
The LintLiot SDK ships two CLI commands you can run with npx — no global install required. Use lintliot init to connect your project and auto-insert middleware, and lintliot-scan to scan your codebase for hardcoded secrets, insecure patterns, and infrastructure misconfigurations.

Commands

The @lintliot/sdk package exposes two binaries:

Binary         Invocation           Purpose
lintliot       npx lintliot init    Project setup and middleware insertion
lintliot-scan  npx lintliot-scan    Static security scanning

npx lintliot init

lintliot init wires LintLiot into your project in roughly 60 seconds. It:
  1. Detects your framework by reading package.json dependencies. It recognizes Next.js, Express, Fastify, Koa, Hono, and Elysia.
  2. Detects your auth provider (Clerk, NextAuth, Auth0, Supabase Auth) and database (Supabase, Prisma, Drizzle, MongoDB, PostgreSQL).
  3. Provisions an API key by authenticating with your LintLiot account. The key is written to .env.local as LINTLIOT_API_KEY.
  4. Creates middleware for your detected framework:
    • Next.js — creates middleware.ts (or src/middleware.ts) that runs on every /api/* request via the Edge Runtime.
    • Express / Hono — prints the app.use(lintliot.protect()) snippet to add before your routes.
  5. Adds a security:scan script to package.json pointing at lintliot-scan.
npx lintliot init
If middleware.ts already exists, init will not overwrite it. Instead it prints the manual snippet to add to your existing file.
After running init, set LINTLIOT_API_KEY in any environment where you deploy your app (Vercel, Railway, Fly.io, etc.). The key written to .env.local is for local development only.

npx lintliot-scan

lintliot-scan is a static security scanner that looks for hardcoded secrets, infrastructure misconfigurations, and insecure code patterns across your entire codebase. It covers 40+ secret patterns (API keys, tokens, private keys), IaC files (Terraform, Docker, Kubernetes, GitHub Actions), and common code vulnerabilities.
npx lintliot-scan [options]

Flags

--path (string, default: "./src")
Directory to scan. Accepts any path relative to the working directory.
npx lintliot-scan --path ./

--severity (string, default: "low")
Minimum severity level to report. Findings below this threshold are omitted from output. Accepted values: critical, high, medium, low.
npx lintliot-scan --severity high

--format (string, default: "pretty")
Output format. Accepted values:
  • pretty — human-readable terminal output with colors and icons
  • json — machine-readable JSON object with a findings array
  • sarif — SARIF 2.1.0 for GitHub Code Scanning and IDE integrations
npx lintliot-scan --format sarif > results.sarif

--exclude (string)
Comma-separated list of path fragments to skip. Useful for vendored code or generated files.
npx lintliot-scan --exclude "fixtures,generated,vendor"

--no-tests (boolean)
When set, skips files matching test path patterns (*.test.ts, *.spec.ts, __tests__/, etc.). Some rules (hardcoded passwords, eval()) are already suppressed in test files by default.
npx lintliot-scan --no-tests

Exit codes

Code  Meaning
0     No findings at or above the minimum severity level
1     One or more CRITICAL findings detected
lintliot-scan exits with code 1 whenever it finds a CRITICAL finding, regardless of the --severity filter. This is intentional — critical findings always block CI.

Detection categories

Category  Examples
secret    AWS keys, Stripe secret keys, GitHub tokens, OpenAI/Anthropic keys, Supabase service role keys, JWT secrets, RSA/EC private keys, database connection strings
iac       Terraform hardcoded credentials, Docker ARG secrets, Kubernetes stringData secrets, GitHub Actions hardcoded env values
code      eval(), dangerouslySetInnerHTML, unparameterized SQL, Math.random() for tokens, MD5/SHA1 for security, disabled SSL verification, exec() with user input

GitHub Actions integration

Add a security scan step to your CI workflow so findings are caught before code reaches production. Use --format sarif to push results directly to GitHub Code Scanning.
name: Security scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npx lintliot-scan --path ./ --severity high
For monorepos, run lintliot-scan from the repo root with --path ./ rather than per-package. The scanner already skips node_modules, .next, dist, build, and other generated directories automatically.

JSON output format

When using --format json, the scanner outputs a single object:
{
  "findings": [
    {
      "file": "/home/user/project/src/config.ts",
      "line": 14,
      "column": 1,
      "ruleId": "SEC003",
      "severity": "critical",
      "category": "secret",
      "name": "Stripe Secret Key",
      "description": "Stripe Secret Key detected",
      "match": "sk_liv••••3f2a",
      "fix": "Use STRIPE_SECRET_KEY environment variable"
    }
  ],
  "duration": 312,
  "total": 1
}
Secret values in the match field are always masked — only the first 6 and last 4 characters are shown.
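As an added example (not LintLiot's own code), the script below consumes a report in the JSON shape documented above and reproduces the documented exit-code rule: the --severity threshold decides which findings are shown, but any CRITICAL finding yields exit code 1 regardless of that filter. It also implements the documented masking (first 6 and last 4 characters visible). The sample report is constructed for illustration; its rule ids other than SEC003 are placeholders, and the handling of values too short to mask safely is an assumption added here.

```javascript
// Added example, not LintLiot's own code: post-processing helpers for the
// --format json report (findings[], duration, total) and the documented
// exit-code and masking rules. SAMPLE_REPORT is constructed; the
// RULE-ID-PLACEHOLDER ids are not real LintLiot rule identifiers.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Parse the scanner's JSON object and validate the fields relied on below.
function parseScanOutput(jsonText) {
  const report = JSON.parse(jsonText);
  if (!Array.isArray(report.findings)) {
    throw new Error("expected a findings array");
  }
  for (const f of report.findings) {
    if (!(f.severity in SEVERITY_RANK)) {
      throw new Error(`unknown severity "${f.severity}" in ${f.file}`);
    }
  }
  return report;
}

// Equivalent of --severity <min>: keep findings at or above the threshold.
function filterBySeverity(findings, minSeverity) {
  const floor = SEVERITY_RANK[minSeverity];
  if (floor === undefined) throw new Error(`unknown threshold ${minSeverity}`);
  return findings.filter((f) => SEVERITY_RANK[f.severity] >= floor);
}

// Documented rule: exit 1 whenever any CRITICAL finding exists, regardless
// of the --severity filter; the docs list 0 for every other outcome.
function exitCodeFor(allFindings) {
  return allFindings.some((f) => f.severity === "critical") ? 1 : 0;
}

// Documented masking: first 6 and last 4 characters visible, e.g.
// "sk_liv••••3f2a". Assumption added here: a value of 10 characters or
// fewer would be fully revealed by that rule, so it is masked entirely.
function maskSecret(value) {
  if (value.length <= 10) return "••••";
  return value.slice(0, 6) + "••••" + value.slice(-4);
}

// Count findings per category for a one-line CI summary.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.category] = (counts[f.category] || 0) + 1;
  return counts;
}

// Tie the pieces together: shown findings follow the threshold, the exit
// code is computed over ALL findings, as the scanner does.
function ciReport(jsonText, minSeverity = "low") {
  const report = parseScanOutput(jsonText);
  const shown = filterBySeverity(report.findings, minSeverity);
  return { shown, counts: summarize(shown), exitCode: exitCodeFor(report.findings) };
}

// Constructed sample report: one finding per category.
const SAMPLE_REPORT = JSON.stringify({
  findings: [
    { file: "src/config.ts", line: 14, column: 1, ruleId: "SEC003",
      severity: "critical", category: "secret", name: "Stripe Secret Key",
      description: "Stripe Secret Key detected", match: "sk_liv••••3f2a",
      fix: "Use STRIPE_SECRET_KEY environment variable" },
    { file: "src/token.ts", line: 8, column: 15, ruleId: "RULE-ID-PLACEHOLDER-1",
      severity: "high", category: "code", name: "Math.random() for tokens",
      description: "Math.random() used to build a token", match: "Math.random()",
      fix: "Use crypto.randomBytes" },
    { file: "infra/main.tf", line: 3, column: 1, ruleId: "RULE-ID-PLACEHOLDER-2",
      severity: "low", category: "iac", name: "Terraform hardcoded credential",
      description: "Credential literal in Terraform variable", match: "AKIAEX••••MPLE",
      fix: "Read the credential from a variable or secrets backend" },
  ],
  duration: 312,
  total: 3,
});

const demo = ciReport(SAMPLE_REPORT, "high");
console.log(`${demo.shown.length} finding(s) shown, exit code ${demo.exitCode}`, demo.counts);
```

Run it with a real report by replacing SAMPLE_REPORT with the contents of `npx lintliot-scan --format json` captured to a file; the exit code it computes should match the scanner's own, since both follow the rule in the Exit codes section.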