role in Europe’s Vulnerability Ecosystem
ENISA has become a CVE Program Root, giving the EU a central authority for coordinating vulnerability reporting, disclosure, and cross-border response.
By Sarah Gooding -  Nov 21, 2025
Product
Introducing Socket Scanning for OpenVSX Extensions
Socket now scans OpenVSX extensions, giving teams early detection of risky behaviors, hidden capabilities, and supply chain threats in developer tools.
By Mix Irving, Ryan Eberhardt -  Nov 20, 2025