```bash
# Global install (recommended)
npm install -g @funkymed/basile
basile doctor

# One-off run without install
npx @funkymed/basile doctor
```

```bash
basile init                          # generates cookbook.yaml
basile setup --recipe cookbook.yaml  # installs missing tools
basile scan --recipe cookbook.yaml   # preflight + scan + report
```

| Command | Role |
|---|---|
| `basile doctor` | Environment status (Node, Docker, package managers) + scanner availability |
| `basile list-scanners` | Lists known scanners grouped by category |
| `basile init` | Generates a starter cookbook.yaml |
| `basile setup` | Installs missing tools (batched per PM, Docker pulls in parallel) |
| `basile scan` | Runs a scan (recipe or ad-hoc) |
| `basile report` | Re-renders a previous run as MD/PDF without re-scanning |

Code target:

```bash
basile scan --target ./apps/api --stacks php,symfony --scanners phpstan,bearer
```

URL target:

```bash
basile scan --url https://example.com --scanners lighthouse,headers,zap-baseline
```

See docs/examples/code-php-scan.md, docs/examples/code-typescript-scan.md, docs/examples/url-quick-scan.md.

```bash
basile scan --recipe cookbook.yaml
basile scan --recipe cookbook.yaml --auto-install    # install missing tools at preflight
basile scan --recipe cookbook.yaml --skip-preflight  # bypass tool check
```

See docs/examples/multistack-cookbook.md.

```bash
basile scan --target . --scanners gitleaks
basile scan --url https://example.com --scanners lighthouse
```

See docs/examples/single-scanner.md.

| Stack | Scanners |
|---|---|
| PHP / Symfony | phpstan, phpcs, composer-audit, semgrep, bearer, gitleaks, trivy, cloc |
| WordPress | wpscan, gitleaks, trivy |
| TypeScript / React | eslint, tsc, knip, madge, semgrep, bearer, gitleaks, trivy, cloc |
| Node.js | eslint, tsc, depcheck, npm-audit, semgrep, bearer, gitleaks, trivy |
| Production URL | lighthouse, pa11y, zap-baseline, nuclei, headers, ssllabs-scan, testssl |
| Multi / cross-cutting | semgrep, bearer, gitleaks, trivy, cloc |

Detailed catalog (role, options): docs/scanners.md.

| Mode | Scanners |
|---|---|
| Local (system binary) | eslint, tsc, knip, depcheck, npm-audit, madge, semgrep, bearer, gitleaks, cloc, lighthouse, pa11y, headers, ssllabs-scan, testssl |
| Docker (auto-pulled image) | phpstan, phpcs, composer-audit, wpscan, zap-baseline |
| Hybrid (execHybrid: local then Docker fallback) | trivy, nuclei |

`basile doctor` reports in real time what's available locally vs through Docker.

Minimal example:

```yaml
name: audit-client-x
output: ./reports/{{date}}-{{name}}
parallel: 4
targets:
  - id: api
    type: code
    path: ./apps/api
    stacks: [php, symfony]
    scanners: [phpstan, phpcs, composer-audit, semgrep, bearer]
  - id: prod
    type: url
    url: https://app.client.fr
    scanners: [lighthouse, pa11y, zap-baseline, headers, ssllabs-scan]
report:
  formats: [md, pdf]
  template: executive  # executive | technical | security
  group_by: [target, severity]
  min_severity: low
```

Full annotated cookbook: docs/examples/multistack-cookbook.md.

Missing tools are grouped by package manager (one `brew install A B C`, one `npm i -g X Y Z`, parallel Docker pulls).

```bash
basile setup --stack url --yes             # everything for URL audit
basile setup --stack php,symfony           # PHP + Symfony
basile setup --category dast --yes         # all DAST tools
basile setup --all --yes                   # entire registry
basile setup --recipe cookbook.yaml        # only what recipe needs
basile setup --all --docker-concurrency 5  # cap docker parallelism
```

Filters: `--stack` (php, symfony, wordpress, typescript, react, nodejs, url) | `--category` (security, quality, performance, a11y, deps, secrets, privacy, sast, dast, lint).

```
reports/<run>/
├── raw/*.json        # raw output per scanner
├── findings.ndjson   # normalized findings
├── meta.json         # run metadata
├── report.md         # Markdown report
└── report.pdf        # if pdf in report.formats
```

Re-render without re-scanning:

```bash
basile report --from reports/2026-05-06-audit-client-x --pdf
basile report --from reports/<run> --template technical
```

UI modes (`--ui`): pretty (TTY), plain (CI), json (NDJSON pipe), quiet.

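A CI gate over the `findings.ndjson` file from the output layout above, as an added example that is not part of Basile's code or docs. The `target` and `severity` field names and the severity ordering are assumptions inferred from the recipe's `group_by` and `min_severity` keys, and the sample lines are constructed.

```javascript
// Added example, not part of Basile. Assumed schema (not documented on this
// page): one JSON object per line with "target" and "severity" fields, and
// the severity ordering below. Adjust both to match a real findings.ndjson.
const SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"];

function parseNdjson(text) {
  const findings = [];
  const malformed = []; // 1-based line numbers that failed to parse
  text.split(/\r?\n/).forEach((line, i) => {
    if (line.trim() === "") return; // blank lines and trailing newline are fine
    try {
      const obj = JSON.parse(line);
      if (obj === null || typeof obj !== "object" || Array.isArray(obj)) throw new Error("not an object");
      findings.push(obj);
    } catch (err) {
      malformed.push(i + 1); // record it; a skipped line could hide a finding
    }
  });
  return { findings, malformed };
}

function gate(text, failOn) {
  const threshold = SEVERITY_ORDER.indexOf(failOn);
  if (threshold === -1) throw new Error("unknown threshold: " + failOn);
  const { findings, malformed } = parseNdjson(text);
  const byTarget = {}; // target -> severity -> count
  const blocking = [];
  for (const f of findings) {
    const sev = String(f.severity || "").toLowerCase();
    const rank = SEVERITY_ORDER.indexOf(sev);
    const target = f.target || "(no target)";
    const key = rank === -1 ? "unknown" : sev;
    byTarget[target] = byTarget[target] || {};
    byTarget[target][key] = (byTarget[target][key] || 0) + 1;
    // Fail closed: an unrecognised severity blocks like one at or above the threshold.
    if (rank === -1 || rank >= threshold) blocking.push(f);
  }
  const pass = blocking.length === 0 && malformed.length === 0;
  return { pass, blocking, malformed, byTarget };
}

// Constructed sample input, not output from a real run.
const SAMPLE = [
  '{"target":"api","scanner":"semgrep","severity":"high"}',
  '{"target":"api","scanner":"phpstan","severity":"low"}',
  '{"target":"prod","scanner":"headers","severity":"Medium"}',
  '{"target":"prod","scanner":"zap-baseline","severity":"high"', // truncated line
].join("\n") + "\n";
console.log(JSON.stringify(gate(SAMPLE, "medium"), null, 2));
```

In a pipeline, read the real file with `fs.readFileSync` and set a non-zero exit code when `pass` is false.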
- Scanner catalog: docs/scanners.md
- Examples: docs/examples/
- Architecture & contributing: CONTRIBUTING.md
- Build & npm release: docs/internal/release.md