CLI reference

June 25, 2026 · View on GitHub

keyhog scan [PATH]

The main subcommand. Scans PATH (default: current directory) and emits findings. Exit code: 0 clean, 1 findings present, 2 user error, 3 system error, 10 live credential, 11 scanner panic, 12 required GPU unavailable, 13 requested source failed or coverage incomplete.

Input selection

FlagEffect
<PATH>Positional path. File or directory.
--stdinRead from stdin instead. Default 10 MiB cap; tune with --limit-stdin-bytes.
--exclude-paths <GLOB>...Skip files matching glob. Space-separated list, repeatable.
--git-stagedScan git-staged files only (pre-commit mode).
--git-history <PATH>Walk commits added-line patches (default: HEAD only).
--git-diff <BASE_REF>Scan only added lines since BASE_REF.
--docker-image <IMAGE>Scan a saved Docker image archive.
--github-org <ORG>Clone and scan every repository in a GitHub organization. Requires --github-token.
--gitlab-group <GROUP>Clone and scan every project in a GitLab group, including subgroups. Requires --gitlab-token; use --gitlab-endpoint for self-managed GitLab.
--bitbucket-workspace <WORKSPACE>Clone and scan every repository in a Bitbucket Cloud workspace. Requires --bitbucket-username and --bitbucket-token app password.
--s3-bucket <BUCKET>Scan an S3 bucket. Use --s3-prefix to narrow.
--gcs-bucket <BUCKET>Scan a Google Cloud Storage bucket. Use --gcs-prefix to narrow.
--azure-container-url <URL>Scan an Azure Blob container URL. Include a SAS query string for private containers; use --azure-prefix to narrow.
--url <URL>...Fetch + scan one or more HTTPS URLs (JS/source-map/WASM/text).

Output

FlagEffect
--format <text|json|jsonl|sarif|csv|github-annotations|gitlab-sast|html|junit>Output format. Default text. The machine formats (json/jsonl/sarif/csv/github-annotations/gitlab-sast/junit) are findings-only: the banner/summary go to stderr (or are omitted), so stdout stays a clean parseable artifact.
--output <FILE>Write the report to FILE instead of stdout.
--streamStream a one-line redacted preview per finding to stderr as they're found; the full formatted report still lands on stdout/--output after verification.
--show-secretsShow full credentials. Default redacts.
--min-confidence <FLOAT>Only emit findings >= confidence. 0.0..=1.0.
--dogfoodSurface suppression telemetry in output.

Verification

FlagEffect
--verifyCall each detector's verify endpoint.
--proxy <URL>Route verifier traffic through a proxy (http://burp:8080, socks5://...). off disables all proxying.
--insecureSkip TLS cert verification on verifier traffic (don't use outside a lab).

Performance

FlagEffect
--fastSkip entropy + ML scorer. ~50% faster, ~20% fewer detectors.
--daemonForce daemon route for eligible stdin/single-file scans. Unix only; fails if the request needs the in-process pipeline.
--no-daemonForce in-process scan even if daemon is up.
--timeout <SECONDS>Hard per-scan deadline.
--profileEmit the scanner-owned hierarchical profile report to stderr at scan end.
--perf-traceEmit low-level scan/GPU phase timing traces to stderr.

Source Limits

Every limit below also has a [limits] key in .keyhog.toml with the same name minus the limit- prefix and with dashes changed to underscores.

FlagEffect
--limit-stdin-bytes <SIZE>Maximum bytes read from --stdin.
--limit-web-response-bytes <SIZE>Maximum bytes fetched for one --url response.
--limit-s3-object-bytes <SIZE> / --limit-gcs-object-bytes <SIZE> / --limit-azure-blob-bytes <SIZE>Maximum bytes downloaded for one cloud object/blob.
--limit-docker-tar-entry-bytes <SIZE> / --limit-docker-image-config-bytes <SIZE> / --limit-docker-tar-total-bytes <SIZE>Docker/OCI archive and manifest/config ceilings.
--limit-git-line-bytes <SIZE> / --limit-git-total-bytes <SIZE> / --limit-git-blob-bytes <SIZE> / --limit-git-chunks <N>Git stdout-line, aggregate, per-blob, and chunk-count ceilings.
--limit-binary-read-bytes <SIZE> / --limit-binary-decompiled-bytes <SIZE>Binary strings and Ghidra output ceilings.

