Entry Point
In the interactive TUI, run:Scan Levels
Qoder CLI divides security scanning into three levels. You can enable or disable each level independently.L1 Static Check
L1 applies to code generated in the current task. It uses high-risk pattern matching to quickly catch common issues such as dangerous function calls, obvious sensitive data leak patterns, and other risks that often appear in generated code. L1 Static Check is a free baseline check. We recommend keeping it enabled by default so Qoder can quickly catch high-risk code patterns during the current task.L2 Lightweight Scan
L2 applies to incremental code changes. It understands code semantics more deeply to identify risks such as SQL injection, remote command execution, and sensitive data leaks. Enable L2 when you want deeper security feedback during everyday coding.L3 Deep Scan
L3 performs deeper analysis on incremental code changes. It traces data flows across files and functions to uncover hidden vulnerabilities that may not be visible from a single-file view. L3 is best used after commits are ready and before review, push, PR, release, or deployment handoff. If only working-tree changes exist, it may fall back to L2.Configure Scan Levels
After opening/security-settings, use the arrow keys to move between scan levels, and press Enter or Space to toggle a level. Press q or Esc to close the panel.
Each item in the panel shows its current state:
onmeans the level is enabled.offmeans the level is disabled.defaultmeans the default value is being used.savedmeans the value has been written to user settings.
Use the Settings File
You can also configure security scanning in your user-levelsettings.json. The settings live under securityScan:
true. To disable a level, set the corresponding field to false:
How Automatic Scanning Works
When security scanning is enabled, Qoder CLI loads the built-in security capability according to your configuration and decides which checks to activate. When L1 is enabled, Qoder CLI triggers static checks after relevant tool calls. When L1 is disabled, this automatic check is not loaded. As long as at least one of L1, L2, or L3 is enabled, Qoder CLI keeps the unified security scan capability available. If all three levels are disabled, security scan capabilities are not loaded.Manual Security Scan
In addition to automatic scan settings, Qoder CLI provides a manual security scan Skill:- Project/file scan: scans the whole repository or exact files and directories that you specify.
- L2 lightweight review: reviews current working-tree changes.
- L3 deep review: reviews unreviewed committed changes before push, PR, release, deployment, or other handoff workflows.
/security-scan opens a picker with L3 deep scan, L2 lightweight scan, and Project/file scan. If you select Project/file scan without a scope, Qoder CLI asks whether to scan the whole repository or specific files and directories.
You can also include the mode or scope directly:
/security-settings; implicit L3 handoff checks stay silent when L3 is disabled.
When to Use It
Security scanning is useful in scenarios such as:- Qoder CLI generated or modified security-sensitive code, such as authentication, payment, data export, file upload, or command execution logic.
- You want to quickly check whether the current changes introduced high-risk issues before committing or handing off code.
- You want security-focused feedback before a code review.
- You are using automated modes and want to keep a continuous safety check enabled.
Notes
Security scanning focuses on the current task and incremental changes. Project/file scan can scan the whole repository or selected paths, but it is still not a complete security audit and does not guarantee that every vulnerability will be found. Results depend on the current code context, accessible files, and enabled scan levels. For critical business code, combine it with human security review, tests, dependency scanning, and your organization’s security process. If security scanning does not behave as expected, check the following:- The relevant scan level is
onin/security-settings. - Your user-level
settings.jsondoes not explicitly disable fields undersecurityScan. - If you edited the settings file manually, the JSON is valid and saved to user-level settings.
- The current task produced new or modified code that can be scanned.
Related Docs
- Permissions: Learn about tool approval, permission modes, and allow/deny rules.
- Hooks: Learn how Qoder CLI runs automation during tool calls and session lifecycle events.
- Skills: Learn how Skills extend Qoder CLI with specialized capabilities.