lintel run
The main command. Executes the nine-stage pipeline and emits a report.
Usage
Flags
| Flag | Default | Purpose |
|---|---|---|
| `--hook` | none | Run in hook mode: pre-commit or pre-push |
| `--check` | all | Comma-separated checks to run: secrets,malicious_code,dependencies,lint,format |
| `--override` | false | Run with the gate disabled; requires --reason |
| `--reason` | none | Audit reason for override (min 8 chars) |
| `--dry-run` | false | Validate config + print effective scope; do not invoke scanners |
| `--output` | pretty | pretty |
Global flags (--config, --repo, --verbose, …) also apply. See the CLI index.
Hook mode vs. working-tree mode
- `--hook pre-commit`: scope is `git diff --cached --name-only` (staged files).
- `--hook pre-push`: scope is the commits being pushed, via `git rev-list <remote>..<local>`.
- No `--hook` flag: scope is the modified working tree, equivalent to `git status --porcelain` filtered for tracked files.
Restricting checks
```shell
lintel run --check lint,format   # run only lint and format
lintel run --check secrets       # secrets only - useful for targeted debugging
```
fmt shortcut
Because formatters are the fastest check, lintel fmt is a useful quick sanity pass.
Dry-run
Prints the fully merged config, the detected stacks, the staged file list, and the scanners that would run, then exits. Useful for debugging config precedence or CI environments.
Examples
```shell
# Standard local run.
lintel run

# CI run with JSON output for downstream tools.
# Without `set -o pipefail` this pipeline returns tee's exit status, not lintel's.
lintel run --output json | tee lintel-report.json

# Scope to secrets + dependencies.
lintel run --check secrets,dependencies

# Emergency commit with an override + mandatory reason.
lintel run --override --reason "rotating creds, ticket SEC-1234"
```
Exit codes
| Code | Meaning |
|---|---|
| 0 | Gate passed |
| 1 | Gate failed |
| 2 | Config or CLI error |
| 3 | Scanner binary missing or hash mismatch |
| 4 | Scanner crashed or timed out |
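
A fail-closed CI wrapper for the exit codes above, as an added example that is not part of lintel or of this page's original text. It keeps lintel's own exit status (a `| tee` pipeline reports tee's status unless `pipefail` is set) and treats codes 2 to 4, and anything unexpected, as a gate that did not evaluate. The function names, the no-override policy and the non-empty-report check are assumptions.

```shell
#!/bin/sh
# Added example, not part of lintel. Function names, messages and the
# CI policy (no overrides, non-empty report) are assumptions.

# classify_exit CODE -> 0 allow, 1 findings, 2 gate did not evaluate.
classify_exit() {
    case "$1" in
        0) return 0 ;;
        1) echo "gate failed: findings block this change" >&2; return 1 ;;
        2) echo "config or CLI error: gate did not evaluate" >&2 ;;
        3) echo "scanner missing or hash mismatch: verify the runner image" >&2 ;;
        4) echo "scanner crashed or timed out: results incomplete" >&2 ;;
        *) echo "unexpected exit code $1" >&2 ;;
    esac
    return 2
}

# run_gate REPORT CMD [ARGS...]
# Runs CMD with stdout saved to REPORT and returns the verdict above.
run_gate() {
    report=$1; shift
    # Assumed CI policy: --override disables the gate, so refuse it here.
    for arg in "$@"; do
        if [ "$arg" = "--override" ]; then
            echo "override is not accepted in CI" >&2
            return 2
        fi
    done
    rc=0
    # Redirect instead of piping to tee: a pipeline reports the status of
    # its last command, which would hide lintel's exit code.
    "$@" > "$report" || rc=$?
    cat "$report"
    verdict=0
    classify_exit "$rc" || verdict=$?
    # Assumption: a passing run always emits a report, so an empty one fails closed.
    if [ "$verdict" -eq 0 ] && [ ! -s "$report" ]; then
        echo "exit 0 but empty report: treating as not evaluated" >&2
        verdict=2
    fi
    return "$verdict"
}

# Typical CI step:
#   run_gate lintel-report.json lintel run --output json || exit 1
```

Verdict 2 is kept separate from verdict 1 so a pipeline can route "gate did not run" (including a scanner hash mismatch) to the people who own the runner rather than to the author of the change.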