
Commands

Basic Syntax

inkog [OPTIONS] [PATH]

The PATH argument specifies the file or directory to scan. Defaults to the current directory (.).

Flags

Flag              Type     Default               Description
-path             string   .                     Path to scan (equivalent to the positional PATH argument)
-server           string   https://api.inkog.io  Inkog server URL
-output           string   text                  Output format: json, text, html, sarif
-policy           string   balanced              Security policy: low-noise, balanced, comprehensive, governance, eu-ai-act
-severity         string   low                   Minimum severity: critical, high, medium, low
-diff             boolean  false                 Show only new findings since baseline (for CI/CD)
-baseline         string   .inkog-baseline.json  Path to baseline file
-update-baseline  boolean  false                 Update the baseline after scanning
-verbose          boolean  false                 Enable detailed debug output
-version          boolean  false                 Show version and exit
-help             boolean  false                 Show help message

Both syntax styles work: inkog ./src (positional) or inkog -path ./src (flag). Use whichever you prefer.

Examples

Basic Scan

# Scan current directory
inkog .

# Scan specific directory
inkog ./src/agents

# Scan single file
inkog ./agent.py

Output Formats

# JSON output (for CI/CD)
inkog -output json .

# HTML report
inkog -output html . > report.html

# Text output (default)
inkog -output text .

Severity Filtering

# Only critical and high findings
inkog -severity high .

# Only critical findings
inkog -severity critical .

# All findings (default)
inkog -severity low .

Debug Mode

# Verbose output for debugging
inkog -verbose .

Custom Server

# Use self-hosted server
inkog -server https://inkog.internal.company.com .

CI/CD Diff Mode

Diff mode is designed for CI/CD pipelines. It compares current scan results against a stored baseline, showing only new or fixed findings. This enables:

  • Fail only on new issues: Don’t break existing PRs due to pre-existing problems
  • Track security improvements: See when vulnerabilities are fixed
  • Reduce noise: Focus developer attention on changes they introduced
# First, create a baseline on your main branch and commit .inkog-baseline.json
# so that PR jobs can fetch it from main
inkog -update-baseline .

# Then in PRs, show only new findings
inkog -diff .

GitHub Actions Example (assumes the inkog CLI is already on the runner's PATH; the API key comes from a repository secret, and the SARIF upload runs even when the scan step fails on new findings):

name: Security Scan
on: [pull_request]

# upload-sarif needs permission to write code-scanning results
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # All scans require an API key; keep it in a secret, never in the workflow file
      INKOG_API_KEY: ${{ secrets.INKOG_API_KEY }}
    steps:
      - uses: actions/checkout@v4

      - name: Download baseline
        run: |
          git fetch origin main
          git show origin/main:.inkog-baseline.json > .inkog-baseline.json || true

      - name: Run security scan
        # Exits 1 on new CRITICAL/HIGH findings, which fails this step
        run: |
          inkog -diff -output sarif . > results.sarif

      - name: Upload SARIF
        # Run even if the scan step failed, so the findings reach code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

Diff Output (JSON; the per-finding arrays are left empty here for brevity):

{
  "summary": {
    "total_new": 2,
    "total_fixed": 1,
    "total_unchanged": 15,
    "new_by_severity": { "CRITICAL": 1, "HIGH": 1 },
    "fixed_by_severity": { "HIGH": 1 },
    "base_risk_score": 450,
    "head_risk_score": 480,
    "risk_delta": 30
  },
  "new_findings": [],
  "fixed_findings": [],
  "unchanged_findings": []
}

Security Policies

# Low noise - only proven exploitable vulnerabilities
inkog -policy low-noise .

# Balanced - vulnerabilities + risk patterns (default)
inkog -policy balanced .

# Comprehensive - all findings including best practices
inkog -policy comprehensive .

# Governance focused - Article 14, authorization, audit trails
inkog -policy governance .

# EU AI Act compliance mode
inkog -policy eu-ai-act .

Exit Codes

Code  Meaning
0     Success - No security findings (or no new findings in diff mode)
1     Findings detected - New CRITICAL/HIGH findings in diff mode, or any findings in regular mode
2     Error - Scan execution failed

Use exit codes for CI/CD pipeline control. Most CI systems already fail a step on any non-zero exit, so `|| exit 1` is only needed to make the intent explicit; note that it also maps a scan error (exit code 2) to 1, so test the exit code directly if you need to tell a failed scan apart from real findings.

# Fail on any high+ severity findings
inkog -severity high . || exit 1

# Diff mode: fail only on new critical/high findings
inkog -diff . || exit 1

In diff mode, exit code 1 is returned only when there are new CRITICAL or HIGH severity findings. This means your pipeline will pass if:

  • There are no new findings
  • New findings are only MEDIUM or LOW severity
  • Findings were fixed (security improvement)
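The built-in gate above stops the pipeline only on new CRITICAL/HIGH findings, and a 429 or timeout simply fails the scan. The following wrapper, an added example written for this page and not code from the inkog project, runs `inkog -diff -output json`, parses the diff JSON shown earlier, and applies a stricter gate (configurable minimum severity plus an optional cap on `risk_delta`) while retrying a bounded number of times when the scan itself fails. The file name `inkog_gate.py` is assumed; so is the assumption that a rate-limit or timeout error surfaces as exit code 2 and that the JSON report is written to stdout. The decision logic is kept in a pure function so it can be exercised without the CLI.

```python
"""CI gate around `inkog -diff -output json` (added example, not inkog's own code).

Assumptions: the CLI writes the diff JSON to stdout, exits 0/1 as documented
on this page, and uses exit code 2 for any scan failure, including the 429
rate-limit response. Save as inkog_gate.py (assumed name).
"""
import json
import subprocess
import sys
import time

# Severity ordering used by the gate; keys match the diff JSON's new_by_severity.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def evaluate(returncode, stdout, fail_on="MEDIUM", max_risk_delta=None):
    """Decide pass/fail from the CLI exit code and its JSON diff output.

    Returns (ok, reason). Fails on a scan error, on any new finding whose
    severity is at or above `fail_on`, and, when `max_risk_delta` is set,
    when the risk score rose by more than that amount.
    """
    if returncode == 2:
        return False, "scan execution failed (exit code 2)"
    if returncode not in (0, 1):
        return False, f"unexpected exit code {returncode}"

    summary = json.loads(stdout)["summary"]
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = {
        sev: n
        for sev, n in summary.get("new_by_severity", {}).items()
        if n > 0 and SEVERITY_RANK.get(sev.upper(), 0) >= threshold
    }
    if blocking:
        return False, f"new findings at or above {fail_on.upper()}: {blocking}"

    delta = summary.get("risk_delta", 0)
    if max_risk_delta is not None and delta > max_risk_delta:
        return False, f"risk score rose by {delta} (limit {max_risk_delta})"

    return True, (f"{summary.get('total_new', 0)} new (none blocking), "
                  f"{summary.get('total_fixed', 0)} fixed, risk delta {delta}")


def run_inkog(args, retries=3, backoff_seconds=15):
    """Run the CLI, retrying a bounded number of times on exit code 2.

    The API allows 5 requests per minute, so the wait grows with each attempt.
    Exit codes 0 and 1 are returned immediately together with the JSON report.
    """
    for attempt in range(retries + 1):
        proc = subprocess.run(["inkog", *args], capture_output=True, text=True)
        if proc.returncode != 2 or attempt == retries:
            return proc.returncode, proc.stdout
        print(f"scan failed (attempt {attempt + 1}): {proc.stderr.strip()}",
              file=sys.stderr)
        time.sleep(backoff_seconds * (attempt + 1))


# Constructed sample mirroring the diff JSON above: two new findings
# (one CRITICAL, one HIGH), one HIGH fixed, risk score up by 30.
SAMPLE_DIFF = json.dumps({
    "summary": {
        "total_new": 2, "total_fixed": 1, "total_unchanged": 15,
        "new_by_severity": {"CRITICAL": 1, "HIGH": 1},
        "fixed_by_severity": {"HIGH": 1},
        "base_risk_score": 450, "head_risk_score": 480, "risk_delta": 30,
    },
    "new_findings": [], "fixed_findings": [], "unchanged_findings": [],
})


if __name__ == "__main__":
    # Real run inside a PR job that has fetched .inkog-baseline.json from
    # main and exported INKOG_API_KEY:  python inkog_gate.py ./src
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    code, out = run_inkog(["-diff", "-output", "json", path])
    ok, reason = evaluate(code, out, fail_on="MEDIUM", max_risk_delta=0)
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

With `fail_on="MEDIUM"` the wrapper fails a PR that the CLI alone would pass (new MEDIUM findings return exit code 0 in diff mode), and `max_risk_delta=0` additionally blocks any net increase in the risk score even when every new finding is LOW. Retrying only on exit code 2 keeps a findings result (exit 1) from being rerun against the 5-requests-per-minute limit.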

Supported File Types

Inkog scans the following file types:

Code:

  • Python (.py)
  • JavaScript (.js)
  • TypeScript (.ts, .tsx)
  • Go (.go)
  • Java (.java)
  • Ruby (.rb)
  • PHP (.php)
  • C# (.cs)
  • Rust (.rs)

Configuration:

  • YAML (.yaml, .yml)
  • JSON (.json)
  • Environment files (.env)
  • Config files (.conf, .cfg)

Skipped Files

The following are automatically skipped:

Build/Dependencies:

  • node_modules/
  • vendor/
  • .git/
  • __pycache__/
  • .venv/, venv/
  • dist/, build/
  • .next/, .nuxt/

Package Files:

  • package.json, package-lock.json
  • yarn.lock, pnpm-lock.yaml
  • go.mod, go.sum
  • Cargo.toml, Cargo.lock
  • Gemfile, Gemfile.lock

Config Files:

  • .eslintrc, .prettierrc
  • babel.config.json
  • webpack.config.js
  • jest.config.js

Troubleshooting

API Key Required

All scans require an API key. If you see an authentication error:

# Set your API key (in CI, inject it from a secret rather than hard-coding it;
# never commit it to the repository)
export INKOG_API_KEY=sk_live_your_key_here

# Then run your scan
inkog ./src

Get your free API key at app.inkog.io.

Rate Limits

The API is rate-limited to 5 requests per minute. If you exceed this limit, you’ll see a 429 Too Many Requests error. Wait a moment and retry.

Timeout Errors

Large codebases may take longer to analyze. If you encounter timeout errors:

  • Scan specific subdirectories instead of the entire repo
  • Use severity filtering: inkog -severity high ./src