scan
Scan a repository and emit Semgrep-compatible Finding JSON. Findings print to stdout by default, or to a file with --out; progress and diagnostics go to stderr.
| Argument | Description |
|---|---|
| repo-path | Path to the repository to scan. Must be an existing directory. |
| Flag | Description |
|---|---|
| --out <path> | Write Finding JSON here instead of stdout. |
| --config <path> | YAML config file with defaults; explicit CLI flags take precedence. |
| --scanner <name> | Pick a version: kolega-scan-oss-v1 (default) or kolega-scan-oss-v2. See Versions below. |
| -v, --verbose | Verbose (DEBUG) progress on stderr. |
| -q, --quiet | Only warnings and errors on stderr. |
- V1 runs by default and reads `DEEPSEEK_API_KEY` from the environment; a missing key exits 2 with a clear message.
- The scan command keeps stdout to findings JSON only, so `kolega-scan scan ... | jq` always works.