Running a Scan 🏃

nexploit-cli scan:run [options] starts a new scan with the received configuration.

This command enables you to specify one or more discovery strategies. For example, you can use the --crawler option and/or generated HAR files, separately or concurrently. This means that you can handle client-side dynamic content, JavaScript and so on.



If the maximum number of scans that can be run simultaneously is exceeded, the scan is placed in the queue. The concurrent scan limit can be set either for the entire organization or for this particular project in the project settings. The new scan will start as soon as you manually stop another running scan or when the current scan is completed.


Option Description
The unique identifier used to authenticate a user. The token (API key) can be issued in your organization’s dashboard.
The name of the scan.
The archive ID, which can be received via the archive:upload command.
Specifies a list of specific URLs that should be included during crawler discovery.
--agent=repeaterId (Deprecated)
Specifies a list of Repeater UUIDs that should be connected with the scan.
--cluster NeuraLegion cluster (domain name).

--project, -p Allows specifying the NeuraLegion project for a scan using the project ID. You can find the project ID in the Projects section in the NeuraLegion App.
--integration, -i Allows connecting a ticketing service with an associated repository for a scan. It enables you to get the reports on every detected vulnerability in automatically opened tickets/issues of the associated repository.

Note: You can only connect a ticketing service (system) that was previously integrated with NeuraLegion in the NeuraLegion App. Read more about integrating Nexploit with ticketing systems here.

Format: -i "service:repository"
Example: -i "github:example-app"
If you want to connect several repositories for one scan, you can specify them one after another: -i "github:example-app" -i "jira:example-app"


  • To connect a ticketing service and a repository for a scan, the token (API key) that you use for the scan must include the integration.repos:read scope.
  • The --integration (-i) parameter cannot be used without a valid --project (-p) parameter (see above). Make sure that you connect a repository associated with the specified project.
--smart Enables you to use automatic smart decisions, such as parameter skipping, detection phases and so on to minimize scan time. When set to false (turned off), all tests are run on all parameters, which increases the coverage at the expense of scan time.

Default: --smart true
Defines which part of the request to attack (see here for more details).

Note: This argument can be passed multiple times in the same command.

Default: --parameter body query fragment.
--module=dast/fuzzer The DAST module tests for specific scenarios, such as OWASP top 10 and other common scenarios. The fuzzer module generates various new scenarios in order to test for unknown issues, providing automated AI-guided fuzz testing.

Default: --module dast
The list of specific hosts to be included in the scan.
Extra headers to be passed with the archive file. It can also be used to remove a header by providing a name without content. For example, -H "Host:".

Warning: Headers set with this option override the archive headers and are set in all the requests.
--test=testName Specifies a list of relevant tests to execute during a scan.
For example, --test default_login_location dom_xss.
Specifies the ID of the authentication object to be connected to the scan. Find more info about using an authentication object at Managing Your Authentications.
--config=pathToConfig Specifies the path to the configuration file. By default, the CLI tries to discover the config in package.json in the root directory of your application or in a separate file with a specified name in the working directory. For details, see Configuration Files.
Allows setting the level of logs to report. Any logs of a higher level than the one specified are shown. The available options are: 0, 1, 2, 3, 4, "silent", "error", "warn", "notice", "verbose".

Default: 3
--insecure Allows the Nexploit CLI to proceed and operate even if the server connection is considered insecure.
--proxy=socksProxyUrl SOCKS URL to proxy all traffic.

Note: SOCKS4, SOCKS5, SOCKS4a, SOCKS5h are currently supported. By default, if you specify SOCKS://<URL>, then SOCKS5h is applied.
--api=clusterUrl (Deprecated). Set the API endpoint domain, for VPC, use: --api

Default: --api
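
A pre-flight check for a scan:run argument list, as an added example (not part of the NeuraLegion documentation or the CLI itself). It enforces the rules above that --integration (-i) needs --project (-p) and uses the "service:repository" format; rejecting --insecure and the deprecated --agent and --api flags is an assumed pipeline policy. The function name lint_scan_args and the PROJECT_ID value are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: lint the arguments intended for `nexploit-cli scan:run`.
# Returns 0 when they satisfy the rules described on this page, 1 otherwise.
lint_scan_args() {
    has_project=0 has_integration=0 rc=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --project|-p)
                # A project ID must follow the flag.
                if [ -n "${2:-}" ]; then has_project=1; shift; fi ;;
            --project=*)
                has_project=1 ;;
            --integration|-i)
                has_integration=1
                # The value must use the documented "service:repository" format.
                case "${2:-}" in
                    ?*:?*) shift ;;
                    *) echo "lint: -i expects \"service:repository\", got '${2:-}'" >&2; rc=1 ;;
                esac ;;
            --integration=*)
                has_integration=1
                case "${1#*=}" in
                    ?*:?*) ;;
                    *) echo "lint: -i expects \"service:repository\"" >&2; rc=1 ;;
                esac ;;
            --insecure)
                # Assumed policy: never continue over an insecure server connection.
                echo "lint: --insecure is not allowed in this pipeline" >&2; rc=1 ;;
            --agent|--agent=*|--api|--api=*)
                # Assumed policy: flags marked (Deprecated) are rejected.
                echo "lint: ${1%%=*} is deprecated" >&2; rc=1 ;;
        esac
        shift
    done
    if [ "$has_integration" -eq 1 ] && [ "$has_project" -eq 0 ]; then
        echo "lint: --integration (-i) requires a valid --project (-p)" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample invocation; PROJECT_ID is a placeholder.
lint_scan_args --crawler https://example.com -p PROJECT_ID \
    -i "github:example-app" --module dast && echo "arguments accepted"
```

Call the function with the same arguments you are about to pass to scan:run and start the scan only when it returns 0.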
