From the repository root:
npm.cmd link --cache .\.npm-cache
After linking, the global command is:
sfa
If you run sfa with no arguments, the CLI now prints a built-in quick-start guide instead of a minimal usage block.
If you install the package globally from npm, use this as the first-run path:
npm install -g security-first-aid@latest
sfa
Running sfa is the reliable way to see the built-in guide, because npm may suppress or reduce post-install script output depending on install mode and client configuration.
PowerShell note:
- If PowerShell prefers a blocked sfa.ps1 shim, run sfa.cmd ... or cmd /c sfa ....
- In this workspace, the blocked shim was removed so plain sfa resolves to sfa.cmd.

sfa scan <target-path> [options]
Options:
--format json|markdown|sarif|terminal
--baseline <path>
--config <path>
--severity-threshold low|medium|high|critical
--output <path>
Behavior:
- exits 0 when no findings meet the effective severity threshold
- exits 1 when at least one finding meets or exceeds the threshold
- uses the repository policy file when present
- writes the rendered report to the requested file when --output is supplied
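The exit codes above are what a CI gate keys on. The wrapper below is an added example, not part of the sfa project: the function name sfa_gate and its argument order are hypothetical, and treating any status other than 0 or 1 as a scanner failure is an assumption, since only 0 and 1 are documented here.

```shell
#!/bin/sh
# sfa_gate: hypothetical CI wrapper around `sfa scan` (not shipped with sfa).
# Usage: sfa_gate <target-path> <threshold> <report-path> [baseline-path]
# Returns 0 = clean, 1 = findings at/above threshold, 2 = scanner did not
# complete normally (assumption: sfa only documents exit codes 0 and 1).
sfa_gate() {
    target=$1
    threshold=$2
    report=$3
    baseline=${4:-}

    # Build the command line from documented options only.
    set -- scan "$target" --format sarif \
        --severity-threshold "$threshold" --output "$report"

    # Pass --baseline only when the file exists. Without it every finding
    # counts, which fails closed rather than silently suppressing results.
    if [ -n "$baseline" ] && [ -f "$baseline" ]; then
        set -- "$@" --baseline "$baseline"
    fi

    # Capture the status explicitly so the wrapper also works under `set -e`.
    status=0
    sfa "$@" || status=$?

    case $status in
        0)
            echo "sfa: no findings at or above '$threshold'"
            return 0
            ;;
        1)
            echo "sfa: findings at or above '$threshold', see $report" >&2
            return 1
            ;;
        *)
            # A missing binary (127) or a crash must not be read as "clean"
            # or confused with a policy failure.
            echo "sfa: unexpected exit status $status, scan did not complete" >&2
            return 2
            ;;
    esac
}
```

Keeping status 2 separate from status 1 lets the pipeline distinguish "the code has findings" from "the scanner never produced a result", which usually go to different owners.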
Examples:
sfa scan . --format terminal
sfa scan . --format json --severity-threshold medium
sfa scan . --format sarif --baseline ./.sfa-baseline.json
sfa scan . --format markdown --output ./reports/report.md

sfa baseline create <target-path> [options]
Options:
--output <path>
--config <path>
Behavior:
- scans the target repository
- ignores any existing baseline suppression
- writes a baseline JSON file containing finding fingerprints
Examples:
sfa baseline create .
sfa baseline create . --output ./.sfa-baseline.json

sfa rules list [--format json|markdown|terminal]
Examples:
sfa rules list
sfa rules list --format json

Use any of these to print the built-in guide:
sfa
sfa help
sfa --help
sfa -h
The help output includes:
- quick-start commands
- command usage
- examples
- links to the README and npm package page