Scanning Resources
nctl scan is the primary command group for scanning resources for policy violations and security misconfigurations. It supports a wide range of resource types — from live Kubernetes clusters and Git repositories to Terraform plans, Dockerfiles, and Helm charts — making it easy to shift-left security across your entire stack.
Subcommands
| Command | Description |
|---|---|
| nctl scan kubernetes | Scan Kubernetes resources from a live cluster or local manifests against Kyverno policies |
| nctl scan repository | Scan all supported resource types in a Git repository or local directory in a single command |
| nctl scan terraform | Scan Terraform plan files for policy violations |
| nctl scan dockerfile | Scan Dockerfiles for security and best-practice violations |
| nctl scan helm | Scan Helm charts for policy violations |
| nctl scan json | Scan arbitrary JSON-formatted resources |
| nctl scan github-actions | Scan GitHub Actions workflow files for security vulnerabilities |
| nctl scan compliance | Run a compliance scan against a Kubernetes cluster for a named standard (SOC2, NIST 800-53, PCI-DSS, etc.) |
| nctl scan prompt | [Experimental] Scan LLM prompts for policy violations |
| nctl scan skills | [Experimental] Scan agent skills |
Output Formats
Most scan commands support multiple output formats via the -o / --output flag:
| Format | Description |
|---|---|
| text | Human-readable terminal output (default) |
| json | Machine-readable JSON |
| yaml | YAML output |
| scan-report | Structured scan report |
| sarif | SARIF format for GitHub Code Scanning integration |
Use --file to save output to a file instead of printing to stdout.
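The SARIF output is the format to build a CI gate on: write it with -o sarif --file, then decide pass/fail from the results rather than from the scanner's exit code. The script below is an added example written for this page, not part of nctl or its documentation. It assumes only what the page states (a scan command accepts -o sarif and --file <path>); the scan target arguments are passed through from the caller untouched, and the embedded SARIF sample, including its rule ids and messages, is constructed here for illustration and does not represent real nctl rules.

```python
"""CI gate over nctl SARIF output.

Added example for this page, not part of nctl or its documentation.
It assumes only what the page states: a scan command accepts
`-o sarif` and `--file <path>`. The scan target arguments are
supplied by the caller, and the SARIF sample used when run without
arguments is constructed here for illustration.
"""
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path

# SARIF 2.1.0: a result without an explicit level is treated as "warning".
DEFAULT_LEVEL = "warning"


def run_scan_to_sarif(scan_cmd, out_path):
    """Run a scan (caller supplies e.g. ["nctl", "scan", "dockerfile", ...])
    with SARIF output written to out_path, then load and return the document.
    Requires nctl on PATH; not exercised by the offline sample below."""
    cmd = [*scan_cmd, "-o", "sarif", "--file", str(out_path)]
    # No check=True: scanners commonly exit non-zero when violations are
    # found, and the SARIF file is still the authoritative result.
    subprocess.run(cmd, check=False)
    return json.loads(Path(out_path).read_text())


def summarize_sarif(doc):
    """Count results per SARIF level across all runs, and per rule id."""
    by_level = Counter()
    by_rule = Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            by_level[result.get("level", DEFAULT_LEVEL)] += 1
            by_rule[result.get("ruleId", "<no rule>")] += 1
    return {"by_level": dict(by_level), "by_rule": dict(by_rule)}


def should_fail(doc, fail_on=("error",), allowed_rules=()):
    """True when any result at a failing level is not on the allow-list.
    allowed_rules: rule ids accepted as known exceptions (still reported)."""
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", DEFAULT_LEVEL)
            if level in fail_on and result.get("ruleId") not in allowed_rules:
                return True
    return False


# Constructed SARIF sample standing in for `nctl scan ... -o sarif --file`
# output; the rule ids and messages are illustrative, not real nctl rules.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "nctl"}},
        "results": [
            {"ruleId": "example-run-as-nonroot", "level": "error",
             "message": {"text": "container runs as root"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"}}}]},
            {"ruleId": "example-pin-base-image", "level": "warning",
             "message": {"text": "base image tag is :latest"}},
            # No level field: SARIF default applies, so this counts as a warning.
            {"ruleId": "example-add-vs-copy",
             "message": {"text": "ADD used where COPY suffices"}},
        ],
    }],
}


def main(argv):
    # Usage: gate.py <report.sarif> nctl scan <subcommand> [args...]
    # With no arguments the constructed sample is evaluated instead.
    if len(argv) > 2:
        doc = run_scan_to_sarif(argv[2:], argv[1])
    else:
        doc = SAMPLE_SARIF
    print(json.dumps(summarize_sarif(doc), indent=2))
    return 1 if should_fail(doc) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Gating on the SARIF document rather than the exit code keeps the policy in one place: fail_on chooses which levels block a merge, and allowed_rules records accepted exceptions explicitly instead of silencing them, so they still appear in the published report and in GitHub Code Scanning.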
Publishing Reports
Use --publish to send scan results to Nirmata Control Hub (NCH) for centralized visibility and sharing across your team.
AI-Powered Analysis
Add --analyze to a cluster scan to get AI-powered insights and recommendations on the results.
For a fully interactive, AI-driven scanning and policy workflow, see the AI Platform Assistant.