|`cycode_secret_scan`| Scan files for hardcoded secrets |
388
-
|`cycode_sca_scan`| Scan files for Software Composition Analysis (SCA) - vulnerabilities and license issues |
389
-
|`cycode_iac_scan`| Scan files for Infrastructure as Code (IaC) misconfigurations |
390
-
|`cycode_sast_scan`| Scan files for Static Application Security Testing (SAST) - code quality and security flaws |
388
+
|`cycode_secret_scan`| Scan for hardcoded secrets|
389
+
|`cycode_sca_scan`| Scan for Software Composition Analysis (SCA) - vulnerabilities and license issues|
390
+
|`cycode_iac_scan`| Scan for Infrastructure as Code (IaC) misconfigurations|
391
+
|`cycode_sast_scan`| Scan for Static Application Security Testing (SAST) - code quality and security flaws|
391
392
|`cycode_status`| Get Cycode CLI version, authentication status, and configuration information |
392
393
394
+
Each scan tool accepts two mutually exclusive input modes:
395
+
396
+
- **`paths`***(preferred)* — one or more file or directory paths that exist on disk. Directories are scanned recursively. The Cycode engine handles file discovery and filtering, just as `cycode scan -t <type> path ./src` does from the CLI.
397
+
- **`files`***(fallback)* — a dictionary mapping file paths to their full content as strings. Use this only when the files are not available on disk (e.g. in-memory edits not yet saved).
398
+
399
+
> [!TIP]
400
+
> Use `paths` whenever possible. Passing large files (like `package-lock.json`) as inline content can exceed token limits and slow down the AI client. With `paths`, the Cycode engine reads files directly from disk.
401
+
402
+
All scan tools return a JSON object that includes a `"summary"` field with a human-readable violation count (e.g. `"Cycode found 3 violations: 1 CRITICAL, 2 HIGH."`) in addition to the full `"detections"` array.
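Review bot: the `paths`/`files` bullets have no space between the closing `**` and the opening `*`, so `**`paths`***(preferred)*` renders with the code span and the parenthetical run together; write `**`paths`** *(preferred)*` and `**`files`** *(fallback)*`. The paragraph also describes the two modes as mutually exclusive but does not say what happens when a client passes both; state whether the tool rejects the call or which input takes precedence, since the TIP already steers clients toward `paths` and an unstated precedence rule is easy to misread.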
> The MCP server requires proper Cycode CLI authentication to function. Make sure you have authenticated using `cycode auth` or configured your credentials before starting the MCP server.
549
560
561
+
### Pre-authorizing Tools for Subagents (Claude Code)
562
+
563
+
When Claude Code delegates work to background subagents (e.g. to run scans in parallel), those subagents cannot display interactive permission prompts. If the Cycode tools have not been pre-approved, scans will fail silently in subagent contexts.
564
+
565
+
To pre-authorize the Cycode MCP tools so they work in all contexts including subagents, add them to the `allowedTools` list in your Claude Code settings (`~/.claude/settings.json`):
566
+
567
+
```json
568
+
{
569
+
"allowedTools": [
570
+
"mcp__cycode__cycode_secret_scan",
571
+
"mcp__cycode__cycode_sca_scan",
572
+
"mcp__cycode__cycode_iac_scan",
573
+
"mcp__cycode__cycode_sast_scan",
574
+
"mcp__cycode__cycode_status"
575
+
]
576
+
}
577
+
```
578
+
579
+
Once added, Claude Code will not prompt for approval when these tools are called, and they will work correctly inside subagents.
580
+
550
581
### Troubleshooting MCP
551
582
552
583
If you encounter issues with the MCP server, you can enable debug logging to get more detailed information about what's happening. There are two ways to enable debug logging:
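Review bot: the settings example uses a top-level `allowedTools` key; verify that against the current Claude Code settings documentation before merging, since `--allowedTools` is the name of the CLI flag while settings files are documented with a `permissions` block, and a wrong key would leave subagent scans failing silently exactly as the paragraph warns. It would also help to describe how a reader can recognise that a subagent scan failed for lack of approval (what the subagent reports back) rather than only that it "fails silently", and to say plainly that pre-approval means these five tools run without any prompt in every session, so the list should contain only the Cycode tools.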
@@ -590,6 +621,7 @@ The Cycode CLI application offers several types of scans so that you can choose
590
621
|`--monitor`| When specified, the scan results will be recorded in Cycode. |
591
622
|`--cycode-report`| Display a link to the scan report in the Cycode platform in the console output. |
592
623
|`--no-restore`| When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!|
624
+
|`--stop-on-error`| Abort the scan if any file collection or dependency restore failure occurs, instead of skipping the failed file and continuing. |
593
625
|`--gradle-all-sub-projects`| Run gradle restore commandfor all sub projects. This should be run from |
594
626
|`--maven-settings-file`| For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when scanning for dependencies |
595
627
|`--help`| Show options for given command. |
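Review bot: the new `--stop-on-error` row should say what the abort looks like to a CI job (non-zero exit status, and whether results collected before the failure are still written), since that is what a pipeline keys on. While editing this table, the neighbouring `--gradle-all-sub-projects` row still reads `commandfor` and ends mid-sentence at `This should be run from`; fix the typo and either complete or drop the trailing clause.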
@@ -696,6 +728,18 @@ If a lockfile already exists alongside the manifest, Cycode reads it directly wi
By default, Cycode continues scanning even if a file cannot be read (e.g. due to a permission error) or a dependency lockfile cannot be generated during an SCA scan. The failed item is skipped with a warning and the scan proceeds with the remaining files.
734
+
735
+
Use `--stop-on-error` to change this behaviour: the scan aborts immediately on the first such failure and reports the error.
This is useful in CI pipelines where a silent failure would produce an incomplete scan result. When `--stop-on-error` is triggered you can either fix the underlying issue or, for SCA restore failures specifically, add `--no-restore` to skip lockfile generation and scan direct dependencies only.
742
+
699
743
### Repository Scan
700
744
701
745
A repository scan examines an entire local repository for any exposed secrets or insecure misconfigurations. This more holistic scan type looks at everything: the current state of your repository and its commit history. It will look not only for secrets that are currently exposed within the repository but previously deleted secrets as well.
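Review bot: the `--stop-on-error` paragraph says the scan "aborts immediately on the first such failure and reports the error" but not how the abort is signalled, which is the detail a CI pipeline needs; state the exit code and whether detections found before the abort are still reported. The sentence beginning "This is useful in CI pipelines" continues the previous sentence and should be joined to that paragraph rather than starting a new one.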