CLI Cheatsheet
TL;DR
Quick reference for every gouvernante flag, common command patterns, and Makefile targets. Print this page and pin it next to your terminal.
Who is this for?
Audience: Developers and operators who use gouvernante regularly. Reading time: ~3 minutes.
Command-line flags
gouvernante [flags]
| Flag | Type | Default | Description |
|---|---|---|---|
| -rules | string | (required) | Directory containing rule JSON files. |
| -dir | string | . | Directory to scan for lockfiles. |
| -lockfile | string | | Path to a specific lockfile (overrides -dir). |
| -recursive | bool | false | Recursively scan subdirectories for lockfiles. |
| -host | bool | false | Also check host filesystem for IOC artifacts. |
| -heuristic | bool | false | Scan JS/shell files for malware patterns (no rules needed). |
| -output | string | | Write report to file. Use auto for a timestamped filename. |
| -json | bool | false | Output findings as JSON instead of text. |
| -trace | bool | false | Enable debug-level logging. |
Common patterns
Scan a project directory
gouvernante -rules ./rules -dir ./my-project
Scan a specific lockfile
gouvernante -rules ./rules -lockfile ./my-project/pnpm-lock.yaml
JSON output for CI pipelines
gouvernante -rules ./rules -dir . -json
Include host filesystem checks
gouvernante -rules ./rules -dir . -host
Write report to a file
# Explicit filename
gouvernante -rules ./rules -dir . -output report-heuristics.txt
# Auto-generated timestamped filename
gouvernante -rules ./rules -dir . -output auto
Recursive scan of all subdirectories
gouvernante -rules ./rules -dir . -recursive
Recursive scan with host checks
gouvernante -rules ./rules -dir . -recursive -host
Heuristic scan (no rules needed)
gouvernante -heuristic -dir ./my-project
Recursive heuristic scan with JSON output
gouvernante -heuristic -dir . -recursive -json
Full scan with JSON output saved to file
gouvernante -rules ./rules -dir . -host -json -output auto
Makefile targets
Run these from the repository root with make <target>.
| Target | Description |
|---|---|
| make all | Ensure tools, format, lint, cover, build, licenses, and run integration tests. |
| make build | Cross-compile 5 platforms (output in dist/binaries/). |
| make test | Run all tests with the race detector (go test -mod=vendor -race). |
| make cover | Run tests with coverage report (output in dist/reports/). |
| make scan | Run scan on testdata/ (output in dist/reports/). |
| make fmt | Format code with gofumpt and goimports. |
| make fmt-check | Check formatting without modifying files. |
| make vet | Run go vet on all packages. |
| make staticcheck | Run staticcheck on all packages. |
| make lint | Run golangci-lint (includes vet). |
| make vendor | Update vendor/ directory from go.mod. |
| make vendor-check | Verify vendor/ is consistent with go.mod. |
| make licenses | Generate third-party license report in dist/reports/. |
| make setup | Install all development tools. |
| make test-integration | Run Docker integration tests. |
| make clean | Remove dist/ and reports. |
| make demo | Build and run a demo scan against testdata/. |
Next Steps
- Understand exit codes --> Exit Codes
- Set up CI/CD --> CI/CD Integration
- Run your first scan --> Quickstart