CLI Commands
Detailed reference for PromptShield CLI commands.
The `@promptshield/cli` package provides a suite of commands to run the scanning engine across your workspace, fix issues automatically, and enforce deterministic sanitization.
All commands resolve configuration from a `promptshield.config.json` file in your workspace root.
🔍 scan
The primary command for detecting threats in your codebase.
Usage:
```bash
promptshield scan [patterns...]
```
By default, without patterns, it scans `**/*`.
Options:
| Flag | Type | Description |
|---|---|---|
| `-c, --config <path>` | string | Path to a custom configuration file. |
| `--min-severity <level>` | `LOW` \| `MEDIUM` \| `HIGH` \| `CRITICAL` | Only report threats at or above this severity. |
| `--no-inline-ignore` | boolean | Ignore `promptshield-ignore` directives in source files. |
| `--concurrency <num>` | number | Number of files to process simultaneously. |
| `--cache <mode>` | `auto` \| `single` \| `split` \| `none` | Control the caching strategy. Default is `auto`. |
| `--force` | boolean | Ignore cache and force a full workspace rescan. |
| `--json` | boolean | Output results as a machine-readable JSON array. |
Exit Codes:
- `0`: Scan completed, no threats found above the `--min-severity` threshold.
- `1`: Scan completed, threats were found. This intentionally breaks CI/CD pipelines.
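Turning those exit codes into a CI gate, as an added example that is not part of the PromptShield project or its documentation: `scan_gate` wraps `promptshield scan` with the severity threshold taken from `CI_MIN_SEVERITY` (a name chosen here, not a PromptShield setting), maps the documented `0`/`1` codes to pass/fail, and, as an assumption beyond what the page documents, treats any other code as a tool failure rather than as a clean run, so a crashed scanner cannot pass the build.

```bash
#!/bin/sh
# Added example, not part of the PromptShield project: a CI gate around
# `promptshield scan`. Assumes the `promptshield` binary is on PATH.
# CI_MIN_SEVERITY is a name chosen for this example, not a PromptShield setting.

CI_MIN_SEVERITY="${CI_MIN_SEVERITY:-HIGH}"

# Scan the given patterns (the whole workspace when none are given).
# --force bypasses the cache: a CI runner is ephemeral and a stale cache must
# not be allowed to hide a finding.
# Prints a one-word verdict and returns 0 (clean), 1 (threats) or 2 (error).
# The page documents only exit codes 0 and 1; treating anything else as a
# tool failure instead of a clean run is this example's assumption.
scan_gate() {
  if promptshield scan "$@" --min-severity "$CI_MIN_SEVERITY" --force; then
    rc=0
  else
    rc=$?
  fi
  case "$rc" in
    0) echo clean;   return 0 ;;
    1) echo threats; return 1 ;;
    *) echo "error (exit $rc)"; return 2 ;;
  esac
}

# When executed as ci-gate.sh, gate on the script's own arguments; a CI job
# runs it as `./ci-gate.sh "src/**/*" "docs/**/*.md"` and fails the job on
# any non-zero status. When sourced, only the function is defined.
case "$0" in *ci-gate.sh) scan_gate "$@" ;; esac
```

Returning a distinct code for the error case matters in practice: a pipeline that only checks for `1` would otherwise treat a missing binary or a crashed scan as a clean result.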
🛠 fix
The `fix` command runs the scanner and attempts to automatically resolve non-destructive issues (like removing invisible characters or un-smuggling Base64 payloads) using the deterministic rules in `@promptshield/sanitizer`.
Usage:
```bash
promptshield fix [patterns...]
```
Options:
Supports all the options of the scan command, plus:
| Flag | Type | Description |
|---|---|---|
| `-w, --write` | boolean | Persist the fixed files back to disk. If omitted, `fix` runs in a "dry-run" mode. |
Exit Codes:
- `0`: Completed successfully. If `--write` is specified, files were modified.
- `1`: Scan found threats that could not be automatically fixed.
🚿 sanitize
The `sanitize` command is a lower-level utility that runs the entire sanitization pipeline over the matched files, ignoring the detection engine entirely.
It is idempotent and guarantees a clean state, regardless of whether a specific threat was detected.
Usage:
```bash
promptshield sanitize [patterns...]
```
Options:
| Flag | Type | Description |
|---|---|---|
| `-w, --write` | boolean | Persist the sanitized files back to disk. If omitted, `sanitize` runs in a "dry-run" mode. |
| `--strict` | boolean | Apply NFKC Unicode normalization. Warning: This can be destructive to intentional typography or mathematical symbols. |
| `--concurrency <num>` | number | Number of files to process simultaneously. |
Exit Codes:
- `0`: Completed successfully.
Example Workflows
CI/CD Pipeline (Fail on HIGH/CRITICAL):
```bash
promptshield scan --min-severity HIGH
```
Pre-commit Hook Setup (Fix automatically):
```bash
promptshield fix "**/*.ts" "**/*.md" --write
```
Aggressive Content Cleanup (the pattern is quoted so PromptShield expands `**` itself, as in the other workflows, rather than the shell):
```bash
promptshield sanitize "content/**/*.md" --write --strict
```
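The pre-commit workflow above, carried through as an added example that is not part of the PromptShield project: a hook script that limits `promptshield fix --write` to the staged TypeScript and Markdown files, re-stages only what the fixer rewrote successfully, and aborts the commit when `fix` returns `1` (threats it could not resolve). It assumes `promptshield` is on PATH and that the script is installed as `.git/hooks/pre-commit`; the function names are chosen here.

```bash
#!/bin/sh
# Added example, not part of the PromptShield project: a git pre-commit hook
# around `promptshield fix --write`. Assumes `promptshield` is on PATH and the
# script is installed as .git/hooks/pre-commit.

# Keep only the extensions the fixer should touch. Reads one path per line on
# stdin and writes the matching paths to stdout; "no match" is not an error.
filter_targets() {
  grep -E '\.(ts|md)$' || true
}

# Run the fixer on the given files and re-stage them only when it succeeded,
# so a file with threats it could not clean (exit 1) is never silently
# committed half-fixed.
fix_and_restage() {
  [ "$#" -eq 0 ] && return 0          # nothing staged that we care about
  if promptshield fix "$@" --write; then
    git add -- "$@"
    return 0
  fi
  echo "promptshield: unresolved threats in staged files; commit aborted" >&2
  return 1
}

main() {
  # Staged Added/Copied/Modified files only; deletions have nothing to fix.
  staged=$(git diff --cached --name-only --diff-filter=ACM | filter_targets)
  [ -z "$staged" ] && return 0
  # Split on newlines only, with globbing off, so paths with spaces survive.
  old_ifs=$IFS
  IFS='
'
  set -f
  set -- $staged
  set +f
  IFS=$old_ifs
  fix_and_restage "$@"
}

# Run only when invoked as the hook; sourcing the file just defines the helpers.
case "$0" in *pre-commit) main ;; esac
```

Restricting the hook to staged files keeps it fast and keeps unrelated working-tree changes out of the commit; the `--write` rewrite is what makes the re-stage step necessary, since the fixed content is otherwise left unstaged.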