CLI Reference
Ravenscan exposes a single binary with several subcommands.
Commands
| Command | Description |
|---|---|
ravenscan serve | Start the HTTP server + web UI + REST API |
ravenscan scan <targets> | Run a CLI scan, export to file |
ravenscan diff | Compare two scans |
ravenscan baseline | Manage baselines (Enterprise) |
ravenscan trend <target> | Score trend over N days |
ravenscan version | Version and build info |
ravenscan serve
Start the web server (UI + API).
Usage
ravenscan serve [--listen :8080] [--api-key KEY] [--config-dir PATH]| Flag | Default | Description |
|---|---|---|
--listen | :8080 | Listen address |
--api-key | — | Enable Bearer auth for the API |
--config-dir | ~/.ravenscan | Config and cache directory |
--db | <config-dir>/ravenscan.db | SQLite path |
--api-rate-limit | 60 | Scans per hour per API key |
ravenscan scan
Run a scan in CLI mode with direct file export.
Examples
# Basic scan
ravenscan scan 192.168.1.0/24
# Web scan with PDF output
ravenscan scan example.com --web-scan --web-scan-level 2 -o audit.pdf
# Stealth profile
ravenscan scan dmz.acme.com --profile stealth --output dmz.html
# Custom ports with evidence collection
ravenscan scan srv01.prod --ports 1-10000 --collect-evidence -o prod.jsonTargeting flags
--targets-file <file> | Target list (one per line) |
--exclude <CIDR> | IPs to exclude (repeatable) |
--skip-discovery | Skip host discovery |
Scan flags
| Flag | Default | Description |
|---|---|---|
--profile | standard | quick, standard, full, stealth, compliance |
--ports | — | Override: 22,80,443 or 1-1024 |
--top-ports | 1000 | Top ports to scan |
--rate-limit | 100 | Max connections/sec |
--privileged | false | Enable SYN scan, ARP, precise OS fingerprinting |
Audit flags
--check-defaults | Default credentials (opt-in) |
--check-paths | Directory brute-force |
--web-scan | SQLi, XSS, directory discovery |
--web-scan-level <1|2|3> | Web scan intensity |
--collect-evidence | Collect banners, certs, responses |
--templates-dir <dir> | Custom YAML templates directory |
Output flags
-o, --output <file> | Output file (format inferred from extension) |
--format | html, json, jsonl, pdf, md, txt |
-v, --verbose | Verbose (repeatable: -vv, -vvv) |
ravenscan diff
Compare two scans to see new, resolved and unchanged findings.
Examples
# Last two scans in DB
ravenscan diff --last 2 --db ./ravenscan.db
# Between explicit IDs
ravenscan diff --from scan-111 --to scan-222
# Between JSON files
ravenscan diff --from old.json --to new.jsonravenscan baseline (Enterprise)
Baseline management
# Create from a scan
ravenscan baseline create --from-scan report.json --name "prod-Q1-2026"
# List baselines
ravenscan baseline list
# Apply to next scan
ravenscan scan 10.0.0.0/24 --baseline prod-Q1-2026ravenscan trend
Score trend
ravenscan trend 192.168.1.10 --days 30 --db ./ravenscan.db
# Target: 192.168.1.10
# Period: 2026-03-14 -> 2026-04-13 (30 days)
# Score: 72 -> 78 (+6, improving)
# New findings: 0 | Resolved: 3Exit codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Missing / invalid licence |
| 3 | Target unreachable |
| 4 | Invalid config / flag |
| 5 | Critical findings detected (with --fail-on critical) |
CI/CD integration: ravenscan scan staging.acme.com --fail-on high exits 5 if any High finding is detected.
Configuration file
All flags can be set in a YAML file:
ravenscan.yaml
# ravenscan.yaml
profile: standard
targets:
- 192.168.1.0/24
- web-*.prod.internal
exclude:
- 192.168.1.1
ports: "22,80,443,3389"
rate_limit: 100
web_scan: true
web_scan_level: 2
collect_evidence: true
output: audit.pdf
baseline: prod-Q1-2026
db: /var/lib/ravenscan/ravenscan.db Usage
ravenscan scan --config ./ravenscan.yaml