# Scan and Fix Mode

## Overview

* Uses Mobb's built-in [Opengrep](https://www.opengrep.dev/) scanner to identify vulnerabilities in your repository. **No external SAST tool or pre-generated report required.**
* Produces code fixes and redirects the user to the fix report page on the Mobb platform
* Also supports a **diff-aware** mode (via `--baseline-commit`) that only reports findings introduced since a given commit. Ideal for pull request scans.

{% hint style="info" %}
Scan and Fix mode is invoked using the **`analyze`** command with the `-f` (scan-file) parameter **omitted**. When no scan file is provided, Mobb automatically uses its internal Opengrep scanner.
{% endhint %}

### Scan and Fix Mode - Usage

To check what options are available, run:

```
npx mobbdev@latest analyze --help
```

Here is the output of the help command:

```
mobbdev analyze

Provide a code repository, get automated fixes right away. You can also provide a vulnerability report to analyze or
have Mobb scan the code for you.

Options:
  -f, --scan-file                                 Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify,
                                                  CodeQL, Sonarqube, Semgrep, Datadog, Black Duck)                [string]
  -r, --repo                                      Github / GitLab / Azure DevOps repository URL      [string] [required]
  -p, --src-path                                  Path to the repository folder with the source code             [string]
      --ref                                       Reference of the repository (branch, tag, commit)              [string]
      --mobb-project-name                         Mobb project name               [string] [default: "My first project"]
  -y, --yes                                       Skip prompts and use default values                           [boolean]
      --ci                                        Run in CI mode, prompts and browser will not be opened
                                                                                              [boolean] [default: false]
      --org, --organization-id                    Organization id                                                [string]
      --api-key                                   Mobb authentication api-key                                    [string]
      --auto-pr                                   Enable automatic pull requests for new fixes [boolean] [default: false]
      --create-one-pr                             Create a single unified PR for all fixes (requires --auto-pr)
                                                                                              [boolean] [default: false]
      --commit-directly                           Commit directly to the scanned branch instead of creating a pull
                                                  request                                     [boolean] [default: false]
      --pull-request, --pr, --pr-number, --pr-id  Number of the pull request                                     [number]
      --polling                                   Use HTTP polling instead of WebSocket for status updates. Useful for
                                                  proxy environments or firewalls that block WebSocket connections.
                                                  Polling interval: 5 seconds, timeout: 30 minutes.
                                                                                              [boolean] [default: false]
      --baseline-commit                           Only report findings introduced since this commit (PR mode). The sha
                                                  must be reachable from the scanned repository. Effective only when no
                                                  scan file is provided.
                                                                                                                 [string]
      --help                                      Show help                                                     [boolean]
```

## Example: Full Repository Scan

To scan an entire repository and generate fixes, run the `analyze` command **without** the `-f` flag:

```sh
npx mobbdev@latest analyze --repo https://github.com/mobb-dev/simple-vulnerable-java-project --ref main --api-key XXXXXX --ci
```

Notice that there is no `-f` or `--scan-file` parameter. When no scan file is provided, Mobb will:

* **Scan** the repository using Mobb's internal Opengrep scanner
* **Generate** automated fixes for supported issues along with a fix report

## Diff-Aware Mode (`--baseline-commit`)

Scan and Fix also supports a **diff-aware** mode that only reports findings **introduced since a given commit**. This is especially useful in pull request workflows, where you only want to surface (and fix) vulnerabilities that the PR itself adds, not pre-existing issues on the base branch.

To enable diff-aware mode, pass the base commit SHA via `--baseline-commit`:

```sh
npx mobbdev@latest analyze \
  --repo https://github.com/your-org/your-repo \
  --ref feature-branch \
  --baseline-commit <base-sha> \
  --api-key XXXXXX --ci
```

{% hint style="warning" %}
The `--baseline-commit` SHA must be reachable from the scanned repository. `--baseline-commit` is effective only when no scan file is provided (i.e. when running in Scan and Fix mode, with `-f` / `--scan-file` omitted).
{% endhint %}
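The reachability requirement above is easy to violate in CI (a shallow clone, a squashed base branch, a mistyped SHA). The following preflight script is an added example, not part of the Mobb CLI or its documentation: it checks that a candidate `--baseline-commit` is a full SHA and an ancestor of the scanned ref in a local checkout before the `analyze` command is built. It assumes the scanned ref is available locally with full history; `make_demo_repo` constructs a throwaway repository purely so the check can be tried offline.

```shell
#!/bin/sh
# Preflight for a Mobb diff-aware scan (added example, not part of the Mobb CLI).
# Assumes the scanned ref is checked out locally with full history in REPO_DIR.
set -eu

# is_full_sha SHA: succeeds only for a full 40-character lowercase hex commit SHA.
is_full_sha() {
  case "$1" in
    "" | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# baseline_is_reachable REPO_DIR BASE_SHA REF: succeeds when BASE_SHA is a commit
# in REPO_DIR and an ancestor of REF. A shallow clone fails here: the history is absent.
baseline_is_reachable() {
  git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null || return 1
  git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null
}

# mobb_baseline_args REPO_DIR BASE_SHA REF: prints "--baseline-commit BASE_SHA" when
# the baseline is usable; otherwise explains why on stderr and returns 1 so the caller
# can fail the job or fall back to a full scan instead of handing Mobb a bad SHA.
mobb_baseline_args() {
  if ! is_full_sha "$2"; then
    echo "baseline '$2' is not a full 40-hex commit SHA" >&2
    return 1
  fi
  if ! baseline_is_reachable "$1" "$2" "$3"; then
    echo "baseline $2 is not reachable from $3 in $1 (shallow clone?)" >&2
    return 1
  fi
  printf -- '--baseline-commit %s\n' "$2"
}

# make_demo_repo: constructs a throwaway repository with two commits and prints
# "<dir> <first-sha>" so the preflight can be exercised offline.
make_demo_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  git -C "$d" -c user.name=demo -c user.email=demo@example.com \
    commit -q --allow-empty -m base
  first=$(git -C "$d" rev-parse HEAD)
  git -C "$d" -c user.name=demo -c user.email=demo@example.com \
    commit -q --allow-empty -m feature
  echo "$d $first"
}

# Usage as a script: sh preflight.sh <repo-dir> <base-sha> <ref>
if [ "$#" -eq 3 ]; then
  mobb_baseline_args "$@"
fi
```

In a pipeline, pass the printed `--baseline-commit <sha>` through to `npx mobbdev@latest analyze ...`, and treat a non-zero exit as a signal to run a full scan rather than a diff-aware one.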

## Automatic PR

To enable automatic PRs for the fixes Mobb generates, add the `--auto-pr` flag:

```sh
npx mobbdev@latest analyze --auto-pr --ci --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY
```

Other related flags:

* `--create-one-pr`: Bundle all fixes into a single unified PR (requires `--auto-pr`)
* `--commit-directly`: Commit fixes directly to the scanned branch instead of opening a PR
* `--pr-number`: Associate the fixes with an existing pull request

Click [here](/mobb-user-docs/administration/fix-policy.md#automatic-pr) to learn more about the Automatic PR feature.

## Full Workflow Example: GitHub Actions (Diff-Aware Scan + Auto-PR)

The following GitHub Actions workflow runs Mobb's native diff-aware scan on every pull request, then automatically commits fixes back to the PR branch. Because Mobb's CLI now performs the scan natively, there is **no separate SAST step** needed in the pipeline.

{% code title=".github/workflows/mobb-scan-and-fix.yml" %}

```yaml
name: "Mobb Scan-and-Fix with Auto-PR"

on:
  pull_request_target:
    branches:
      - 'main'

jobs:
  scan-and-fix:
    name: Mobb native diff-aware scan + Auto-PR
    runs-on: 'ubuntu-latest'
    timeout-minutes: 360
    permissions:
      pull-requests: write
      statuses: write
      contents: read
      actions: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Run Mobb diff-aware scan and fix
        env:
          MOBB_API_TOKEN: ${{ secrets.MOBB_API_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          npx mobbdev@latest analyze \
            --ci \
            --repo "https://github.com/${{ github.repository }}" \
            --ref "${{ github.event.pull_request.head.ref }}" \
            --baseline-commit "${{ github.event.pull_request.base.sha }}" \
            --mobb-project-name "auto-pr-scanandfix" \
            --pr-number ${{ github.event.pull_request.number }} \
            --auto-pr \
            --commit-directly \
            --api-key "${MOBB_API_TOKEN}"
```

{% endcode %}

Key things to note in this workflow:

* `--baseline-commit "${{ github.event.pull_request.base.sha }}"` makes the scan diff-aware. Only findings introduced by the PR are reported and fixed.
* `--pr-number` associates the fixes with the originating PR.
* `--auto-pr` combined with `--commit-directly` causes Mobb to push fix commits directly to the PR branch.

{% hint style="info" %}
For Mobb single-tenant environments, you'll also need to set `API_URL`, `WEB_LOGIN_URL`, and `WEB_APP_URL` environment variables. See [Mobb CLI Overview](/mobb-user-docs/getting-started/mobb-cli.md#single-tenants) for details.
{% endhint %}

## Benefits of Scan and Fix Mode

* **No external scanner required**: No need to run Checkmarx, Snyk, Semgrep, or other SAST tools first
* **Streamlined workflow**: One command to scan and fix
* **Built-in scanner**: Uses Mobb's optimized Opengrep engine
* **Diff-aware**: `--baseline-commit` lets you focus only on newly introduced findings, perfect for PR gating
* **Immediate results**: Get fixes without waiting for external scan reports
