Run a full security scan against the repository — the same scan that the weekly recurring template runs automatically.
Usage
aigon security-scan [--since <sha>] [--no-feedback]

Options
| Option | Description |
|---|---|
| --since <sha> | Scan only commits after this SHA. Defaults to the SHA from the last recorded scan, or HEAD~50 on first run. |
| --no-feedback | Print findings without creating feedback items. |
What it does
- Runs gitleaks (secrets detection), osv-scanner (dependency CVEs), semgrep (SAST), and npm audit against changed files since --since
- Invokes the /security-review skill via claude --print for an LLM-layer analysis of the same diff
- Deduplicates findings using fingerprints stored in .aigon/security-scan-state.json — repeat findings from previous scans are skipped
- For each HIGH-severity finding that hasn’t been seen before, creates an aigon feedback-create item automatically
- Prints a summary of findings, skipped duplicates, and feedback items created
Difference from merge-gate scanning
The merge-gate (feature-close, agent-status implementation-complete / revision-complete) runs a fast diff-aware scan scoped to the current branch. aigon security-scan runs a broader scan across the full commit range since the last scan, including commits from all branches merged to main. Use the on-demand command for repo-wide health checks; the merge gate catches regressions at submission time.
Suppression
Findings can be suppressed by adding their fingerprint to .aigon/security-suppressions.json. Suppressed findings are skipped in future scans without creating feedback items. The weekly recurring scan (security-scan-weekly) respects the same suppression file.
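As an added illustration of the fingerprint flow described under "What it does" and "Suppression" (not aigon's own code; the page does not document the fingerprint scheme or the JSON layout of the two files, so both are assumed here), a Python sketch that deduplicates findings against the recorded state and the suppression list and selects the HIGH ones that would become feedback items:

```python
import hashlib
import json
from pathlib import Path

# Assumed layouts for the two state files (the page names them but not their
# schema): state -> {"last_sha": ..., "fingerprints": [...]};
# suppressions -> {"fingerprints": [...]}. Placeholders for illustration only.
STATE_PATH = Path(".aigon/security-scan-state.json")
SUPPRESSIONS_PATH = Path(".aigon/security-suppressions.json")

def fingerprint(finding: dict) -> str:
    """Stable identity for a finding. Assumed scheme: scanner, rule id and file
    path, deliberately excluding the line number so a finding that only shifts
    lines between scans is still recognised as a repeat."""
    key = "|".join((finding["scanner"], finding["rule"], finding["file"]))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def load_fingerprints(path: Path) -> set:
    """Read the fingerprint list from a state or suppression file, if present."""
    if not path.exists():
        return set()
    return set(json.loads(path.read_text()).get("fingerprints", []))

def triage(findings: list, seen: set, suppressed: set):
    """Drop findings already recorded or suppressed; return the new ones, the
    skipped fingerprints, and the subset of new findings that are HIGH
    severity (the ones that would become feedback items)."""
    new, skipped = [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in seen or fp in suppressed:
            skipped.append(fp)
        else:
            new.append({**f, "fingerprint": fp})
    to_file = [f for f in new if f["severity"] == "HIGH"]
    return new, skipped, to_file

def save_state(path: Path, last_sha: str, seen: set, new: list) -> None:
    """Record the scanned SHA plus every fingerprint seen so far."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fps = sorted(seen | {f["fingerprint"] for f in new})
    path.write_text(json.dumps({"last_sha": last_sha, "fingerprints": fps}, indent=2))

# Constructed sample findings in a normalised shape (not real scanner output).
SAMPLE_FINDINGS = [
    {"scanner": "gitleaks", "rule": "aws-access-token", "file": "config/dev.env", "severity": "HIGH"},
    {"scanner": "semgrep", "rule": "eval-usage", "file": "app/util.py", "severity": "MEDIUM"},
    {"scanner": "osv-scanner", "rule": "GHSA-placeholder", "file": "package-lock.json", "severity": "HIGH"},
]
```

A second run with the same findings and the state written by save_state reports every one of them as skipped, which is the behaviour the weekly scan relies on.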
Example
# Full scan since last recorded SHA
aigon security-scan
# Scan a specific range without filing feedback items
aigon security-scan --since abc1234 --no-feedback

Required tools
At least one scanner must be installed for non-LLM findings. Install all for full coverage:
brew install gitleaks
brew install semgrep # or: pip install semgrep
brew install osv-scanner
npm install -g npm # ensures npm audit is current

Missing tools are skipped with a warning — the LLM layer runs regardless.
See also
- Security Scanning guide — merge gate config, scanner behaviour table