Scanning Resources
`nctl scan` is the primary command group for scanning resources for policy violations and security misconfigurations. It supports a wide range of resource types — from live Kubernetes clusters and Git repositories to Terraform plans, Dockerfiles, and Helm charts — making it easy to shift security left across your entire stack.
Subcommands
| Command | Description |
|---|---|
| `nctl scan kubernetes` | Scan Kubernetes resources from a live cluster or local manifests against Kyverno policies |
| `nctl scan repository` | Scan all supported resource types in a Git repository or local directory in a single command |
| `nctl scan terraform` | Scan Terraform plan files for policy violations |
| `nctl scan dockerfile` | Scan Dockerfiles for security and best-practice violations |
| `nctl scan helm` | Scan Helm charts for policy violations |
| `nctl scan json` | Scan arbitrary JSON-formatted resources |
| `nctl scan github-actions` | Scan GitHub Actions workflow files for security vulnerabilities |
| `nctl scan compliance` | Run a compliance scan against a Kubernetes cluster for a named standard (SOC2, NIST 800-53, PCI-DSS, etc.) |
| `nctl scan prompt` | [Experimental] Scan LLM prompts for policy violations |
| `nctl scan skills` | [Experimental] Scan agent skills |
Output Formats
Most scan commands support multiple output formats via the `-o` / `--output` flag:
| Format | Description |
|---|---|
| `text` | Human-readable terminal output (default) |
| `json` | Machine-readable JSON |
| `yaml` | YAML output |
| `scan-report` | Structured scan report |
| `sarif` | SARIF format for GitHub Code Scanning integration |
Use `--file` to save output to a file instead of printing to stdout.
Publishing Reports
Use `--publish` to send scan results to Nirmata Control Hub (NCH) for centralized visibility and sharing across your team.
Authentication for Publishing
Publishing requires authentication with NCH. There are two ways to authenticate:
- User API key — Set via `nctl login`, the `NIRMATA_TOKEN` environment variable, or `~/.nirmata/config`. Used by default when no other token is provided.
- Service Account token — Set via the `NIRMATA_SERVICE_ACCOUNT_TOKEN` environment variable or the `--publish-token` flag. Recommended for CI/CD pipelines and automation workflows where user credentials should not be stored.
For details on setting up and using Service Account tokens, see Service Account Authentication.
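As an added example (not part of the nctl documentation), the helper below composes an `nctl scan` command line for a pipeline job using only the flags described on this page: `-o`/`--output`, `--file`, `--publish` and, as a pass-through, `--analyze`. It ties the output-format and publishing sections together: it rejects an output format the CLI does not list, and when `--publish` is requested inside CI it insists on `NIRMATA_SERVICE_ACCOUNT_TOKEN` being set rather than silently falling back to a stored user key. The token is left in the environment instead of being passed via `--publish-token`, so it never shows up in the process's argument list or in echoed CI logs. The `CI` variable, file names and the assumption that `nctl scan kubernetes` needs no extra argument for a live cluster are constructed for the example; check `nctl scan <subcommand> --help` for target flags before reusing it.

```shell
#!/bin/sh
# Added example, not the project's own code. Builds (and only prints) the
# nctl scan invocation so a CI job can run it with the right output format
# and the right kind of credential. Formats mirror the table above.

SCAN_FORMATS="text json yaml scan-report sarif"

# Usage: build_scan_cmd <subcommand> <format> <outfile> <publish|local> [extra nctl args...]
# Prints the command line on success. Returns 1 on usage error, 2 on an
# unsupported format, 3 when publishing from CI without a service-account token.
build_scan_cmd() {
  if [ "$#" -lt 4 ]; then
    echo "usage: build_scan_cmd <subcommand> <format> <outfile> <publish|local> [args...]" >&2
    return 1
  fi
  sub="$1"; fmt="$2"; out="$3"; mode="$4"
  shift 4

  # Fail early on a format nctl does not list instead of discovering it at scan time.
  case " $SCAN_FORMATS " in
    *" $fmt "*) ;;
    *) echo "unsupported output format: $fmt (expected one of: $SCAN_FORMATS)" >&2; return 2 ;;
  esac

  cmd="nctl scan $sub -o $fmt --file $out"

  if [ "$mode" = "publish" ]; then
    # CI is a constructed marker for "running in a pipeline". There, the
    # service-account token must be present; NIRMATA_TOKEN (a user API key)
    # is deliberately not accepted, since user credentials should not be
    # stored in pipeline secrets. The token stays in the environment, where
    # nctl reads it, rather than on the command line via --publish-token.
    if [ -n "${CI:-}" ] && [ -z "${NIRMATA_SERVICE_ACCOUNT_TOKEN:-}" ]; then
      echo "publishing from CI requires NIRMATA_SERVICE_ACCOUNT_TOKEN; refusing to use user credentials" >&2
      return 3
    fi
    cmd="$cmd --publish"
  fi

  # Remaining arguments (for example --analyze on a cluster scan, or a
  # manifest path) are appended unchanged.
  for a in "$@"; do
    cmd="$cmd $a"
  done
  printf '%s\n' "$cmd"
}
```

A typical call in a pipeline step is `sh -c "$(build_scan_cmd kubernetes sarif results.sarif publish --analyze)"` after exporting `NIRMATA_SERVICE_ACCOUNT_TOKEN` from the CI secret store; the SARIF file can then be handed to GitHub Code Scanning as the table above describes.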
AI-Powered Analysis
Add `--analyze` to a cluster scan to get AI-powered insights and recommendations on the results.
For a fully interactive, AI-driven scanning and policy workflow, see the AI Platform Assistant.