CLI Reference
Complete command and flag reference for Redactyl
These flags work with all commands:
| Flag | Description |
|---|
--config | Path to config file (default: .redactyl.yml) |
--verbose | Enable verbose output |
--debug | Enable debug logging |
--no-color | Disable colored output |
--help | Show help |
--version | Show version |
Scan for secrets in files, archives, and containers.
redactyl scan [flags] [paths...]
| Flag | Description |
|---|
--json | Output findings as JSON |
--sarif | Output findings as SARIF |
--text | Output findings as plain text |
--no-tui | Disable interactive TUI |
--guide | Include remediation guidance |
| Flag | Description |
|---|
--staged | Scan only staged changes |
--history N | Scan last N commits |
--base BRANCH | Scan diff against base branch |
--exclude PATTERN | Exclude paths matching pattern |
| Flag | Description |
|---|
--archives | Scan archive files (zip, tar, tgz) |
--containers | Scan container images |
--helm | Scan Helm charts |
--k8s | Scan Kubernetes manifests |
--deep | Enable all deep scanning |
--image IMAGE | Scan specific container image |
| Flag | Description |
|---|
--severity LEVEL | Minimum severity (low, medium, high, critical) |
--detector NAME | Filter by detector name |
--baseline FILE | Use baseline file |
# Basic scan
redactyl scan
# Scan with JSON output
redactyl scan --json > findings.json
# Scan staged changes only
redactyl scan --staged
# Deep scan everything
redactyl scan --deep
# Scan remote container image
redactyl scan --image gcr.io/myproject/myapp:latest
# CI/CD mode with SARIF output
redactyl scan --no-tui --sarif > redactyl.sarif.json
Manage the baseline of known/accepted findings.
redactyl baseline [command]
| Command | Description |
|---|
list | List baselined findings |
add | Add finding to baseline |
remove | Remove finding from baseline |
clear | Clear all baselined findings |
# List baselined findings
redactyl baseline list
# Add by fingerprint
redactyl baseline add --fingerprint abc123
# Remove from baseline
redactyl baseline remove --fingerprint abc123
# Clear baseline
redactyl baseline clear
Redact secrets from files.
redactyl redact [flags] [files...]
| Flag | Description |
|---|
--dry-run | Show what would be redacted |
--backup | Create backup before redacting |
--pattern PATTERN | Custom redaction pattern |
--replacement TEXT | Replacement text (default: [REDACTED]) |
# Preview redactions
redactyl redact --dry-run .env
# Redact with backup
redactyl redact --backup config.yaml
# Custom replacement
redactyl redact --replacement "***" secrets.json
Manage .env file secrets.
redactyl dotenv [command]
| Command | Description |
|---|
scan | Scan .env files |
rotate | Rotate secrets in .env |
export | Export to secret manager |
# Scan all .env files
redactyl dotenv scan
# Rotate a specific key
redactyl dotenv rotate --key API_KEY
# Export to AWS Secrets Manager
redactyl dotenv export --to aws-secrets-manager
Rewrite git history to remove secrets.
redactyl history [command]
| Command | Description |
|---|
scan | Scan git history |
clean | Remove secrets from history |
verify | Verify history is clean |
| Flag | Description |
|---|
--backup | Create backup refs |
--force | Skip confirmation prompts |
--dry-run | Show what would change |
# Scan full history
redactyl history scan
# Clean with backup
redactyl history clean --backup
# Verify clean
redactyl history verify
Manage configuration.
redactyl config [command]
| Command | Description |
|---|
init | Create default config file |
validate | Validate config file |
show | Show effective config |
# Create config file
redactyl config init
# Validate config
redactyl config validate
# Show effective config
redactyl config show
| Code | Meaning |
|---|
| 0 | Success, no findings |
| 1 | Findings detected |
| 2 | Error during scan |
| 3 | Configuration error |