Quick CLI Reference Guide
This page collects common scanner configuration sets. The CLI arguments tune the scope and performance of a scan: depending on the size of your environment, a full organization scan might take hours, so consider scoping the scan on a per-project basis.
| Goal | Flags |
|---|---|
| Limit scope to projects | `--projects "ProjA,ProjB"` |
| Scan default branch only | `--top-branches-to-scan 0` |
| Scan all branches | `--top-branches-to-scan -1` |
| Skip committer analysis | `--skip-committer-stats` |
| Skip artifact feeds | `--skip-feeds` |
| Skip builds and pipelines | `--skip-builds` |
| Skip SAST scanning | `--skip-sast` |
| Save results elsewhere | `--results-dir <path>` |
Example Scan Scenarios
Quick Scan
```bash
./observes-scanner \
  --organization my-org \
  --job-id quick-scan \
  --top-branches-to-scan 0 \
  --skip-committer-stats \
  --skip-feeds \
  --skip-sast
```
Scan Specific Projects
```bash
./observes-scanner \
  --organization my-org \
  --job-id targeted-scan \
  --projects "Payments,Platform,SharedServices"
```
Standard Organization Scan
```bash
./observes-scanner \
  --organization my-org \
  --job-id standard-scan
```
Security Review
```bash
./observes-scanner \
  --organization my-org \
  --job-id security-review \
  --top-branches-to-scan -1
```
Repository Discovery / Inventory
```bash
./observes-scanner \
  --organization my-org \
  --job-id inventory \
  --skip-builds \
  --skip-sast
```
Large Enterprise Scan
```bash
./observes-scanner \
  --organization enterprise-org \
  --job-id enterprise-audit \
  --top-branches-to-scan 20 \
  --results-dir ./audit-results
```
CI/CD Pipeline Scan
```bash
./observes-scanner \
  --organization my-org \
  --job-id "${BUILD_ID}" \
  --auth-mode service-principal \
  --results-dir ./artifacts
```
Authentication
The scanner supports multiple authentication methods, selected with `--auth-mode`:

| Mode | Flag | Description |
|---|---|---|
| Default (recommended) | `--auth-mode default` | Auto-detects credentials via `DefaultAzureCredential`: tries environment variables, workload identity, managed identity, and the Azure CLI session, in that order. Best for pipelines using `AzureCLI@2` with a service connection. |
| PAT | `--auth-mode pat -p <TOKEN>` | Personal Access Token (Basic auth). Can also be set via the `AZURE_DEVOPS_PAT` environment variable. Best for local/quick testing. |
| Service Principal | `--auth-mode service-principal` | Microsoft Entra app registration (Bearer token). Requires `--tenant-id`, `--client-id`, and either `--client-secret` or `--client-certificate-path`. |
| Managed Identity | `--auth-mode managed-identity` | Azure managed identity (Bearer token). Requires running on Azure compute. Use `--client-id` for a user-assigned identity. |
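The CI/CD Pipeline Scan scenario above and the `--auth-mode default` row can be combined in a single Azure Pipelines job: the `AzureCLI@2` task signs in with the service connection, and `DefaultAzureCredential` picks up that Azure CLI session, so no secret has to be passed to the scanner. This is an added example, not part of the scanner's own documentation; it assumes the binary is already present on the agent as `./observes-scanner` and that an Azure Resource Manager service connection named `ado-scanner-connection` (placeholder) exists whose identity has read access to the organization.

```yaml
# Added example: Azure Pipelines job running observes-scanner under the
# AzureCLI@2 task so that --auth-mode default resolves credentials via
# DefaultAzureCredential (Azure CLI session from the service connection).
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureCLI@2
    displayName: Run observes-scanner (default-branch organization scan)
    inputs:
      # Placeholder name: service connection whose identity can read the org
      azureSubscription: ado-scanner-connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        set -euo pipefail
        # Assumption: the scanner binary was checked out or downloaded here
        chmod +x ./observes-scanner
        ./observes-scanner \
          --organization my-org \
          --job-id "$(Build.BuildId)" \
          --auth-mode default \
          --top-branches-to-scan 0 \
          --results-dir ./artifacts

  # Keep the results with the build even when the scan step fails,
  # so partial findings can still be reviewed.
  - task: PublishBuildArtifacts@1
    displayName: Publish scan results
    condition: always()
    inputs:
      pathToPublish: ./artifacts
      artifactName: observes-scan-results
```

Using the build id as `--job-id` makes each run's results traceable to the pipeline run that produced them.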
PAT
```bash
./observes-scanner \
  --organization my-org \
  --job-id scan-001 \
  --pat-token "$AZURE_DEVOPS_PAT"
```
PAT via Environment Variable
```bash
export AZURE_DEVOPS_PAT="<your-pat>"
./observes-scanner \
  --organization my-org \
  --job-id scan-001
```
Service Principal
```bash
# Service principal auth requires the tenant, client id and a credential
# (--client-certificate-path <path> can be used instead of --client-secret)
./observes-scanner \
  --organization my-org \
  --job-id scan-001 \
  --auth-mode service-principal \
  --tenant-id "<tenant-id>" \
  --client-id "<client-id>" \
  --client-secret "$CLIENT_SECRET"
```
Managed Identity
```bash
./observes-scanner \
  --organization my-org \
  --job-id scan-001 \
  --auth-mode managed-identity
```