security
Scan code for secrets and vulnerabilities, analyze content risks, preview redactions, and automatically fix detected security issues in local projects.
Instructions
Security actions: scan, risk, redact, fix. When the scope is narrow, scan may return coverage guidance; in that case use the recommended include globs and set includeHidden=true so hidden files such as .env are included.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Action: scan (find secrets/vulnerabilities), risk (analyze content risk), redact (preview redaction), fix (auto-fix detected secrets) | |
| root | No | Root directory to scan (action=scan|fix). Must be a directory; use workspace/search to discover valid roots. | |
| scanType | No | Type of scan (for action=scan|fix) | |
| outputFormat | No | Output format (for action=scan) | |
| include | No | Glob patterns to include (e.g., ["**/*.ts","**/*.py"]). If omitted, scan auto-detects project type and applies defaults. | |
| exclude | No | File patterns to exclude from scan (e.g., ["*_test.py", "*.spec.ts"]). Applied after include filter. | |
| skipTests | No | Skip test directories (tests/, test/, __tests__/, spec/) to reduce noise. Default: true | |
| includeHidden | No | Include hidden files/directories (default: false). By default, hidden files and common noise dirs (node_modules, venv, .git) are skipped. Set true to scan hidden files like .env, .secret. | |
| failOnEmpty | No | Fail when zero files are scanned. Default: true in CI, false in local runs. | |
| apply | No | Apply fixes immediately (for action=fix, default: false) | |
| content | No | Content to analyze/redact (for action=risk|redact) | |
| context | No | Content context type (for action=risk) | |
| strictMode | No | Strict mode for risk analysis (for action=risk) | |
| showContext | No | Show context around redacted content (for action=redact) | |
| contextLines | No | Number of context lines to show (for action=redact) | |
| format | No | Output format: compact (paths only), dense (minimal), detailed (full), json (raw) | |
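The file-selection rules the schema describes (include globs, exclude applied after include, skipTests, includeHidden, failOnEmpty) and the coverage hint mentioned under Instructions, modelled here as an added example rather than the tool's own code. Glob matching via `fnmatch` and the `"*"` default include pattern are assumptions, and the sample tree is constructed.

```python
"""Added example, not the tool's own code: a model of the file-selection
rules in the schema above and of the coverage hint for narrow scopes.
fnmatch is an approximation of the tool's glob engine; paths are constructed."""
from fnmatch import fnmatch
from pathlib import PurePosixPath

NOISE_DIRS = {"node_modules", "venv", ".git"}        # skipped unless includeHidden
TEST_DIRS = {"tests", "test", "__tests__", "spec"}   # skipped when skipTests

# Constructed sample tree standing in for a project checkout
SAMPLE_TREE = [
    "src/app.ts", "src/config.py", "src/app_test.py", "tests/test_app.py",
    ".env", ".github/workflows/ci.yml", "node_modules/lib/index.ts",
]

def is_hidden(parts):
    """True for dotfiles/dot-dirs and the noise dirs the schema lists."""
    return any(p.startswith(".") or p in NOISE_DIRS for p in parts)

def select_files(paths, include=None, exclude=None, skip_tests=True,
                 include_hidden=False, fail_on_empty=False):
    """Return the files a scan would visit. "*" stands in for the
    auto-detected default include patterns (assumption)."""
    include, exclude = include or ["*"], exclude or []
    selected = []
    for path in paths:
        parts = PurePosixPath(path).parts
        if not include_hidden and is_hidden(parts):
            continue
        if skip_tests and any(p in TEST_DIRS for p in parts[:-1]):
            continue
        if not any(fnmatch(path, g) for g in include):
            continue
        # exclude patterns are applied after the include filter
        if any(fnmatch(path, g) or fnmatch(parts[-1], g) for g in exclude):
            continue
        selected.append(path)
    if fail_on_empty and not selected:
        raise RuntimeError("zero files scanned (failOnEmpty)")
    return selected

def coverage_guidance(paths, selected, include_hidden=False):
    """Report hidden paths (e.g. .env) the scan never looked at; secrets
    often live there, so a clean result on a narrow scope is misleading."""
    skipped = [p for p in paths if p not in selected
               and PurePosixPath(p).parts[0].startswith(".")]
    if include_hidden or not skipped:
        return None
    return f"{len(skipped)} hidden path(s) skipped; rerun with includeHidden=true"

if __name__ == "__main__":
    found = select_files(SAMPLE_TREE)
    print(found, coverage_guidance(SAMPLE_TREE, found))
```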