Skip to main content
The PromptGuard CLI scans your codebase locally to detect unprotected LLM SDK calls before you push to Git. It supports Python, JavaScript, and TypeScript projects.

Installation

macOS (Homebrew)

brew tap promptguard/tap
brew install promptguard

Linux / macOS (Binary)

curl -fsSL https://get.promptguard.co/cli | bash

Cargo (Rust)

cargo install promptguard-cli

Verify Installation

promptguard --version
# promptguard-cli 1.1.1

Quick Start

Scan Your Project

cd your-project
promptguard scan
Output: 
🔍 Scanning your-project...

Found 3 unprotected LLM calls:

  ❌ src/api/chat.py:45
     openai.chat.completions.create()
     Provider: OpenAI

  ❌ src/agents/helper.ts:23
     anthropic.messages.create()
     Provider: Anthropic

  ❌ lib/utils.py:89
     client.chat.completions.create()
     Provider: OpenAI

Summary:
  Total LLM calls: 12
  Protected: 9 (75%)
  Unprotected: 3 (25%)

Run `promptguard init` to add protection.

Initialize Protection

promptguard init
This interactively:
  1. Detects which LLM providers you use
  2. Installs the PromptGuard SDK
  3. Adds promptguard.init() to your entry point
  4. Shows you what changed

Commands

promptguard scan

Scan for unprotected LLM SDK calls. 
promptguard scan [path] [options]
OptionDescription
--format <fmt>Output format: pretty (default), json, sarif
--severity <level>Minimum severity: low, medium, high
--include <glob>Only scan matching files
--exclude <glob>Skip matching files
--ciCI mode: exit code 1 if issues found
Examples: 
# Scan specific directory
promptguard scan ./src

# JSON output for CI pipelines
promptguard scan --format json

# SARIF for GitHub Code Scanning
promptguard scan --format sarif > results.sarif

# Only high severity
promptguard scan --severity high

# Exclude tests
promptguard scan --exclude "**/*test*"

promptguard init

Initialize PromptGuard SDK in your project. 
promptguard init [options]
OptionDescription
--api-key <key>PromptGuard API key (or use env var)
--mode <mode>enforce (default) or monitor
--dry-runShow what would change without modifying files
--provider <name>Only configure specific provider
Examples: 
# Interactive setup
promptguard init

# Non-interactive with API key
promptguard init --api-key pg_xxx

# See what would change
promptguard init --dry-run

# Monitor mode (log only, don't block)
promptguard init --mode monitor

promptguard check

Check if protection is properly configured. 
promptguard check
Output: 
✅ PromptGuard SDK installed (v1.2.0)
✅ promptguard.init() found in src/main.py
✅ PROMPTGUARD_API_KEY environment variable set
✅ All 12 LLM calls are protected

Your project is protected!

promptguard fix

Auto-fix unprotected calls by adding SDK initialization. 
promptguard fix [options]
OptionDescription
--dry-runShow diff without applying
--file <path>Fix specific file only
Examples: 
# Preview fixes
promptguard fix --dry-run

# Apply fixes
promptguard fix

# Fix single file
promptguard fix --file src/api/chat.py

promptguard providers

List detected LLM providers in your codebase. 
promptguard providers
Output: 
Detected LLM Providers:

  OpenAI          8 calls   src/api/*.py
  Anthropic       3 calls   src/agents/*.ts
  AWS Bedrock     1 call    lib/bedrock.py

Total: 3 providers, 12 calls

Supported Providers

ProviderPythonJavaScript/TypeScript
OpenAI
Anthropic
Google AI
Cohere
AWS Bedrock
Azure OpenAI
Mistral
Groq

Configuration

.promptguardrc

Create a config file in your project root: 
# .promptguardrc
scan:
  include:
    - "src/**/*.py"
    - "src/**/*.ts"
  exclude:
    - "**/*test*"
    - "**/node_modules/**"
    - "**/__pycache__/**"

init:
  mode: enforce
  entry_point: src/main.py

providers:
  - openai
  - anthropic

Environment Variables

VariableDescription
PROMPTGUARD_API_KEYAPI key for init command
PROMPTGUARD_LOG_LEVELdebug, info, warn, error
NO_COLORDisable colored output

CI/CD Integration

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install PromptGuard CLI
        run: curl -fsSL https://get.promptguard.co/cli | bash

      - name: Scan for unprotected LLM calls
        run: promptguard scan --ci --format sarif > results.sarif

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

GitLab CI

security-scan:
  image: rust:latest
  script:
    - cargo install promptguard-cli
    - promptguard scan --ci
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Pre-commit Hook

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: promptguard
        name: PromptGuard Security Scan
        entry: promptguard scan --ci
        language: system
        pass_filenames: false

Output Formats

Pretty (Default)

Human-readable colored output for terminal use.

JSON

promptguard scan --format json

{
  "summary": {
    "total_calls": 12,
    "protected": 9,
    "unprotected": 3
  },
  "findings": [
    {
      "file": "src/api/chat.py",
      "line": 45,
      "provider": "openai",
      "call": "chat.completions.create",
      "protected": false,
      "severity": "high"
    }
  ]
}

SARIF

GitHub Code Scanning compatible format: 
promptguard scan --format sarif > results.sarif
Upload to GitHub: 
gh api repos/{owner}/{repo}/code-scanning/sarifs \
  -X POST \
  -F sarif=@results.sarif

Troubleshooting

Solution: Add to PATH
# macOS/Linux
export PATH="$HOME/.cargo/bin:$PATH"

# Or reinstall with Homebrew
brew reinstall promptguard
Check:
  • Are you in the right directory?
  • Are the files in the include patterns?
  • Try: promptguard scan --include "**/*.py"
The CLI uses AST parsing, not regex. If you see false positives:

Next Steps

GitHub Scanner

Automated scanning in CI

VS Code Extension

See findings in your editor

Python SDK

Runtime protection

Node.js SDK

JavaScript protection