merlin scan
Interactive security scanning with Bandit and Pylint integration. Local vulnerability detection with drill-down capability and multiple output formats.
Basic Usage
# Scan current directory (interactive by default)
merlin scan

# Scan a specific path
merlin scan --path ./src

# Plain-text output instead of the interactive view
merlin scan --format text
Security Note
The merlin scan command never uploads your code. Bandit and Pylint run locally on your machine, so your source code never leaves it.
What Gets Scanned
Code Vulnerabilities (Bandit)
- Hardcoded passwords
- SQL injection risks
- Shell injection
- Insecure random generators
- Weak cryptography
Code Quality & Security (Pylint)
- Security-related code issues
- Error detection
- Warning identification
- Code quality concerns
- Best practice violations
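To make the Bandit categories above concrete, here is an added example (not code from Merlin or Bandit) that puts each insecure pattern beside a hardened form in one Python module. The function names, the in-memory users table and the test inputs are constructed for illustration. Running merlin scan --tool bandit over a file like this is expected to report the insecure_* functions and the ADMIN_PASSWORD literal while leaving the safe_* versions alone.

```python
"""Insecure patterns from the Bandit categories above, each beside a fix.

Added example for illustration; not part of merlin or Bandit. Helper names
and sample data are invented here.
"""
import hashlib
import os
import random
import secrets
import sqlite3
import subprocess

# --- Hardcoded passwords --------------------------------------------------
ADMIN_PASSWORD = "hunter2"  # insecure: credential literal committed in source


def safe_db_password():
    # Hardened: the secret comes from the runtime environment, not the repo.
    return os.environ.get("DB_PASSWORD")


# --- SQL injection --------------------------------------------------------
def users_db():
    # Constructed in-memory fixture so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def insecure_find_user(db, name):
    # Query assembled by string formatting: attacker-controlled `name`
    # becomes SQL syntax, e.g. x' OR '1'='1 returns every row.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def safe_find_user(db, name):
    # Parameterised query: the driver binds `name` as data, never as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Shell injection ------------------------------------------------------
def insecure_greet(user):
    # shell=True with interpolated input: "; extra" runs a second command.
    return subprocess.run(f"echo Hello {user}", shell=True,
                          capture_output=True, text=True).stdout


def safe_greet(user):
    # Argument list and no shell: the whole input is a single argv entry.
    return subprocess.run(["echo", "Hello", user],
                          capture_output=True, text=True).stdout


# --- Insecure random generators ------------------------------------------
def insecure_token(n_bytes=16):
    # `random` is a predictable PRNG; it must not produce secrets or tokens.
    return "".join(f"{random.randrange(256):02x}" for _ in range(n_bytes))


def safe_token(n_bytes=16):
    # `secrets` draws from the OS CSPRNG.
    return secrets.token_hex(n_bytes)


# --- Weak cryptography ----------------------------------------------------
def insecure_hash_password(password):
    # Unsalted MD5: fast to brute-force and collision-prone.
    return hashlib.md5(password.encode()).hexdigest()


def safe_hash_password(password, salt=None):
    # Salted, iterated PBKDF2-HMAC-SHA256 from the standard library.
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    # Recompute with the stored salt and compare in constant time.
    salt_hex = stored.split("$", 1)[0]
    candidate = safe_hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = users_db()
    payload = "x' OR '1'='1"
    print("insecure:", insecure_find_user(db, payload))  # every user leaks
    print("safe:    ", safe_find_user(db, payload))      # no match
```

The insecure functions are deliberately kept in the module so a scan has something to report; in a real code base they would be deleted, not merely shadowed by the safe versions.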
Advanced Options
--path        Path to scan for security issues
--tool        Specific tool to run (can be used multiple times)
--severity    Filter by minimum severity level
--format      Output format (interactive, json, text)
--no-cache    Skip the cache and force a fresh scan
--config      Optional config file for the underlying tools
Example Security Report
Usage Tips
Interactive Mode
Use the default interactive format to navigate through findings with arrow keys, press Enter to drill down, and Esc to go back.
JSON Output for Automation
Export scan results as JSON for integration with other tools and automated pipelines.
Tool Selection
Pass --tool once per tool to run only a subset of the scanners (for example, --tool bandit). Currently available tools: bandit, pylint.
Related Commands
Combine security scanning with other Merlin analysis tools for comprehensive code review.