CLI
The recon-web CLI lets you run scans, inspect individual handlers, and integrate results into CI/CD pipelines — all from the terminal.
Installation
Clone the monorepo and install dependencies:

```sh
git clone https://github.com/brunoafk/recon-web.git
cd recon-web
npm install
```

The CLI entry point is in packages/cli. You can run it directly with:

```sh
node packages/cli/dist/index.js scan example.com
```

Or link it globally during development:

```sh
npm run build
npm link --workspace=packages/cli
recon-web scan example.com
```

Alternatively, use the Docker image; no installation is needed. Pull and run the pre-built image:

```sh
docker run --rm ghcr.io/brunoafk/recon-web/cli scan example.com
```

Commands
scan — full scan (default)

Run all analysis handlers against a URL:

```sh
recon-web scan https://example.com
```

The scan command is the default, so you can also write:

```sh
recon-web https://example.com
```

Individual handler commands

Every registered handler is available as a sub-command. These are auto-generated from the handler registry, so the list grows as new handlers are added. Examples:

```sh
recon-web ssl https://example.com
recon-web dns https://example.com
recon-web headers https://example.com
recon-web ports https://example.com
recon-web whois https://example.com
recon-web tech-stack https://example.com
```

Run recon-web --help to see the full list of available handlers.
Output formats
Colored text (default)

The default output uses coloured text with category badges, status indicators, and compact summaries:

```sh
recon-web scan https://example.com
```

Add --verbose (-v) for expanded output showing all fields:

```sh
recon-web scan -v https://example.com
```

JSON

Use --json or --format json to get machine-readable output:

```sh
recon-web scan --json https://example.com > results.json
```

The JSON output contains { url, results }, where results is a map of handler names to their result objects.
JUnit XML
Use --format junit to produce JUnit XML, suitable for CI test reporters:

```sh
recon-web scan --format junit https://example.com > results.xml
```

Each handler becomes a <testcase>. Handlers that errored become <failure> elements and skipped handlers become <skipped> elements.
CI/CD integration
Fail-on rules

The --fail-on flag causes the CLI to exit with code 1 if specified conditions are met. This lets you gate deployments on security criteria.

```sh
recon-web scan --fail-on ssl:expired https://example.com
```

Rules follow the format handler:condition[:value]. Supported conditions:
| Rule | Meaning |
|---|---|
| ssl:expired | Fail if the SSL certificate is expired |
| security-score:below:80 | Fail if the handler’s score field is below the threshold |
| headers:missing:content-security-policy | Fail if a specific field is missing from the result |
Multiple rules can be passed:
```sh
recon-web scan \
  --fail-on ssl:expired \
  --fail-on security-score:below:80 \
  https://example.com
```

JUnit for test reporters

Most CI systems (GitHub Actions, GitLab CI, Jenkins) can ingest JUnit XML to display test results in the UI:
```yaml
# GitHub Actions example
- name: Security scan
  run: recon-web scan --format junit https://staging.example.com > scan-results.xml

- name: Publish results
  uses: mikepenz/action-junit-report@v4
  with:
    report_paths: scan-results.xml
```

Diff comparison
Compare the current scan against a saved baseline to detect changes:

```sh
# Save a baseline
recon-web scan --json https://example.com > baseline.json

# Later, compare against it
recon-web scan --diff baseline.json https://example.com
```

The diff output highlights handlers that were added, removed, or changed between the two scans.
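As an added example (not part of recon-web), the Node.js script below applies the three fail-on rule forms from the rules table to a scan's JSON output and computes the added/removed/changed handler sets that --diff reports, so the same gate can run inside a pipeline step that consumes results.json. The field names it reads inside result objects (expired, score, header names as keys) are assumptions about handler output, not documented on this page.

```javascript
// Added example, not part of recon-web: a CI gate over `recon-web scan --json`
// output, an object { url, results } where results maps handler names to result
// objects. Rules use the page's handler:condition[:value] format; the fields inside
// result objects (expired, score, header keys) are assumptions, not documented here.
function checkRule(rule, results) { // one rule -> failure message or null
  const [handler, condition, value] = rule.split(":");
  const result = results[handler];
  if (result === undefined) return null; // handler not run: nothing to judge
  switch (condition) {
    case "expired": // ssl:expired
      return result.expired === true ? `${handler}: certificate is expired` : null;
    case "below": // security-score:below:80
      return typeof result.score === "number" && result.score < Number(value)
        ? `${handler}: score ${result.score} is below ${value}` : null;
    case "missing": // headers:missing:content-security-policy
      return value in result ? null : `${handler}: missing field ${value}`;
    default:
      throw new Error(`unknown condition in rule ${rule}`);
  }
}
// Apply all rules; a non-empty failures list means exit code 1, as the CLI does.
function gate(scan, rules) {
  const failures = rules.map((r) => checkRule(r, scan.results)).filter(Boolean);
  return { exitCode: failures.length ? 1 : 0, failures };
}
// Diff two scans by handler name: added, removed, or changed (compared as JSON).
function diffScans(baseline, current) {
  const a = baseline.results, b = current.results;
  return {
    added: Object.keys(b).filter((h) => !(h in a)),
    removed: Object.keys(a).filter((h) => !(h in b)),
    changed: Object.keys(b).filter(
      (h) => h in a && JSON.stringify(a[h]) !== JSON.stringify(b[h])),
  };
}
// Constructed sample scans; in a pipeline you would JSON.parse the saved files.
const baseline = { url: "https://example.com", results: {
  ssl: { expired: false, daysRemaining: 40 },
  headers: { "content-security-policy": "default-src 'self'" },
  "security-score": { score: 85 } } };
const current = { url: "https://example.com", results: {
  ssl: { expired: true, daysRemaining: -3 },
  headers: { "strict-transport-security": "max-age=63072000" },
  "security-score": { score: 72 },
  dns: { a: ["192.0.2.1"] } } }; // 192.0.2.1 is a documentation address
const rules = ["ssl:expired", "security-score:below:80",
  "headers:missing:content-security-policy"];
console.log(gate(current, rules), diffScans(baseline, current));
```

With the constructed sample, all three rules fail against `current` and none against `baseline`, while the diff lists `dns` as added and `ssl`, `headers` and `security-score` as changed.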
The --only flag
Run a subset of handlers by passing a comma-separated list:

```sh
recon-web scan --only ssl,dns,headers https://example.com
```

This is useful for faster, focused scans when you only care about specific checks.
Docker usage
The CLI Docker image works exactly like the local CLI. Pass arguments after the image name:

```sh
# Full scan
docker run --rm ghcr.io/brunoafk/recon-web/cli scan https://example.com

# JSON output
docker run --rm ghcr.io/brunoafk/recon-web/cli scan --json https://example.com

# Single handler
docker run --rm ghcr.io/brunoafk/recon-web/cli ssl https://example.com

# With API keys
docker run --rm \
  -e GOOGLE_CLOUD_API_KEY=your-key \
  ghcr.io/brunoafk/recon-web/cli scan https://example.com

# Fail-on in CI
docker run --rm ghcr.io/brunoafk/recon-web/cli \
  scan --fail-on ssl:expired --format junit https://example.com
```

Configuration
The CLI reads configuration from two sources:

- .recon-web.json — looked up first in the current directory, then in your home directory. Supports apiKeys and chromePath.
- Environment variables — override the config file. The same GOOGLE_CLOUD_API_KEY, VIRUSTOTAL_API_KEY, etc. variables used by the API server work with the CLI.

Because .recon-web.json holds API keys, keep it out of version control and prefer the environment-variable form in CI.

Example .recon-web.json:

```json
{
  "apiKeys": {
    "GOOGLE_CLOUD_API_KEY": "AIza...",
    "VIRUSTOTAL_API_KEY": "abcdef..."
  },
  "chromePath": "/usr/bin/chromium"
}
```