## nctl scan prompt

[Experimental] scan LLM prompts

```
nctl scan prompt [flags]
```
### Examples

```
# Scan prompts in a config file
nctl scan prompt -r path/to/prompts.yaml -p path/to/policy.yaml

# Scan a directory of prompt files
nctl scan prompt -r path/to/prompts/ -p policies/prompts-baseline.yaml

# Scan a prompt string directly
nctl scan prompt --string "You are a helpful assistant..." -p path/to/policy.yaml

# Read prompt from stdin
echo "You are a helpful assistant..." | nctl scan prompt --stdin -p path/to/policy.yaml

# Scan with minimum confidence threshold for file extraction
nctl scan prompt -r path/to/config/ -p path/to/policy.yaml --min-confidence 0.6

# Scan with audit mode enabled (violations reported as warnings)
nctl scan prompt -r path/to/prompts.yaml -p path/to/policy.yaml --audit-as-warn

# Output results in JSON format
nctl scan prompt -r path/to/prompts.yaml -p path/to/policy.yaml -o json

# Filter policies by severity
nctl scan prompt -r path/to/prompts.yaml -p path/to/policies/ --selector "severity=critical"

# Enable AI-assisted classification (uses Nirmata by default)
nctl scan prompt -r path/to/prompts.yaml -p path/to/policy.yaml --ai-check

# AI classification with a specific provider
nctl scan prompt -r path/to/prompts.yaml -p path/to/policy.yaml --ai-check --ai-provider gemini --ai-model gemini-2.5-pro
```
### Options

```
      --ai-check                     Enable AI-assisted prompt classification (requires Nirmata authentication)
      --ai-model string              AI model for --ai-check (defaults to provider's default model)
      --ai-provider string           AI provider for --ai-check (nirmata, gemini, anthropic, bedrock, azopenai) (default "nirmata")
      --audit-as-warn                Report violations from policies in audit mode as warnings instead of failures
      --details                      Show result details for violating resources (default true)
      --file string[="scan-report"]  Output file (if --file is used without a value, defaults to 'scan-report')
      --git-token string             Git authentication token (for Git URLs in --policies)
      --git-username string          Git username (for Git URLs in --policies)
  -h, --help                         help for prompt
      --insecure                     Allow connection to a Nirmata server with an insecure certificate (not recommended)
      --min-confidence float         Minimum confidence threshold for file-based prompt extraction (0.0-1.0) (default 0.5)
      --no-color                     Disable the colors for the stdout reports
  -o, --output string                Output format (text, json, yaml, scan-report, sarif) (default "text")
  -p, --policies strings             Path to policy files (optional; bundled defaults used when omitted)
      --publish                      Publish reports
      --publish-token string         Scan reports publish token
      --report-sourceid string       Add source id for report created for local scan
  -r, --resources strings            Path to resource files/directories (YAML, JSON, TOML, txt, md)
      --risk-threshold int           Fail if aggregate risk score meets or exceeds this value (0 = disabled)
      --scan-report string           Output scan report file (in JSON format)
      --selector stringArray         Filter policies by annotation (key=value). Key is shorthand for policies.kyverno.io/{key}. Multiple selectors with the same key are OR'd; different keys are AND'd. Example: --selector severity=critical --selector severity=high
      --stdin                        Read prompt text from stdin
      --string string                Provide prompt text directly as a string
      --token string                 The Nirmata API Login Key (env NIRMATA_TOKEN)
      --url string                   The Nirmata server base URL (env NIRMATA_URL)
```
### Options inherited from parent commands

```
  -v, --v Level   number for the log level verbosity
```

### SEE ALSO

- nctl scan - Scan resources