CLI Mode

Advanced Mode

Full control over scanning behavior, engine selection, and output formats. For power users who need fine-grained configuration.

Overview

Advanced mode gives you complete control over Bloodhound's scanning pipeline. Select specific engines, customize rules, tune performance, and choose output formats for your exact use case.

Bash
# Basic advanced mode
bloodhound scan . --mode advanced

# With specific engines only
bloodhound scan . --mode advanced --engines pattern,sast,taint

# Full configuration
bloodhound scan . --mode advanced \
  --engines pattern,sast,dependencies,taint,ai \
  --severity high,critical \
  --output-format sarif \
  --parallel 8 \
  --timeout 300

At a glance: 7 selectable engines, 7 output formats, 50+ configuration flags.

Engine Selection

Choose which analysis engines to run based on your needs. More engines means deeper analysis but longer scan times.

Engine       | Description                                           | Default
-------------|-------------------------------------------------------|--------
pattern      | Regex-based pattern matching (2,400+ patterns)        | On
sast         | Static Application Security Testing with AST analysis | On
dependencies | Dependency vulnerability scanning (CVE databases)     | On
taint        | Taint analysis for data flow tracking                 | On
symbolic     | Symbolic execution for deep analysis                  | Off
graph        | Code graph analysis for complex patterns              | Off
ai           | AI-powered verification and false positive reduction  | On
Bash
# Fast scan: pattern matching only
bloodhound scan . --mode advanced --engines pattern

# Security audit: full pipeline
bloodhound scan . --mode advanced --engines all

# Deep analysis: add symbolic execution
bloodhound scan . --mode advanced --engines pattern,sast,taint,symbolic

# Smart contract focus
bloodhound scan contracts/ --mode advanced --engines pattern,symbolic,graph

# Exclude specific engines
bloodhound scan . --mode advanced --engines all --exclude-engines ai

# Engine-specific configuration
bloodhound scan . --mode advanced \
  --engines pattern,sast,taint \
  --pattern-depth 5 \
  --sast-max-paths 10000 \
  --taint-interprocedural true

Custom Rules

Define custom detection rules to match your organization's specific security requirements and coding standards.

Bash
# Load custom rules file
bloodhound scan . --mode advanced --rules ./custom-rules.yaml

# Add rules inline
bloodhound scan . --mode advanced --add-rule "no-eval: pattern=eval\\(" --severity critical

YAML
# Custom rules file example (custom-rules.yaml)
rules:
  # Custom pattern rule
  - id: "internal-api-key"
    name: "Internal API Key Exposure"
    # Single-quoted so the regex backslashes and embedded quotes survive YAML parsing
    pattern: 'INTERNAL_API_KEY\s*=\s*[''"][^''"]+[''"]'
    severity: critical
    message: "Internal API key found in source code"
    languages: [javascript, typescript, python]
    cwe: 798
    remediation: "Use environment variables or secrets manager"

  # Semantic rule (AST-based)
  - id: "unsafe-deserialization"
    name: "Unsafe Deserialization"
    type: sast
    ast_pattern:
      call:
        function: ["pickle.loads", "yaml.load", "marshal.loads"]
        args:
          - source: user_input
    severity: critical
    cwe: 502

  # Taint flow rule
  - id: "ssrf-aws-metadata"
    name: "SSRF to AWS Metadata"
    type: taint
    sources:
      - "request.params.*"
      - "request.query.*"
    sinks:
      - "http.get"
      - "fetch"
      - "axios"
    sanitizers:
      - "validateUrl"
      - "isAllowedHost"
    message: "User input flows to HTTP request - potential SSRF"
    severity: high

  # Block rule (always fails CI, regardless of severity)
  - id: "block-debug-code"
    name: "Debug Code in Production"
    pattern: 'debugger|console\.log\(|print\("DEBUG"'
    severity: info
    block: true
    message: "Debug code detected - remove before deployment"

Rule Testing

Test custom rules before deploying with: bloodhound test-rule ./rule.yaml --sample ./test-file.ts
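To see what a rule test exercises, here is a small stand-alone harness, added as an example and not Bloodhound's own code, that runs the two pattern rules from the custom-rules.yaml example above over a constructed TypeScript snippet and applies the gating that --severity and block: true imply. The severity ordering, the Finding fields and the file contents are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# The two pattern rules from custom-rules.yaml, as Python dicts so this runs
# without a YAML parser. The regexes are the same as on the page.
RULES = [
    {"id": "internal-api-key", "severity": "critical", "block": False,
     "pattern": r'''INTERNAL_API_KEY\s*=\s*['"][^'"]+['"]'''},
    {"id": "block-debug-code", "severity": "info", "block": True,
     "pattern": r'debugger|console\.log\(|print\("DEBUG"'},
]

# Assumed ordering used to interpret a --severity threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    rule_id: str
    severity: str
    line: int
    block: bool

def scan_source(source: str, rules=RULES) -> list[Finding]:
    """Run every pattern rule over each line, like a regex pattern pass."""
    findings = []
    for rule in rules:
        regex = re.compile(rule["pattern"])
        for lineno, text in enumerate(source.splitlines(), start=1):
            if regex.search(text):
                findings.append(Finding(rule["id"], rule["severity"], lineno, rule["block"]))
    return findings

def ci_should_fail(findings, threshold: str = "high") -> bool:
    """Fail when a finding meets the severity floor, or when a block rule fired
    (block: true fails CI even at severity info)."""
    floor = SEVERITY_RANK[threshold]
    return any(f.block or SEVERITY_RANK[f.severity] >= floor for f in findings)

# Constructed sample files, not real code.
SAMPLE_TS = """\
const INTERNAL_API_KEY = "sk-example-not-real";
function login(user) {
  console.log(user);
  return fetch("/api/login");
}
"""
CLEAN_TS = 'const key = process.env.INTERNAL_API_KEY;\nreturn fetch("/api/login");\n'
```

The key rule fires on line 1 and the block rule on line 3 of SAMPLE_TS; CLEAN_TS reads the key from the environment and produces no findings.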

Performance Tuning

Optimize scan performance for your infrastructure and codebase size.

Bash
# Parallel processing (set to the number of CPU cores)
bloodhound scan . --mode advanced --parallel 16

# Memory limits
bloodhound scan . --mode advanced --max-memory 8G

# Timeout settings: total scan, per-file and per-engine timeouts, in seconds.
# Comments cannot follow a trailing backslash, so they are kept above the command.
bloodhound scan . --mode advanced \
  --timeout 600 \
  --file-timeout 30 \
  --engine-timeout 120

# Incremental scanning (only changed files)
bloodhound scan . --mode advanced --incremental --since HEAD~5

# Cache settings
bloodhound scan . --mode advanced \
  --cache-dir ~/.bloodhound/cache \
  --cache-ttl 24h

# File filtering for large codebases
bloodhound scan . --mode advanced \
  --include "src/**/*.ts" \
  --exclude "**/*.test.ts" \
  --exclude "node_modules/**" \
  --max-file-size 1M

# Sampling mode (for initial assessment): scan 10% of files, chosen randomly
bloodhound scan . --mode advanced --sample 10%

# Performance profiling
bloodhound scan . --mode advanced --profile --profile-output perf.json

Performance Recommendations

- Small repos (<10K files): default settings work well. Enable all engines for thorough analysis.
- Medium repos (10K-100K files): use --parallel 8 and consider --incremental for CI.
- Large repos (>100K files): use --incremental, file filtering, and consider distributed scanning.

Output Formats

Choose the output format that fits your workflow and tooling.

Format    | Extension | Description
----------|-----------|------------------------------------------
json      | .json     | Machine-readable JSON for CI/CD pipelines
sarif     | .sarif    | SARIF 2.1.0 for GitHub/GitLab integration
html      | .html     | Interactive HTML report with charts
markdown  | .md       | Markdown for pull request comments
csv       | .csv      | CSV for spreadsheet analysis
junit     | .xml      | JUnit XML for test frameworks
sonarqube | .json     | SonarQube generic issue format

Bash
# JSON output (default)
bloodhound scan . --mode advanced --output-format json > results.json

# SARIF for GitHub Code Scanning
bloodhound scan . --mode advanced --output-format sarif > results.sarif

# Multiple formats simultaneously
bloodhound scan . --mode advanced \
  --output results.json \
  --output results.sarif \
  --output results.html

# Streaming output (for long scans)
bloodhound scan . --mode advanced --stream --output-format ndjson

# Custom template
bloodhound scan . --mode advanced \
  --output-format template \
  --template ./custom-report.hbs

# Pipeline-friendly output
bloodhound scan . --mode advanced --output-format json --quiet | jq '.findings[] | select(.severity == "critical")'

Debugging

Debug tools for troubleshooting scan issues and understanding analysis behavior.

Bash
# Verbose output
bloodhound scan . --mode advanced -v    # Verbose
bloodhound scan . --mode advanced -vv   # Very verbose
bloodhound scan . --mode advanced -vvv  # Debug level

# Dry run (show what would be scanned)
bloodhound scan . --mode advanced --dry-run

# Explain a specific finding
bloodhound explain FINDING_ID --verbose

# Show engine decision tree
bloodhound scan . --mode advanced --show-decisions

# Trace taint flow for a specific finding
bloodhound trace FINDING_ID --format dot > flow.dot
dot -Tpng flow.dot -o flow.png

# Debug a specific file
bloodhound scan ./src/api/auth.ts --mode advanced --debug-file \
  --show-ast \
  --show-cfg \
  --show-taint

# Export intermediate representations
bloodhound scan . --mode advanced \
  --export-ast ./debug/ast \
  --export-cfg ./debug/cfg \
  --export-cpg ./debug/cpg

Debug Output Size

Debug modes can produce very large output files. Use --debug-file to limit debugging to specific files when investigating issues.