drako scan analyzes your project using the Python AST. The analysis itself runs fully offline: it makes no network calls and requires no signup; network access happens only when you opt in with flags such as --upload. It generates a governance score, an Agent BOM, and actionable findings across security, compliance, and determinism categories.

Usage

drako scan [PATH] [OPTIONS]
PATH defaults to . (current directory).

Options

--format terminal | json | sarif (default: terminal)
Output format. terminal renders a Rich report in the console. json emits a structured JSON object. sarif emits a SARIF 2.1 document suitable for upload to GitHub Code Scanning.

--upload (flag)
Upload results to Drako for a shareable URL and score badge. Anonymous uploads expire after 7 days. Pass --api-key or set DRAKO_API_KEY for authenticated uploads.

--api-key <string>
API key for authenticated upload. Can also be set via the DRAKO_API_KEY environment variable; in CI, prefer the environment variable so the key does not end up in shell history or process listings.

--endpoint <string> (default: https://api.getdrako.com)
Backend endpoint used when --upload is set. Override with the DRAKO_ENDPOINT environment variable.

--framework <string>
Comma-separated list of frameworks to detect (e.g. crewai,langgraph). When omitted, all supported frameworks are auto-detected.

--share (flag)
Print a shareable score card and pre-redacted social posts after the scan.

--details (flag)
Show impact analysis and attack scenarios for each finding.

--baseline (flag)
Save the current findings as the baseline. Subsequent scans show only findings that are new since this baseline (use --show-all to override).

--show-all (flag)
Ignore the saved baseline and show every finding regardless of prior acknowledgement.

--benchmark (flag)
Compare your governance score against anonymized benchmark data for your framework.

--determinism (flag)
Filter output to show only determinism findings (DET-* rules).

--threshold-det <integer> (default: 0)
Exit with code 1 if the determinism score is below this value. With the default of 0 the gate never triggers. Used for CI gating on determinism.

--fail-on critical | high | medium | low
Exit with code 1 if any finding at this severity or above is detected. Use for CI gating. CRITICAL findings exit 1 even without this flag.

--diff <string>
Only report findings in files changed since the given git ref (e.g. HEAD~1, origin/main). Requires git to be installed; in CI, make sure the checkout has enough history for the ref to resolve.

Output formats

terminal (default)
Rich-formatted console output with score, grade, Agent BOM summary, and a findings table with severity colours.
drako scan .

Exit codes

Code  Condition
0     Scan completed with no CRITICAL findings and no CI gate triggered.
1     One or more CRITICAL findings detected (always).
1     --fail-on threshold met: at least one finding at the specified severity or above.
1     --threshold-det set and the determinism score fell below the threshold.
1     --diff was set but git is not installed, or git diff failed.
CRITICAL findings always trigger exit code 1 regardless of other flags. This behaviour cannot be disabled.
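Because CRITICAL findings (and any --fail-on match) make the command exit 1, a naive CI job would fail before the SARIF is ever uploaded. The GitHub Actions workflow below is an added example, not part of the drako documentation or project: it exports SARIF, uploads it to Code Scanning, and then re-raises the gate. It assumes the CLI installs from PyPI as a package named drako (the package name is an assumption) and that the SARIF document is fully written to stdout even when the process exits 1, as the page's own `> results.sarif` example implies.

```yaml
name: drako-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so --diff refs such as origin/main resolve

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Assumption: the CLI is installed from PyPI as "drako"; adjust to however you install it.
      - run: pip install drako

      # Scan and gate in one step. SARIF goes to stdout; the gate is the exit code
      # (1 on CRITICAL, always, or on HIGH and above because of --fail-on).
      # continue-on-error keeps the job alive so the SARIF is still uploaded when the gate fails.
      - name: Scan
        id: scan
        continue-on-error: true
        run: drako scan . --format sarif --fail-on high > results.sarif

      - name: Upload to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      # Re-raise the gate after the upload so the check still blocks the PR.
      - name: Enforce gate
        if: steps.scan.outcome == 'failure'
        run: |
          echo "drako scan exited non-zero: CRITICAL or HIGH findings present"
          exit 1
```

The split between the scan step and the gate step is deliberate: with continue-on-error the step's outcome is recorded as failure while the job continues, so the findings reach the Code Scanning tab and the final step turns that outcome back into a failing check.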

Examples

# Basic scan of the current directory
drako scan .

# Scan a subdirectory
drako scan path/to/agent-module/

# CI gate: fail on any HIGH or above finding
drako scan . --fail-on high

# CI gate on determinism score
drako scan . --threshold-det 80

# Only scan files changed in the last commit
drako scan . --diff HEAD~1

# Export SARIF for GitHub Code Scanning
drako scan . --format sarif > results.sarif

# Upload results and get a shareable URL
drako scan . --upload --api-key $DRAKO_API_KEY

# Save current findings as the baseline (acknowledge existing issues)
drako scan . --baseline

# Show only new findings since baseline
drako scan .

# Show everything, ignoring baseline
drako scan . --show-all

# Scan with detailed attack scenario output
drako scan . --details
Run drako scan . before drako init so that init can read the cached scan results and pre-populate your .drako.yaml with real agents, tools, and models.
