Scan and Fix Mode

Overview

Uses Mobb's built-in Opengrep scanner to identify vulnerabilities in your repository. No external SAST tool or pre-generated report required.
Produces code fixes and redirects the user to the fix report page on the Mobb platform
Also supports a diff-aware mode (via --baseline-commit) that only reports findings introduced since a given commit. Ideal for pull request scans.

Scan and Fix mode is invoked using the analyze command with the -f (scan-file) parameter omitted. When no scan file is provided, Mobb automatically uses its internal Opengrep scanner.

Scan and Fix Mode - Usage

To check what options are available, run:

npx mobbdev@latest analyze --help

Here is the output of the help file:

mobbdev analyze

Provide a code repository, get automated fixes right away. You can also provide a vulnerability report to analyze or
have Mobb scan the code for you.

Options:
  -f, --scan-file                                 Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify,
                                                  CodeQL, Sonarqube, Semgrep, Datadog, Black Duck)                [string]
  -r, --repo                                      Github / GitLab / Azure DevOps repository URL      [string] [required]
  -p, --src-path                                  Path to the repository folder with the source code             [string]
      --ref                                       Reference of the repository (branch, tag, commit)              [string]
      --mobb-project-name                         Mobb project name               [string] [default: "My first project"]
  -y, --yes                                       Skip prompts and use default values                           [boolean]
      --ci                                        Run in CI mode, prompts and browser will not be opened
                                                                                              [boolean] [default: false]
      --org, --organization-id                    Organization id                                                [string]
      --api-key                                   Mobb authentication api-key                                    [string]
      --auto-pr                                   Enable automatic pull requests for new fixes [boolean] [default: false]
      --create-one-pr                             Create a single unified PR for all fixes (requires --auto-pr)
                                                                                              [boolean] [default: false]
      --commit-directly                           Commit directly to the scanned branch instead of creating a pull
                                                  request                                     [boolean] [default: false]
      --pull-request, --pr, --pr-number, --pr-id  Number of the pull request                                     [number]
      --polling                                   Use HTTP polling instead of WebSocket for status updates. Useful for
                                                  proxy environments or firewalls that block WebSocket connections.
                                                  Polling interval: 5 seconds, timeout: 30 minutes.
                                                                                              [boolean] [default: false]
      --baseline-commit                           Only report findings introduced since this commit (PR mode). The sha
                                                  must be reachable from the scanned repository. Effective only when no
                                                  scan file is provided.
                                                                                                                 [string]
      --help                                      Show help                                                     [boolean]

Example: Full Repository Scan

To scan an entire repository and generate fixes, run the analyze command without the -f flag:

npx mobbdev@latest analyze --repo https://github.com/mobb-dev/simple-vulnerable-java-project --ref main --api-key XXXXXX --ci

Notice that there is no -f or --scan-file parameter. When no scan file is provided, Mobb will:

Scan the repository using Mobb's internal Opengrep scanner
Generate automated fixes for supported issues along with a fix report

Diff-Aware Mode (`--baseline-commit`)

Scan and Fix also supports a diff-aware mode that only reports findings introduced since a given commit. This is especially useful in pull request workflows, where you only want to surface (and fix) vulnerabilities that the PR itself adds, not pre-existing issues on the base branch.

To enable diff-aware mode, pass the base commit SHA via --baseline-commit:

npx mobbdev@latest analyze \
  --repo https://github.com/your-org/your-repo \
  --ref feature-branch \
  --baseline-commit <base-sha> \
  --api-key XXXXXX --ci

The --baseline-commit SHA must be reachable from the scanned repository. --baseline-commit is effective only when no scan file is provided (i.e. when running in Scan and Fix mode with -f or --scan-file is omitted).

Automatic PR

To enable automatic PRs for the fixes Mobb generates, add the --auto-pr flag:

npx mobbdev@latest analyze --auto-pr --ci --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY

Other related flags:

--create-one-pr: Bundle all fixes into a single unified PR (requires --auto-pr)
--commit-directly: Commit fixes directly to the scanned branch instead of opening a PR
--pr-number: Associate the fixes with an existing pull request

Click here to learn more about the Automatic PR feature.

Full Workflow Example: GitHub Actions (Diff-Aware Scan + Auto-PR)

The following GitHub Actions workflow runs Mobb's native diff-aware scan on every pull request, then automatically commits fixes back to the PR branch. Because Mobb's CLI now performs the scan natively, there is no separate SAST step needed in the pipeline.

.github/workflows/mobb-scan-and-fix.yml

name: "Mobb Scan-and-Fix with Auto-PR"

on:
  pull_request_target:
    branches:
      - 'main'

jobs:
  scan-and-fix:
    name: Mobb native diff-aware scan + Auto-PR
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      pull-requests: write
      statuses: write
      contents: read
      actions: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Run Mobb diff-aware scan and fix
        env:
          MOBB_API_TOKEN: ${{ secrets.MOBB_API_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          npx mobbdev@latest analyze \
            --ci \
            --repo "https://github.com/${{ github.repository }}" \
            --ref "${{ github.event.pull_request.head.ref }}" \
            --baseline-commit "${{ github.event.pull_request.base.sha }}" \
            --mobb-project-name "auto-pr-scanandfix" \
            --pr-number ${{ github.event.pull_request.number }} \
            --auto-pr \
            --commit-directly \
            --api-key "${MOBB_API_TOKEN}"

Key things to note in this workflow:

--baseline-commit "${{ github.event.pull_request.base.sha }}" makes the scan diff-aware. Only findings introduced by the PR are reported and fixed.
--pr-number associates the fixes with the originating PR.
--auto-pr combined with --commit-directly causes Mobb to push fix commits directly to the PR branch.

For Mobb single-tenant environments, you'll also need to set API_URL, WEB_LOGIN_URL, and WEB_APP_URL environment variables. See Mobb CLI Overview for details.

Benefits of Scan and Fix Mode

No external scanner required: No need to run Checkmarx, Snyk, Semgrep, or other SAST tools first
Streamlined workflow: One command to scan and fix
Built-in scanner: Uses Mobb's optimized Opengrep engine
Diff-aware: --baseline-commit lets you focus only on newly introduced findings, perfect for PR gating
Immediate results: Get fixes without waiting for external scan reports

PreviousMobb CLI Overview NextAnalyze Mode

Last updated 11 days ago

Overview

Scan and Fix Mode - Usage

Example: Full Repository Scan

Diff-Aware Mode (--baseline-commit)

Automatic PR

Full Workflow Example: GitHub Actions (Diff-Aware Scan + Auto-PR)

Benefits of Scan and Fix Mode

Diff-Aware Mode (`--baseline-commit`)