CLI Options Reference
Commands
| Command | Syntax | Description |
|---|---|---|
| setup | csp-analyser setup | Install Playwright Chromium browser and verify system dependencies |
| crawl | csp-analyser crawl <url> | Headless auto-crawl with violation capture |
| interactive | csp-analyser interactive <url> | Headed manual browsing with violation capture |
| generate | csp-analyser generate [session-id] | Regenerate policy from an existing session |
| export | csp-analyser export [session-id] | Export policy in a deployment-ready format |
| diff | csp-analyser diff <id-a> <id-b> | Compare policies from two sessions |
| score | csp-analyser score [session-id] | Score policy against best practices |
| permissions | csp-analyser permissions [session-id] | Show captured Permissions-Policy headers |
| sessions | csp-analyser sessions | List analysis sessions for the current project |
| start | csp-analyser start | Run the MCP server over stdio (for AI agents) |
| audit | csp-analyser audit <url> | Audit existing CSP: diff + updated policy for enforced and report-only |
| hash-static | csp-analyser hash-static <path>... | Hash inline content in static HTML files (no browser) |
Options
| Flag | Type | Default | Commands | Description |
|---|---|---|---|---|
| --depth <n> | integer (0+) | 1 | crawl, audit | Crawl depth. 0 = single page, 1 = target + linked pages, etc. |
| --max-pages <n> | integer (1+) | 10 | crawl, audit | Maximum number of pages to visit during crawl |
| --strictness <level> | strict \| moderate \| permissive | moderate | crawl, audit, generate, export, diff, score | Controls how specific source expressions are. See strictness levels. |
| --format <fmt> | header \| meta \| nginx \| apache \| cloudflare \| cloudflare-pages \| azure-frontdoor \| helmet \| json | header | crawl, generate, export | Output format for the generated policy. See export formats. |
| --storage-state <path> | string (file path) | -- | crawl, interactive, audit | Path to a Playwright storage state JSON file for authenticated sessions. Must have .json extension. |
| --save-storage-state <path> | string (file path) | -- | interactive | Export browser cookies and storage state to a JSON file when the session ends. See authentication guide. |
| --violation-limit <n> | integer (0+) | 10000 | crawl, interactive, audit | Maximum violations to accept per session. 0 for unlimited. |
| --report-only | boolean | false | crawl, generate, export | Generate Content-Security-Policy-Report-Only instead of Content-Security-Policy |
| --project <name> | string | auto-detected | crawl, interactive, audit, generate, export, score, permissions, sessions | Override auto-detected project name. Also settable via the CSP_ANALYSER_PROJECT env var. |
| --all | boolean | false | sessions | Show sessions from all projects instead of only the current one |
| --collapse-hash-threshold <n> | integer (0+) | disabled | crawl, generate, export, score, hash-static | Collapse hashes to 'unsafe-inline' when a directive exceeds this many hashes. Useful for CSS-in-JS apps with thousands of dynamic inline styles. |
| --static-site | boolean | false | crawl, generate, export, score | Target is a static site: disables nonce replacement (nonces require a server to generate per-request values). |
| --static-profile <profile> | react-expo | -- | crawl, interactive, generate, export, score, hash-static | Static framework profile. react-expo skips nonce replacement, keeps scripts hash-strict, and collapses only excessive style-src-attr hashes to 'unsafe-inline' when the collapse threshold is exceeded. |
| --no-color | boolean | false | all | Disable coloured terminal output. Also respects the NO_COLOR environment variable. |
| --help, -h | -- | -- | all | Show help text |
| --version, -v | -- | -- | all | Show version number |
Output behaviour
- Policy output goes to stdout (pipeable to files or other tools)
- Progress messages and errors go to stderr
- Exit code 0 on success, 1 on error
Because only the policy is written to stdout, you can pipe it straight into a file or another tool:
```bash
# Save nginx config
csp-analyser crawl https://example.com --format nginx > csp.conf
# Pipe JSON to jq
csp-analyser export --format json | jq '.directives'
```
Environment variables
| Variable | Description |
|---|---|
| CSP_ANALYSER_PROJECT | Override auto-detected project name. Equivalent to --project <name> but useful in CI or Docker where the working directory may not have a package.json. The --project flag takes precedence if both are set. |
| NO_COLOR | When set (to any value), disables coloured terminal output. Equivalent to --no-color. |
| LOG_LEVEL | Set logging verbosity: debug, info, warn, error. Defaults to info. |
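The following is an added example, not part of csp-analyser itself, showing how a CI job can rely on the output behaviour and environment variables documented above: the policy (stdout) is captured to a file, progress and errors (stderr) go to a log, a non-zero exit code discards the partial policy so a later deploy step can never pick it up, and CSP_ANALYSER_PROJECT / NO_COLOR are set only for the child process. The `fake_csp_analyser` function is a constructed stand-in that mimics the documented stdout/stderr/exit-code contract so the wrapper can be exercised without the real binary; the project name `my-app` and the nginx line it prints are assumptions.

```bash
#!/bin/sh
# capture_policy OUT LOG PROJECT CMD...
#   Runs CMD (normally a csp-analyser command line) with the policy on stdout
#   written to OUT and stderr (progress, errors) written to LOG. On a non-zero
#   exit the partial OUT file is removed and the tool's exit code is returned.
capture_policy() {
  out="$1"; log="$2"; project="$3"; shift 3
  # Subshell so the env vars apply to the child only; CSP_ANALYSER_PROJECT
  # replaces package.json auto-detection, NO_COLOR keeps the log free of
  # escape codes, LOG_LEVEL matches the documented default.
  ( export CSP_ANALYSER_PROJECT="$project" NO_COLOR=1 LOG_LEVEL=info; "$@" ) \
    >"$out" 2>"$log" && return 0
  rc=$?
  rm -f "$out"          # never leave a half-written policy for a deploy step
  return "$rc"
}

# Constructed stand-in for csp-analyser (not the real tool): progress on stderr,
# policy on stdout, exit 0 on success and 1 on error, as the reference states.
fake_csp_analyser() {
  echo "project: ${CSP_ANALYSER_PROJECT:-<auto>} colour: ${NO_COLOR:+off}" >&2
  case "$1" in
    export)
      # assumed nginx-format output line
      echo "add_header Content-Security-Policy \"default-src 'self'; script-src 'self'\";"
      return 0 ;;
    *)
      echo "error: unknown command $1" >&2
      return 1 ;;
  esac
}

# Real-world usage (not run here):
#   capture_policy csp.conf csp.log my-app csp-analyser export --format nginx || exit 1
```

With the real binary, the `|| exit 1` in the usage line is what fails the pipeline; `capture_policy` preserves the tool's own exit code rather than collapsing it, so a CI system can distinguish a crawl error from a shell error.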