This page covers scan-only CLI usage (no WebUI) plus common Docker workflows. All examples are single-shot runs that exit after the scan finishes.
From the repository root, use `./run-scanner.sh`. It sets `SCAN_TYPE`, `TARGET_TYPE`, `COLLECT_METADATA` and `SCAN_PROFILE` (quick / standard / deep) and the volume mounts for you:

```bash
chmod +x ./run-scanner.sh
./run-scanner.sh --help
./run-scanner.sh -p quick /path/to/project
./run-scanner.sh -p deep https://example.com
./run-scanner.sh network
./run-scanner.sh --type image nginx:alpine
./run-scanner.sh --git https://github.com/org/repo.git
./run-scanner.sh --orchestrator-help   # env vars inside the container
```

Results go to `./results/<scan_id>/` by default (override with `-o`).
Tip: When using Docker Compose, the OWASP Dependency-Check cache is mounted automatically.
In the full `docker-compose.yml`, the `scanner` service sets `command: ["sleep", "infinity"]` so a container can stay up for debugging. One-off scans must therefore pass the orchestrator explicitly as the command after the service name:

```bash
scanner python3 -m scanner.core.orchestrator
```
The orchestrator only starts a scan if SCAN_ID or SCAN_TARGET is set (see scanner/core/orchestrator.py).
Use this when you want to run one scan and exit. It uses the `scanner` service image with the command above.

The full-stack compose file mounts the repo at `/project`. Scan that path:

```bash
docker compose run --rm \
  -e SCAN_TYPE=code \
  -e TARGET_TYPE=local_mount \
  -e SCAN_TARGET=/project \
  -e TARGET_PATH_IN_CONTAINER=/project \
  -e COLLECT_METADATA=true \
  scanner python3 -m scanner.core.orchestrator
```

To scan any other local directory, mount it read-only and point `SCAN_TARGET` at the mount path:

```bash
docker compose run --rm \
  -v /path/to/project:/target:ro \
  -e SCAN_TYPE=code \
  -e TARGET_TYPE=local_mount \
  -e SCAN_TARGET=/target \
  -e COLLECT_METADATA=true \
  scanner python3 -m scanner.core.orchestrator
```

Clone and scan a remote repo (set `SCAN_TARGET` to the clone URL; optional `GIT_BRANCH`):

```bash
docker compose run --rm \
  -e SCAN_TYPE=code \
  -e TARGET_TYPE=git_repo \
  -e SCAN_TARGET=https://github.com/user/repo.git \
  -e GIT_BRANCH=main \
  -e COLLECT_METADATA=true \
  scanner python3 -m scanner.core.orchestrator
```

Scan a website:

```bash
docker compose run --rm \
  -e SCAN_TYPE=website \
  -e TARGET_TYPE=website \
  -e SCAN_TARGET=https://example.com \
  -e COLLECT_METADATA=true \
  scanner python3 -m scanner.core.orchestrator
```

Scan an image from a registry (needs the host Docker socket):

```bash
docker compose run --rm \
  -e SCAN_TYPE=image \
  -e TARGET_TYPE=container_registry \
  -e SCAN_TARGET=nginx:latest \
  -e COLLECT_METADATA=true \
  -v /var/run/docker.sock:/var/run/docker.sock \
  scanner python3 -m scanner.core.orchestrator
```

Scan an image that only exists in the local Docker daemon (same socket mount, local tag as `SCAN_TARGET`):

```bash
docker compose run --rm \
  -e SCAN_TYPE=image \
  -e TARGET_TYPE=container_registry \
  -e SCAN_TARGET=local-image:latest \
  -e COLLECT_METADATA=true \
  -v /var/run/docker.sock:/var/run/docker.sock \
  scanner python3 -m scanner.core.orchestrator
```

Network scan. `SCAN_ID` or `SCAN_TARGET` must be set so the orchestrator starts (here: explicit `SCAN_ID`):

```bash
docker compose run --rm \
  -e SCAN_ID=cli-network \
  -e SCAN_TYPE=network \
  -e TARGET_TYPE=network_host \
  -e COLLECT_METADATA=true \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  scanner python3 -m scanner.core.orchestrator
```

Start the WebUI (nginx) + worker (scanner discovery/asset updates run in the worker):

```bash
docker compose up --build
```

Open http://localhost:80 and start a scan from the UI (nginx → backend API).
Use the published image without Compose. Scan a local checkout: mount it read-only and set `SCAN_TARGET` to the mount path so the orchestrator starts.

```bash
docker run --rm \
  -v /path/to/project:/target:ro \
  -v $(pwd)/results:/app/results \
  -v $(pwd)/scanner/plugins/owasp/data:/app/scanner/plugins/owasp/data \
  -e SCAN_TYPE=code \
  -e TARGET_TYPE=local_mount \
  -e SCAN_TARGET=/target \
  -e COLLECT_METADATA=true \
  fr4iser/simpleseccheck:latest \
  python3 -m scanner.core.orchestrator
```

Same entrypoint as above; no source mount, `SCAN_TARGET` is the repo URL:

```bash
docker run --rm \
  -v $(pwd)/results:/app/results \
  -e SCAN_TYPE=code \
  -e TARGET_TYPE=git_repo \
  -e SCAN_TARGET=https://github.com/user/repo.git \
  -e GIT_BRANCH=main \
  -e COLLECT_METADATA=true \
  fr4iser/simpleseccheck:latest \
  python3 -m scanner.core.orchestrator
```

Replace `fr4iser/simpleseccheck:latest` with your local tag (e.g. `simpleseccheck-scanner:local`) when built from this repo.

Scan a website:

```bash
docker run --rm \
  -e SCAN_TYPE=website \
  -e TARGET_TYPE=website \
  -e SCAN_TARGET=https://example.com \
  -e COLLECT_METADATA=true \
  -v $(pwd)/results:/app/results \
  fr4iser/simpleseccheck:latest \
  python3 -m scanner.core.orchestrator
```

Scan an image (needs the host Docker socket):

```bash
docker run --rm \
  -e SCAN_TYPE=image \
  -e TARGET_TYPE=container_registry \
  -e SCAN_TARGET=nginx:latest \
  -e COLLECT_METADATA=true \
  -v $(pwd)/results:/app/results \
  -v /var/run/docker.sock:/var/run/docker.sock \
  fr4iser/simpleseccheck:latest \
  python3 -m scanner.core.orchestrator
```

Network scan (explicit `SCAN_ID`, since no `SCAN_TARGET` is given):

```bash
docker run --rm \
  -e SCAN_ID=cli-network \
  -e SCAN_TYPE=network \
  -e TARGET_TYPE=network_host \
  -e COLLECT_METADATA=true \
  -v $(pwd)/results:/app/results \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  fr4iser/simpleseccheck:latest \
  python3 -m scanner.core.orchestrator
```

Environment variables recognised by the orchestrator:

- `TARGET_TYPE`: `local_mount` (default), `git_repo`, `uploaded_code`, `website`, `container_registry`, `network_host`
- `SCAN_TARGET`: for `local_mount` the mounted path inside the container (`/target` in the examples above); for `git_repo` the HTTPS/SSH clone URL; for `website` / `container_registry` the URL or image ref as documented above
- `GIT_BRANCH`: branch to clone (optional, `git_repo` only)
- `SCAN_TYPE`: e.g. `code`, `website`, `image`; must match the scan mode (the orchestrator validates this)
- `COLLECT_METADATA`: `true`/`false`; required for standalone runs (see `scanner/core/orchestrator.py`)
- `SCAN_SCOPE`: `full` (default) or `tracked` (git-tracked files only)
- `SIMPLESECCHECK_EXCLUDE_PATHS`: comma-separated exclude list for code scans
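The `docker run` invocations above differ only in which env vars and mounts each target type needs, and the orchestrator rejects a run whose `SCAN_TYPE` does not match its mode or which sets neither `SCAN_ID` nor `SCAN_TARGET`. The wrapper below, an added example that is not part of SimpleSecCheck, applies those rules on the host before anything reaches the Docker daemon and prints the resulting command line, so a mistake fails fast instead of after an image pull. Everything in it is an assumption layered on this page: the function names, the `SSC_IMAGE` / `SSC_RESULTS_DIR` overrides, the `SCAN_TYPE`/`TARGET_TYPE` pairing table (taken from the examples above; `uploaded_code` is assumed to pair with `code`, the page shows no example for it) and the clone-URL check.

```bash
#!/bin/sh
# Added example, not part of SimpleSecCheck: assemble the one-shot `docker run`
# line for the orchestrator from a scan type, target type and target, checking
# the rules this page documents before anything touches the Docker daemon.
set -eu

IMAGE="${SSC_IMAGE:-fr4iser/simpleseccheck:latest}"   # use your local tag if built from the repo
RESULTS_DIR="${SSC_RESULTS_DIR:-$(pwd)/results}"

# SCAN_TYPE / TARGET_TYPE pairs as shown in the examples on this page.
# ASSUMPTION: uploaded_code belongs to the code scan type (the page lists the
# target type but gives no example for it).
pair_ok() {
  case "$1:$2" in
    code:local_mount|code:git_repo|code:uploaded_code) return 0 ;;
    website:website|image:container_registry|network:network_host) return 0 ;;
    *) return 1 ;;
  esac
}

# scan_cmd SCAN_TYPE TARGET_TYPE [SCAN_TARGET] [SCAN_ID]
# Prints the full docker run command on one line, or fails with status 2.
scan_cmd() {
  scan_type="${1:-}"; target_type="${2:-}"; target="${3:-}"; scan_id="${4:-}"

  if ! pair_ok "$scan_type" "$target_type"; then
    printf 'error: SCAN_TYPE=%s does not match TARGET_TYPE=%s\n' "$scan_type" "$target_type" >&2
    return 2
  fi
  # The orchestrator only starts when SCAN_ID or SCAN_TARGET is set.
  if [ -z "$target" ] && [ -z "$scan_id" ]; then
    printf 'error: set SCAN_TARGET or SCAN_ID\n' >&2
    return 2
  fi

  cmd="docker run --rm -v $RESULTS_DIR:/app/results"
  case "$target_type" in
    local_mount)
      # Source is bind-mounted read-only; inside the container it is /target.
      if [ ! -d "$target" ]; then
        printf 'error: %s is not a directory\n' "$target" >&2; return 2
      fi
      src=$(cd "$target" && pwd)   # docker needs an absolute host path
      cmd="$cmd -v $src:/target:ro -e SCAN_TARGET=/target" ;;
    git_repo)
      case "$target" in
        https://*|ssh://*|git@*) ;;
        *) printf 'error: git_repo needs an HTTPS or SSH clone URL\n' >&2; return 2 ;;
      esac
      cmd="$cmd -e SCAN_TARGET=$target"
      if [ -n "${GIT_BRANCH:-}" ]; then cmd="$cmd -e GIT_BRANCH=$GIT_BRANCH"; fi ;;
    container_registry)
      # Image scans talk to the host daemon through its socket. Anyone who can
      # use that socket is root on the host, so only hand it to images you trust.
      cmd="$cmd -v /var/run/docker.sock:/var/run/docker.sock -e SCAN_TARGET=$target" ;;
    network_host)
      cmd="$cmd -v /var/run/docker.sock:/var/run/docker.sock:ro"
      if [ -n "$target" ]; then cmd="$cmd -e SCAN_TARGET=$target"; fi ;;
    *)
      cmd="$cmd -e SCAN_TARGET=$target" ;;
  esac
  if [ -n "$scan_id" ]; then cmd="$cmd -e SCAN_ID=$scan_id"; fi
  cmd="$cmd -e SCAN_TYPE=$scan_type -e TARGET_TYPE=$target_type -e COLLECT_METADATA=true"
  printf '%s %s python3 -m scanner.core.orchestrator\n' "$cmd" "$IMAGE"
}

# Usage: sh scan.sh code local_mount /path/to/project
#        sh scan.sh network network_host "" cli-network | sh   # pipe to sh to execute
if [ $# -gt 0 ]; then scan_cmd "$@"; fi
```

The script only prints; pipe its output into `sh` once you have read it. One caveat on the socket mounts: `:ro` on `/var/run/docker.sock` makes the filesystem node read-only, it does not limit what the daemon will do for a client that connects to it, so treat both the `image` and the `network` variants as granting the container full control of the host daemon.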
The full target list and copy-paste `docker run` examples are also printed by:

```bash
docker run --rm fr4iser/simpleseccheck:latest python3 -m scanner.core.help
```

For architecture and adding plugins, see `scanner/README.md`.
Results are written to `results/<target>_<timestamp>/` and include:

- `security-summary.html` (main report)
- `scan.log`
- tool-specific JSON/XML outputs