
Commands

start

Start a friendly guided scan wizard.

frontguard start
fguard start

Use this when you want Frontguard to guide you step by step instead of remembering flags.

The wizard can help you run:

  • Normal scans for folders, frontend builds, URLs, and localhost apps
  • Deep active browser scans
  • HAR file scans
  • Saved JSON report rendering

It asks for:

  • The scan type
  • The folder, URL, localhost address, HAR file, or report file
  • The output style
  • Whether to include third-party evidence

Example flow:

Frontguard guided scan
What do you want to scan?
  1. Normal scan
  2. Deep active scan
  3. HAR file
  4. Render saved JSON report

How should Frontguard show the report?
  1. Copy-friendly Markdown
  2. Readable terminal summary
  3. Markdown file
  4. JSON file
  5. SARIF file

scan

Scan a local directory, frontend build, URL, or localhost app.

frontguard scan ./dist
fguard scan ./dist
frontguard scan ./.next
frontguard scan ./build
frontguard scan http://localhost:3000
frontguard scan https://example.com

Directory scans inspect files such as:

  • .js
  • .mjs
  • .cjs
  • .map
  • .html
  • .json
  • .txt

URL scans fetch the HTML, same-site script references, and response headers. They do not authenticate, crawl aggressively, submit forms, or mutate data.

By default, URL and deep scans focus findings on the target's own origin and same-site subdomains. For example, app.example.com and api.example.com are treated as the same product surface, while analytics scripts on unrelated domains are treated as third-party noise. To include third-party evidence intentionally:

frontguard scan https://example.com --include-third-party

scan-har

Scan a HAR file exported from browser DevTools.

frontguard scan-har ./session.har --copy
fguard scan-har ./session.har --copy

HAR scans can analyze:

  • Request URLs
  • Request methods
  • Request bodies
  • Response bodies when present in the HAR
  • Response headers
  • GraphQL traffic
  • Sensitive fields in JSON responses

deep-scan

Open a browser, capture traffic while you interact, and press Enter to stop.

frontguard deep-scan http://localhost:3000 --copy
fguard deep-scan http://localhost:3000 --copy

Deep scan is useful when you want CLI behavior similar to the extension's active/deep mode.

It captures:

  • Requests
  • Request bodies
  • Response status
  • Text/JSON response bodies
  • Response headers

It does not click, fuzz, replay, or mutate by itself.

If Playwright browsers are not installed, Frontguard tries the system Chrome and Microsoft Edge first. If none are available, run:

npx playwright install chromium

rules list

List detector categories.

frontguard rules list

report

Render a saved Frontguard JSON report into another format.

frontguard scan ./dist --json --output report.json
frontguard scan ./dist --json --raw --output full-evidence.json
frontguard report report.json --markdown --output report.md
frontguard report report.json --sarif --output report.sarif

init

Create a starter config file.

frontguard init