Quick Start Guide

Get your first security scan running in under 5 minutes. This guide walks you through scanning a project and understanding the results.

Your First Scan

After installing Qryon, navigate to any project directory and run:

# Basic scan
rma scan .

# Scan with verbose output
rma scan . --verbose

# Scan specific directory
rma scan ./src

Understanding Output

Qryon outputs findings in a structured format. Here's what a typical finding looks like:

[HIGH] sql-injection in src/api/users.ts:45
  Pattern: Unsanitized user input in SQL query
  Rule: javascript/sql-injection

  42 | app.get('/users', (req, res) => {
  43 |   const id = req.query.id;
  44 |   // VULNERABLE: Direct string interpolation
> 45 |   const query = `SELECT * FROM users WHERE id = '${id}'`;
  46 |   db.query(query);
  47 | });

  Recommendation: Use parameterized queries instead of string interpolation.
  Reference: https://owasp.org/Top10/A03_2021-Injection/
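To make the recommendation in that finding concrete, here is an added example (not code from the Qryon docs or project) that puts the flagged pattern next to its parameterized replacement. No database is involved: a small recording stub stands in for db.query so you can see what would reach the driver in each case. The "$1" placeholder style follows node-postgres; other drivers use "?". The input value is constructed for the demonstration.

```javascript
// Added example, not part of the Qryon documentation.
// Stub that records what a driver would receive: SQL text plus a separate values array.
function makeRecordingDb() {
  const calls = [];
  return {
    calls,
    query(text, values = []) {
      calls.push({ text, values });
    },
  };
}

// VULNERABLE (the pattern from the finding above): the untrusted id is spliced into the SQL text.
function findUserVulnerable(db, id) {
  const query = `SELECT * FROM users WHERE id = '${id}'`;
  db.query(query);
  return query;
}

// FIXED: the SQL text is a constant and the untrusted id travels as a bound parameter.
// "$1" is the node-postgres placeholder style (assumed driver); others use "?".
function findUserSafe(db, id) {
  const text = 'SELECT * FROM users WHERE id = $1';
  db.query(text, [id]);
  return text;
}

// Constructed input containing a quote, the kind of value req.query.id can carry.
const UNTRUSTED_ID = "42' OR '1'='1";

// Runs both versions against the stub and reports whether the input altered the statement.
function demo() {
  const db = makeRecordingDb();
  const vulnerableText = findUserVulnerable(db, UNTRUSTED_ID);
  const safeText = findUserSafe(db, UNTRUSTED_ID);
  return {
    // true: the statement text now contains attacker-controlled SQL
    vulnerableTextChanged: vulnerableText.includes("OR '1'='1"),
    // false: the statement text is unchanged; the value sits in db.calls[1].values
    safeTextChanged: safeText.includes("OR '1'='1"),
    safeValues: db.calls[1].values,
  };
}

console.log(demo());
```

The scanner flags line 45 because the template literal is the only place the value is interpolated; after the fix the statement text no longer depends on any request data, which is also why a rule like javascript/sql-injection stops matching.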

Severity Levels

Level     Description                                     Action
CRITICAL  Exploitable vulnerabilities with severe impact  Fix immediately
HIGH      Serious security issues requiring attention     Fix before deployment
MEDIUM    Potential security issues worth reviewing       Review and assess
LOW       Minor issues or best practice violations        Fix when convenient
INFO      Informational findings, not vulnerabilities     For awareness
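The table defines an ordering, and flags such as --fail-on high (used in the pre-commit hook later in this guide) gate on it. The following added example (not Qryon's code) shows that gating logic over a constructed set of findings. The finding shape ({ severity, rule, file, line }) and the rule names other than javascript/sql-injection are assumptions for the demonstration; Qryon's real JSON output may be structured differently.

```javascript
// Added example, not part of the Qryon documentation.
// Severity levels from the table, lowest to highest.
const SEVERITY_ORDER = ['INFO', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];

// Numeric rank of a level; case-insensitive, rejects unknown values instead of silently ranking them low.
function severityRank(level) {
  const rank = SEVERITY_ORDER.indexOf(String(level).toUpperCase());
  if (rank === -1) throw new Error(`unknown severity: ${level}`);
  return rank;
}

// Count findings per level, listing every level so CI logs keep a stable shape.
function summarize(findings) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((l) => [l, 0]));
  for (const f of findings) counts[SEVERITY_ORDER[severityRank(f.severity)]] += 1;
  return counts;
}

// Mirrors the assumed meaning of --fail-on <level>: fail when any finding is at or above it.
function shouldFail(findings, threshold) {
  const t = severityRank(threshold);
  return findings.some((f) => severityRank(f.severity) >= t);
}

// Findings at or above the threshold, highest severity first, for the failure report.
function blocking(findings, threshold) {
  const t = severityRank(threshold);
  return findings
    .filter((f) => severityRank(f.severity) >= t)
    .sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
}

// Constructed sample standing in for parsed `rma scan . --format json` output (schema assumed).
const SAMPLE_FINDINGS = [
  { severity: 'high', rule: 'javascript/sql-injection', file: 'src/api/users.ts', line: 45 },
  { severity: 'medium', rule: 'javascript/open-redirect', file: 'src/api/auth.ts', line: 12 },
  { severity: 'low', rule: 'style-naming', file: 'src/util.ts', line: 3 },
  { severity: 'info', rule: 'info/todo-comment', file: 'src/util.ts', line: 9 },
];

function report(findings, threshold) {
  const lines = [`counts: ${JSON.stringify(summarize(findings))}`];
  for (const f of blocking(findings, threshold)) {
    lines.push(`[${f.severity.toUpperCase()}] ${f.rule} in ${f.file}:${f.line}`);
  }
  lines.push(shouldFail(findings, threshold) ? `FAIL (threshold ${threshold})` : `PASS (threshold ${threshold})`);
  return lines.join('\n');
}

console.log(report(SAMPLE_FINDINGS, 'high'));
```

With the sample above, a threshold of high fails on the single HIGH finding while a threshold of critical passes; lowering the threshold to medium adds the open-redirect finding to the blocking list without changing the counts.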

Interactive Mode

For a better experience, use interactive mode to browse findings with keyboard navigation:

rma scan --interactive

In interactive mode, you can:

  • Navigate findings with j/k or arrow keys
  • View detailed information with Enter
  • Filter by severity with s
  • Search findings with /
  • Switch between tabs with Tab
  • View call graph with g
  • Exit with q

Output Formats

Qryon supports multiple output formats for different use cases:

JSON Output

# Machine-readable JSON
rma scan . --format json > results.json

# Pretty-printed JSON
rma scan . --format json-pretty

SARIF for GitHub

# SARIF format for GitHub Code Scanning
rma scan . --format sarif > results.sarif

# Upload to GitHub. The code-scanning API expects the SARIF gzip-compressed and
# base64-encoded, together with the commit and ref the results belong to.
gh api repos/{owner}/{repo}/code-scanning/sarifs \
  -f commit_sha="$(git rev-parse HEAD)" \
  -f ref="refs/heads/$(git rev-parse --abbrev-ref HEAD)" \
  -f sarif="$(gzip -c results.sarif | base64 | tr -d '\n')"

Table Output

# Compact table view
rma scan . --format table

Common Workflows

Pre-commit Hook

Run Qryon before every commit to catch issues early:

#!/bin/sh
# .git/hooks/pre-commit (make it executable with: chmod +x .git/hooks/pre-commit)
# Scan only the staged changes and block the commit on HIGH or CRITICAL findings.
if ! rma scan --staged-only --fail-on high; then
  echo "Security issues found. Please fix before committing."
  exit 1
fi

CI Pipeline Check

# GitHub Actions
- name: Security Scan
  run: |
    npm install -g rma-cli
    rma scan . --format sarif > results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results.sarif

Scanning Specific Languages

# Only scan TypeScript files
rma scan . --include "**/*.ts" --include "**/*.tsx"

# Exclude test files
rma scan . --exclude "**/*.test.ts" --exclude "**/__tests__/**"

# Scan only Python
rma scan . --languages python

Configuration File

For persistent settings, create an rma.toml or .rmarc.json in your project root:

# rma.toml
[scan]
exclude = ["node_modules", "dist", "**/*.test.ts"]
fail_on = "high"

[output]
format = "table"
verbose = true

[rules]
disabled = ["style-*"]
severity_override.react-dangerouslysetinnerhtml = "critical"

Next Steps