Skip to content

CLI Reference

These flags work with all commands:

FlagDescription
--configPath to config file (default: .redactyl.yml)
--verboseEnable verbose output
--debugEnable debug logging
--no-colorDisable colored output
--helpShow help
--versionShow version

Scan for secrets in files, archives, and containers.

Terminal window
redactyl scan [flags] [paths...]
FlagDescription
--jsonOutput findings as JSON
--sarifOutput findings as SARIF
--textOutput findings as plain text
--no-tuiDisable interactive TUI
--guideInclude remediation guidance
FlagDescription
--stagedScan only staged changes
--history NScan last N commits
--base BRANCHScan diff against base branch
--exclude PATTERNExclude paths matching pattern
FlagDescription
--archivesScan archive files (zip, tar, tgz)
--containersScan container images
--helmScan Helm charts
--k8sScan Kubernetes manifests
--deepEnable all deep scanning
--image IMAGEScan specific container image
FlagDescription
--severity LEVELMinimum severity (low, medium, high, critical)
--detector NAMEFilter by detector name
--baseline FILEUse baseline file
Terminal window
# Basic scan
redactyl scan
# Scan with JSON output
redactyl scan --json > findings.json
# Scan staged changes only
redactyl scan --staged
# Deep scan everything
redactyl scan --deep
# Scan remote container image
redactyl scan --image gcr.io/myproject/myapp:latest
# CI/CD mode with SARIF output
redactyl scan --no-tui --sarif > redactyl.sarif.json

Manage the baseline of known/accepted findings.

Terminal window
redactyl baseline [command]
CommandDescription
listList baselined findings
addAdd finding to baseline
removeRemove finding from baseline
clearClear all baselined findings
Terminal window
# List baselined findings
redactyl baseline list
# Add by fingerprint
redactyl baseline add --fingerprint abc123
# Remove from baseline
redactyl baseline remove --fingerprint abc123
# Clear baseline
redactyl baseline clear

Redact secrets from files.

Terminal window
redactyl redact [flags] [files...]
FlagDescription
--dry-runShow what would be redacted
--backupCreate backup before redacting
--pattern PATTERNCustom redaction pattern
--replacement TEXTReplacement text (default: [REDACTED])
Terminal window
# Preview redactions
redactyl redact --dry-run .env
# Redact with backup
redactyl redact --backup config.yaml
# Custom replacement
redactyl redact --replacement "***" secrets.json

Manage .env file secrets.

Terminal window
redactyl dotenv [command]
CommandDescription
scanScan .env files
rotateRotate secrets in .env
exportExport to secret manager
Terminal window
# Scan all .env files
redactyl dotenv scan
# Rotate a specific key
redactyl dotenv rotate --key API_KEY
# Export to AWS Secrets Manager
redactyl dotenv export --to aws-secrets-manager

Rewrite git history to remove secrets.

Terminal window
redactyl history [command]
CommandDescription
scanScan git history
cleanRemove secrets from history
verifyVerify history is clean
FlagDescription
--backupCreate backup refs
--forceSkip confirmation prompts
--dry-runShow what would change
Terminal window
# Scan full history
redactyl history scan
# Clean with backup
redactyl history clean --backup
# Verify clean
redactyl history verify

Manage configuration.

Terminal window
redactyl config [command]
CommandDescription
initCreate default config file
validateValidate config file
showShow effective config
Terminal window
# Create config file
redactyl config init
# Validate config
redactyl config validate
# Show effective config
redactyl config show
CodeMeaning
0Success, no findings
1Findings detected
2Error during scan
3Configuration error