Detector tuning

FlagEffect
--detectors <DIR>Use the detector TOMLs in DIR instead of the embedded corpus. To run a curated subset, copy the detector TOMLs you want into a directory and point --detectors at it (there is no per-ID enable/disable flag).
--no-suppress-test-fixturesShow findings on bundled example credentials.
--baseline <FILE>Compare against a prior scan; show only new.
--hide-client-safeDrop every CLIENT-SAFE finding (Sentry DSN, Stripe pk_*, Mapbox pk., PostHog phc_, etc.) before reporting. Use this for bug-bounty / exfiltration-impact workflows where keys public by design are noise.

Scan controls

ControlEffect
keyhog scan --backend auto|gpu|gpu-region-presence|mega-scan|megascan|gpu-mega-scan|simd|simd-regex|cpu|cpu-fallbackForce a scan backend instead of using automatic backend selection.
keyhog scan --no-gpuShort-circuit GPU init at hardware-probe time. The scanner runs as if no GPU adapter existed.
keyhog scan --require-gpuFail closed with exit 12 when no usable GPU stack is available.
keyhog scan --autoroute-calibrateInstaller/maintenance mode: benchmark parity-checked autoroute candidates and persist fastest-correct decisions. Normal scans do not use this mode.
keyhog scan --autoroute-gpuAllow calibration mode to include GPU candidates for eligible workload buckets. Normal scans still require persisted fastest-correct evidence.
keyhog scan --no-autoroute-gpuOverride TOML autoroute_gpu = true for a single run.
keyhog scan --per-chunk-timeout-ms <MS>Attach an Instant deadline to every chunk scan. Default unset = no operator deadline; [scan].per_chunk_timeout_ms provides the persistent default.
keyhog scan --threads <N>Pin the rayon worker count for this run. .keyhog.toml [scan].threads provides the persistent default.
keyhog scan --reader-threads <N>Pin dedicated filesystem reader threads. .keyhog.toml [scan].reader_threads provides the persistent default.
keyhog scan --fused-batch <N>Pin fused filesystem pipeline batch size. .keyhog.toml [scan].fused_batch provides the persistent default.
keyhog scan --fused-depth <N>Pin fused filesystem pipeline channel depth. .keyhog.toml [scan].fused_depth provides the persistent default.

Hyperscan database cache location is explicit scan configuration: use keyhog scan --cache-dir <DIR> or .keyhog.toml [system].cache_dir. Autoroute calibration evidence is also explicit scan configuration: use keyhog scan --autoroute-cache <PATH|off> or .keyhog.toml [system].autoroute_cache. GPU MoE readback timeout is explicit scanner tuning: .keyhog.toml [tuning].gpu_moe_timeout_ms. GPU region-presence parity/debug recall-floor runs use .keyhog.toml [tuning].gpu_recall_floor = true.

keyhog config --effective [SCAN FLAGS]

Prints the resolved scan configuration and exits without scanning. This is the operator-visible way to prove what the scanner would run after compiled defaults, .keyhog.toml, and CLI overrides are merged.

config --effective accepts the same config-affecting flags as scan, including --config, --fast, --deep, --precision, source limits, detector paths, confidence floors, and the positional path shorthand.

keyhog config --effective
keyhog config --effective --config .keyhog.toml --precision .
keyhog config --effective --limit-stdin-bytes 32MB --no-ml

keyhog detectors

Lists every detector in the embedded corpus.

keyhog detectors                  # human-readable, grouped by service
keyhog detectors --json           # one JSON object per detector
keyhog detectors --json | jq length
902

keyhog explain <DETECTOR_ID>

Pretty-print a single detector's TOML. Includes keywords, patterns, companion rules, and verification endpoint.

keyhog explain stripe-secret-key

keyhog watch [PATH]

Daemon-mode subcommand that watches a directory for file changes and re-scans on each one. Useful for IDE-side feedback. Unix only.

keyhog watch src/                 # watch the source tree
keyhog watch                      # watch the current directory

keyhog hook <install|uninstall>

Manages the git pre-commit hook. See Pre-commit hook for usage.

keyhog daemon <start|stop|status> (Unix only)

The daemon holds the compiled scanner in memory so IDE-save handlers and stdin/single-file hook invocations skip the ~3 s cold start.

