---
title: "Scanning Resources"
description: "Overview of nctl scan commands for Kubernetes clusters, Terraform, Dockerfiles, Helm charts, and more"
diataxis: how-to
applies_to:
  product: "nctl"
audience: ["developer","platform-engineer"]
last_updated: 2026-04-16
url: https://docs.nirmata.io/docs/nctl/scan/
---
`nctl scan` is the primary command group for scanning resources for policy violations and security misconfigurations. It supports a wide range of resource types — from live Kubernetes clusters and Git repositories to Terraform plans, Dockerfiles, and Helm charts — making it easy to shift-left security across your entire stack.

## Subcommands

| Command | Description |
|---------|-------------|
| [`nctl scan kubernetes`](/docs/nctl/commands/nctl_scan_kubernetes/) | Scan Kubernetes resources from a live cluster or local manifests against Kyverno policies |
| [`nctl scan repository`](/docs/nctl/commands/nctl_scan_repository/) | Scan all supported resource types in a Git repository or local directory in a single command |
| [`nctl scan terraform`](/docs/nctl/commands/nctl_scan_terraform/) | Scan Terraform plan files for policy violations |
| [`nctl scan dockerfile`](/docs/nctl/commands/nctl_scan_dockerfile/) | Scan Dockerfiles for security and best-practice violations |
| [`nctl scan helm`](/docs/nctl/commands/nctl_scan_helm/) | Scan Helm charts for policy violations |
| [`nctl scan json`](/docs/nctl/commands/nctl_scan_json/) | Scan arbitrary JSON-formatted resources |
| [`nctl scan github-actions`](/docs/nctl/commands/nctl_scan_github-actions/) | Scan GitHub Actions workflow files for security vulnerabilities |
| [`nctl scan compliance`](/docs/nctl/commands/nctl_scan_compliance/) | Run a compliance scan against a Kubernetes cluster for a named standard (SOC2, NIST 800-53, PCI-DSS, etc.) |
| [`nctl scan prompt`](/docs/nctl/commands/nctl_scan_prompt/) | [Experimental] Scan LLM prompts for policy violations |
| [`nctl scan skills`](/docs/nctl/commands/nctl_scan_skills/) | [Experimental] Scan agent skills |

## Output Formats

Most scan commands support multiple output formats via the `-o` / `--output` flag:

| Format | Description |
|--------|-------------|
| `text` | Human-readable terminal output (default) |
| `json` | Machine-readable JSON |
| `yaml` | YAML output |
| `scan-report` | Structured scan report |
| `sarif` | SARIF format for GitHub Code Scanning integration |

Use `--file` to save output to a file instead of printing to stdout.

## Publishing Reports

Use `--publish` to send scan results to Nirmata Control Hub for centralized visibility and sharing across your team.

### Authentication for Publishing

Publishing requires authentication with Nirmata Control Hub. There are two ways to authenticate:

- **User API key** — Set via `nctl login`, the `NIRMATA_TOKEN` environment variable, or `~/.nirmata/config`. Used by default when no other token is provided.
- **Service Account token** — Set via the `NIRMATA_SERVICE_ACCOUNT_TOKEN` environment variable or the `--publish-token` flag. Recommended for CI/CD pipelines and automation workflows where user credentials should not be stored.

For details on setting up and using Service Account tokens, see [Service Account Authentication](./service-accounts/).
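The following is an added example of a CI wrapper around the flags described in the two sections above; it is not part of nctl and not nctl's own code. It assembles the `nctl scan` command line (using only `-o`/`--output`, `--file`, `--publish`, `--publish-token` and `NIRMATA_SERVICE_ACCOUNT_TOKEN` as documented on this page; any subcommand-specific positional arguments are left out) and then gates the pipeline on the SARIF report. The SARIF document below is a constructed sample in the standard 2.1.0 shape, not real nctl output, and the function names are this example's own.

```python
"""CI wrapper for `nctl scan`: build the argv, then gate on the SARIF report.

Added example, not part of nctl. Flag names and the
NIRMATA_SERVICE_ACCOUNT_TOKEN variable come from the documentation page;
the SARIF content below is a constructed sample, not real nctl output.
"""
import json
import os
import subprocess
import sys
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape (assumption: nctl's real report
# follows the same standard layout of runs[].results[]).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "nctl"}},
        "results": [
            {"ruleId": "require-run-as-nonroot", "level": "error",
             "message": {"text": "container runs as root"}},
            {"ruleId": "disallow-latest-tag", "level": "warning",
             "message": {"text": "image uses :latest"}},
            # No "level" key: SARIF 2.1.0 defines the default as "warning".
            {"ruleId": "add-default-resources",
             "message": {"text": "no resource limits set"}},
        ],
    }],
})


def build_scan_argv(resource, output_format="sarif", out_file=None,
                    publish=False, token=None, env=None):
    """Assemble the nctl command line for one CI step.

    When publishing, prefer letting nctl read NIRMATA_SERVICE_ACCOUNT_TOKEN
    from the environment: the token then never appears in argv, where it
    would be visible in process listings and CI logs. --publish-token is
    used only when a token is passed explicitly. Publishing with no token
    available is refused rather than silently falling back to user credentials.
    """
    env = os.environ if env is None else env
    argv = ["nctl", "scan", resource, "--output", output_format]
    if out_file:
        argv += ["--file", out_file]
    if publish:
        argv.append("--publish")
        if token:
            argv += ["--publish-token", token]
        elif not env.get("NIRMATA_SERVICE_ACCOUNT_TOKEN"):
            raise RuntimeError(
                "publishing from CI requires NIRMATA_SERVICE_ACCOUNT_TOKEN")
    return argv


def count_sarif_levels(sarif_text):
    """Return a Counter of result levels across every run in the report.

    Results without an explicit level are counted as "warning" (the SARIF
    default), so unlabelled findings are never dropped from the tally.
    """
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return counts


def gate(sarif_text, fail_on=("error",)):
    """True when the pipeline may pass: no result at any level in fail_on."""
    counts = count_sarif_levels(sarif_text)
    return not any(counts[level] for level in fail_on)


if __name__ == "__main__":
    # Real run: needs nctl on PATH plus cluster or repository access.
    argv = build_scan_argv(
        "kubernetes", "sarif", "results.sarif",
        publish=bool(os.environ.get("NIRMATA_SERVICE_ACCOUNT_TOKEN")))
    subprocess.run(argv, check=True)
    with open("results.sarif", encoding="utf-8") as fh:
        sys.exit(0 if gate(fh.read()) else 1)
```

The gate treats a missing `level` as `warning` because the SARIF specification defines that default; a gate that only matched explicit `"level": "error"` entries would pass reports whose findings carry no level at all. Keeping the token out of the command line is the reason the wrapper only falls back to `--publish-token` when a token is handed to it explicitly.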

## AI-Powered Analysis

Add `--analyze` to a cluster scan to get AI-powered insights and recommendations on the results.

For a fully interactive, AI-driven scanning and policy workflow, see the [Nirmata Assistant](/docs/ai/nctl-ai/).