Scanning
Deep dive into Qryon's scanning capabilities, options, and optimization techniques for maximum effectiveness.
Scan Command Overview
```text
rma scan [OPTIONS] [PATH]

Arguments:
  [PATH]                    Path to scan (default: current directory)

Options:
  -f, --format <FORMAT>     Output format [table|json|sarif|interactive]
  -o, --output <FILE>       Write output to file
  -v, --verbose             Enable verbose output
  -q, --quiet               Suppress non-essential output
      --include <PATTERN>   Include files matching pattern
      --exclude <PATTERN>   Exclude files matching pattern
      --languages <LANGS>   Scan only specific languages
      --fail-on <SEVERITY>  Exit non-zero if findings >= severity
      --max-file-size <SIZE> Skip files larger than SIZE (default: 1MB)
      --no-cache            Disable analysis caching
      --jobs <N>            Number of parallel workers (default: auto)
      --interactive         Launch interactive TUI
  -h, --help                Print help
```
Parallel Processing
Qryon uses Rayon for parallel file processing, automatically scaling to available CPU cores. This enables scanning millions of lines of code in seconds.
```bash
# Use all available cores (default)
rma scan .

# Limit to 4 workers
rma scan . --jobs 4

# Single-threaded (for debugging)
rma scan . --jobs 1
```
Performance Benchmarks
| Codebase Size | Files | Scan Time | Memory |
|---|---|---|---|
| Small (10K LOC) | ~100 | <1s | ~50MB |
| Medium (100K LOC) | ~1,000 | 2-5s | ~150MB |
| Large (1M LOC) | ~10,000 | 15-30s | ~500MB |
| Monorepo (10M LOC) | ~100,000 | 2-5min | ~2GB |
Analysis Caching
Qryon uses content-hash based caching to avoid re-analyzing unchanged files. The cache is stored in ~/.cache/rma/ by default.
```bash
# Normal scan (uses cache)
rma scan .

# Force full re-scan
rma scan . --no-cache

# Clear cache
rma cache clear

# Show cache statistics
rma cache stats
```
Cache keys are computed from file content hashes, enabled rules, and Qryon version. This means cache invalidation happens automatically when any of these change.
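To make the invalidation rule concrete, here is an added illustration (not Qryon's own code) of a content-hash cache keyed on exactly the three inputs named above; the key layout, the in-memory store standing in for ~/.cache/rma/, and the toy rule are assumptions.

```python
"""Illustrative content-hash analysis cache (added example, not Qryon code)."""
import hashlib
from typing import Callable, Dict, Iterable, List


def cache_key(content: bytes, rules: Iterable[str], version: str) -> str:
    """Key = H(content || sorted rules || version), each field length-prefixed.

    Sorting makes the key independent of rule order on the command line;
    length prefixes keep field boundaries unambiguous (assumed layout)."""
    h = hashlib.sha256()
    for field in (content, ",".join(sorted(rules)).encode(), version.encode()):
        h.update(len(field).to_bytes(8, "big"))
        h.update(field)
    return h.hexdigest()


class AnalysisCache:
    """In-memory stand-in for the on-disk cache directory (assumption)."""

    def __init__(self) -> None:
        self._store: Dict[str, List[str]] = {}
        self.hits = 0
        self.misses = 0

    def analyze(self, content: bytes, rules: Iterable[str], version: str,
                run_rules: Callable[[bytes], List[str]]) -> List[str]:
        key = cache_key(content, rules, version)
        if key in self._store:          # unchanged content, rules and version
            self.hits += 1
            return self._store[key]
        self.misses += 1                # anything changed: re-analyze
        self._store[key] = run_rules(content)
        return self._store[key]


def toy_rule(content: bytes) -> List[str]:
    """Constructed stand-in for a real rule set: flag calls to eval()."""
    return ["eval-usage"] if b"eval(" in content else []


def demo() -> tuple:
    """Five scans: one repeat hits; changed rules, version or content miss."""
    c = AnalysisCache()
    src = b"const out = eval(userInput);\n"        # constructed sample file
    c.analyze(src, ["js-eval", "js-xss"], "1.0.0", toy_rule)   # miss
    c.analyze(src, ["js-xss", "js-eval"], "1.0.0", toy_rule)   # hit (order ignored)
    c.analyze(src, ["js-eval"], "1.0.0", toy_rule)             # miss: rules changed
    c.analyze(src, ["js-eval", "js-xss"], "1.1.0", toy_rule)   # miss: version changed
    c.analyze(src + b"// edited\n", ["js-eval", "js-xss"], "1.0.0", toy_rule)  # miss
    return c.hits, c.misses
```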
File Selection
Include/Exclude Patterns
Use glob patterns to control which files are scanned:
```bash
# Scan only src directory
rma scan ./src

# Include specific patterns
rma scan . --include "src/**/*.ts" --include "lib/**/*.ts"

# Exclude patterns
rma scan . --exclude "**/*.test.ts" --exclude "**/node_modules/**"

# Combine include and exclude
rma scan . \
  --include "**/*.{ts,tsx}" \
  --exclude "**/__tests__/**" \
  --exclude "**/*.spec.ts"
```
Language Filtering
```bash
# Scan specific languages
rma scan . --languages javascript,typescript
rma scan . --languages python
rma scan . --languages rust,go

# Available languages:
# javascript, typescript, python, rust, go, java
```
File Size Limits
```bash
# Skip files larger than 500KB
rma scan . --max-file-size 500KB

# Skip files larger than 2MB
rma scan . --max-file-size 2MB

# No size limit (may be slow on large files)
rma scan . --max-file-size 0
```
Analysis Depth
Basic Scan (Default)
Pattern matching and basic static analysis:
```bash
rma scan .
```
Deep Scan
Includes cross-file analysis and taint tracking:
```bash
rma scan . --deep
```
Full Analysis
Everything including call graph generation:
```bash
rma scan . --full
```
| Mode | Pattern Match | Intra-file Flow | Cross-file Flow | Call Graph |
|---|---|---|---|---|
| Basic | ✓ | ✓ | - | - |
| Deep | ✓ | ✓ | ✓ | - |
| Full | ✓ | ✓ | ✓ | ✓ |
Scan Targets
Local Directory
```bash
rma scan /path/to/project
```
Git Repository
```bash
# Scan only staged files
rma scan --staged-only

# Scan files changed in a branch
rma scan --diff main

# Scan specific commit range
rma scan --diff HEAD~5..HEAD
```
Single File
```bash
rma scan ./src/api/auth.ts
```
Standard Input
```bash
# Pipe code through stdin
cat vulnerable.js | rma scan --stdin --language javascript

# Analyze clipboard content
pbpaste | rma scan --stdin --language python
```
Exit Codes
Qryon uses exit codes to indicate scan results for CI/CD integration:
| Code | Meaning |
|---|---|
| 0 | Success, no findings above threshold |
| 1 | Findings above threshold found |
| 2 | Configuration or input error |
| 3 | Internal error |
```bash
# Fail on high or critical findings
rma scan . --fail-on high

# Fail only on critical findings
rma scan . --fail-on critical

# Never fail (always exit 0)
rma scan . --fail-on none
```
Progress and Logging
```bash
# Show progress bar
rma scan . --progress

# Verbose logging
rma scan . --verbose

# Debug logging
RUST_LOG=debug rma scan .

# Quiet mode (only findings)
rma scan . --quiet
```
Memory Management
For very large codebases, you can tune memory usage:
```bash
# Limit memory usage
rma scan . --max-memory 4GB

# Use streaming mode for huge repos
rma scan . --streaming

# Reduce parallelism to lower memory
rma scan . --jobs 2
```