The daemon route is scanner-only for eligible stdin or single regular file scans. Results are pre-baseline, pre-Merkle-skip-cache, and pre-verification. Directory, git, remote, baseline, --verify, backend/GPU/autoroute, and policy-changing scans run through the in-process pipeline; --daemon=on exits with an error when that exact daemon route cannot be honored.

SubcommandEffect
daemon startBind the Unix socket, accept connections.
daemon stopTell the running daemon to shut down.
daemon statusPrint uptime, scans served, active scans, and scan scope.

daemon start --request-timeout-secs <N> sets how long one client connection may sit without completing a request frame before the daemon closes it and reclaims the connection slot. Default: 300.

Default socket path: $XDG_RUNTIME_DIR/keyhog.sock, or ~/.cache/keyhog/server.sock if XDG_RUNTIME_DIR is unset.

On Windows: every daemon subcommand prints "daemon mode is unix-only" and exits non-zero. No Windows daemon transport ships; use keyhog scan <path> for in-process scans on Windows.

keyhog diff <FILE_A> <FILE_B>

Compare two scan outputs (JSON or NDJSON). Useful for "did this PR introduce a new finding?" gating in CI.

keyhog scan . --format json > baseline.json
git checkout pr-branch
keyhog scan . --format json > pr.json
keyhog diff baseline.json pr.json

keyhog calibrate

Show or update the per-detector Bayesian (Beta-α/β) calibration counters. Used to teach the scorer that detector X has produced N true positives and M false positives in your environment. Scans use the counters only when --calibration-cache <PATH> or [system].calibration_cache explicitly points at the file.

keyhog calibrate --show                       # print current counters
keyhog calibrate --tp stripe-secret-key       # record one TP
keyhog calibrate --fp generic-api-key         # record one FP

Pass --cache <PATH> to point at a non-default counter file (the default lives under the platform cache directory, normally $XDG_CACHE_HOME/keyhog/calibration.json). Existing corrupted or schema-incompatible cache files fail closed and are not overwritten.

keyhog backend

Prints hardware probe results: which SIMD ISA was detected, whether Hyperscan / CUDA / wgpu backends initialized, the per-tier GPU thresholds in effect.

keyhog backend

keyhog scan-system

Recursive system-wide credential audit. Walks every mounted drive (skipping pseudo-filesystems and, by default, network mounts), discovers every .git repository on the way, and runs the same scan + git-history pipeline that keyhog scan --git-history uses on each. Honors a hard --space <N> ceiling on total bytes scanned so it cannot accidentally exhaust a CI runner. Does NOT honor .gitignore unless --respect-gitignore is passed (an attacker stashing leaked keys would .gitignore them).

keyhog scan-system                                  # local mounts, git history on
keyhog scan-system --include-network                # also walk NFS/SMB/sshfs
keyhog scan-system --space 50G --no-git-history     # cap + skip history walks
keyhog scan-system --lockdown                       # forbids --include-network

keyhog completion <bash|zsh|fish|powershell>

Emits a shell-completion script. Pipe into the shell's completion location.

keyhog completion bash > /etc/bash_completion.d/keyhog
keyhog completion zsh > "${fpath[1]}/_keyhog"
keyhog completion fish > ~/.config/fish/completions/keyhog.fish
keyhog completion powershell >> $PROFILE

Global flags

These work on any subcommand:

FlagEffect
--versionPrint version + build info, exit.
--fullWith --version, include the hardware probe.
--helpPrint help for the current subcommand.
--verboseMore log output to stderr.
--no-colorDisable ANSI colors. Auto-detects TTY otherwise.