
Configuration

Decoy Scan is zero-config by default. Use flags for the edge cases.

Decoy Scan doesn't take a config file. The default — auto-discover every MCP client config, probe every server, run every check — is the right answer for nearly every setup. Flags cover the edge cases.

Common flag combinations

CI with a policy gate

npx decoy-scan --sarif --no-advisories > decoy.sarif

Emits SARIF for code scanning and skips the advisory database round-trip (saves ~1s in CI; the action handles advisories separately).

Config-only audit

npx decoy-scan --no-probe

Analyzes client configs and known supply-chain signals without spawning servers. Useful on air-gapped machines.

Brief summary for scripting

npx decoy-scan --json --brief

Minimal JSON: { servers, critical, high, medium, low, poisoned, status }.
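A small CI policy gate over that brief JSON, added here as an example and not part of Decoy Scan itself. It assumes the severity keys (critical, high, medium, low) are integer counts and that poisoned is either a count or a list of servers; the thresholds and the sample report are constructed.

```python
"""Policy gate for `npx decoy-scan --json --brief` output (added example).

Assumes the brief report's severity keys are integer counts and that
`poisoned` is a count or a list; neither is guaranteed by the docs.
"""
import json
import sys

# Constructed sample in the documented brief shape (not real scan output).
SAMPLE_BRIEF = ('{"servers": 4, "critical": 1, "high": 0, "medium": 2, '
                '"low": 5, "poisoned": 0, "status": "fail"}')


def _count(value):
    """Normalise a field that may be a count or a list of items."""
    if isinstance(value, list):
        return len(value)
    return int(value or 0)


def evaluate(report, max_critical=0, max_high=0, allow_poisoned=False):
    """Apply the policy to a parsed brief report; return (passed, reasons)."""
    reasons = []
    crit = _count(report.get("critical"))
    high = _count(report.get("high"))
    poisoned = _count(report.get("poisoned"))
    if crit > max_critical:
        reasons.append(f"critical findings: {crit} > {max_critical}")
    if high > max_high:
        reasons.append(f"high findings: {high} > {max_high}")
    if poisoned and not allow_poisoned:
        reasons.append(f"poisoned servers: {poisoned}")
    return (not reasons, reasons)


def gate_from_json(text, **policy):
    """Parse brief JSON and return a process exit code (0 = pass, 1 = fail)."""
    passed, reasons = evaluate(json.loads(text), **policy)
    for reason in reasons:
        print(f"decoy gate: {reason}", file=sys.stderr)
    return 0 if passed else 1


if __name__ == "__main__":
    # Usage: npx decoy-scan --json --brief | python gate.py
    # (or `python gate.py --sample` to run against the constructed sample)
    text = SAMPLE_BRIEF if "--sample" in sys.argv[1:] else sys.stdin.read()
    sys.exit(gate_from_json(text))
```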

Upload and share

npx decoy-scan --report --token=$DECOY_TOKEN   # Upload to dashboard
npx decoy-scan --share                         # Public shareable URL

Full flag reference

Run npx decoy-scan --help for the current list, or see Scan overview.