Skip to main content
Qoder CLI includes built-in security scanning to help identify high-risk issues while code is generated and changed. It adds a continuous security check to everyday development, helping you catch dangerous function calls, injection risks, sensitive data leaks, and data-flow issues earlier. Security scanning is not a replacement for a full security audit. It focuses on code generated in the current task and incremental code changes, helping you find actionable issues before you commit.

Entry Point

In the interactive TUI, run:
This opens the security scan settings panel. You can view and toggle each scan level from this panel. Security scanning is enabled by default. Settings are saved to your user configuration and control which scan levels are active. L1 Static Check is free; L2 Lightweight Scan and L3 Deep Scan may consume Credits, depending on in-product prompts and your account’s billing rules.

Scan Levels

Qoder CLI divides security scanning into three levels. You can enable or disable each level independently.

L1 Static Check

L1 applies to code generated in the current task. It uses high-risk pattern matching to quickly catch common issues such as dangerous function calls, obvious sensitive data leak patterns, and other risks that often appear in generated code. L1 Static Check is a free baseline check. We recommend keeping it enabled by default so Qoder can quickly catch high-risk code patterns during the current task.

L2 Lightweight Scan

L2 applies to incremental code changes. It understands code semantics more deeply to identify risks such as SQL injection, remote command execution, and sensitive data leaks. Enable L2 when you want deeper security feedback during everyday coding.

L3 Deep Scan

L3 performs deeper analysis on incremental code changes. It traces data flows across files and functions to uncover hidden vulnerabilities that may not be visible from a single-file view. L3 is best used after commits are ready and before review, push, PR, release, or deployment handoff. If only working-tree changes exist, it may fall back to L2.

Configure Scan Levels

After opening /security-settings, use the arrow keys to move between scan levels, and press Enter or Space to toggle a level. Press q or Esc to close the panel. Each item in the panel shows its current state:
  • on means the level is enabled.
  • off means the level is disabled.
  • default means the default value is being used.
  • saved means the value has been written to user settings.
The settings panel writes only to user-level settings. It does not modify project-level settings.

Use the Settings File

You can also configure security scanning in your user-level settings.json. The settings live under securityScan:
All three options default to true. To disable a level, set the corresponding field to false:

How Automatic Scanning Works

When security scanning is enabled, Qoder CLI loads the built-in security capability according to your configuration and decides which checks to activate. When L1 is enabled, Qoder CLI triggers static checks after relevant tool calls. When L1 is disabled, this automatic check is not loaded. As long as at least one of L1, L2, or L3 is enabled, Qoder CLI keeps the unified security scan capability available. If all three levels are disabled, security scan capabilities are not loaded.

Manual Security Scan

In addition to automatic scan settings, Qoder CLI provides a manual security scan Skill:
The command routes security intent to one of three workflows:
  • Project/file scan: scans the whole repository or exact files and directories that you specify.
  • L2 lightweight review: reviews current working-tree changes.
  • L3 deep review: reviews unreviewed committed changes before push, PR, release, deployment, or other handoff workflows.
A bare /security-scan opens a picker with L3 deep scan, L2 lightweight scan, and Project/file scan. If you select Project/file scan without a scope, Qoder CLI asks whether to scan the whole repository or specific files and directories. You can also include the mode or scope directly:
Project/file scans are available when any security scan level is enabled. L2 and L3 follow their own settings switches. If an explicit L2 or L3 request is disabled, Qoder CLI tells you to enable it in /security-settings; implicit L3 handoff checks stay silent when L3 is disabled.

When to Use It

Security scanning is useful in scenarios such as:
  • Qoder CLI generated or modified security-sensitive code, such as authentication, payment, data export, file upload, or command execution logic.
  • You want to quickly check whether the current changes introduced high-risk issues before committing or handing off code.
  • You want security-focused feedback before a code review.
  • You are using automated modes and want to keep a continuous safety check enabled.

Notes

Security scanning focuses on the current task and incremental changes. Project/file scan can scan the whole repository or selected paths, but it is still not a complete security audit and does not guarantee that every vulnerability will be found. Results depend on the current code context, accessible files, and enabled scan levels. For critical business code, combine it with human security review, tests, dependency scanning, and your organization’s security process. If security scanning does not behave as expected, check the following:
  • The relevant scan level is on in /security-settings.
  • Your user-level settings.json does not explicitly disable fields under securityScan.
  • If you edited the settings file manually, the JSON is valid and saved to user-level settings.
  • The current task produced new or modified code that can be scanned.
  • Permissions: Learn about tool approval, permission modes, and allow/deny rules.
  • Hooks: Learn how Qoder CLI runs automation during tool calls and session lifecycle events.
  • Skills: Learn how Skills extend Qoder CLI with specialized capabilities.