Usage and Output Formats

June 7, 2026 · View on GitHub

This document describes how to configure procscope and the various output formats it provides.

Configuration & Flags

FlagShortDescriptionDefault
--pid-pAttach to existing PID
--name-nAttach by process name
--out-oEvidence bundle directory
--jsonlJSONL output file
--summaryMarkdown summary file
--no-colorDisable ANSI colorsfalse
--quiet-qSuppress live timelinefalse
--max-argsMax argv elements64
--max-pathMax path string length4096
--skip-checksSkip privilege checksfalse

Output Formats

Live Timeline

Compact, color-coded terminal output during investigation:

TIME         PID   COMM            EVENT              DETAILS
[+    0ms]   1234  suspicious      process.exec       /tmp/suspicious-binary
[+   12ms]   1234  suspicious      file.open          /etc/passwd [read]
[+   15ms]   1234  suspicious      net.connect        ipv4 → 93.184.216.34:443
[+   18ms] ! 1234  suspicious      priv.setuid        uid 1000 → 0
[+   20ms]   1235  sh              process.exec       /bin/sh
[+   25ms]   1235  sh              process.exit        exit_code=0
[+   30ms]   1234  suspicious      process.exit        exit_code=0

JSONL Event Stream

Machine-readable, one event per line:

procscope --jsonl events.jsonl -- ./command

Evidence Bundle

Structured directory for incident response:

case-001/
├── metadata.json       # Investigation metadata
├── events.jsonl        # Complete event stream
├── process-tree.txt    # Human-readable process tree
├── files.json          # File activity summary
├── network.json        # Network activity summary
├── notable.json        # Security-relevant events
└── summary.md          # Markdown executive summary

Markdown Summary

Team-ready report with overview, process tree, event breakdown, file/network activity tables, notable events, and honest limitations.