Scan from the CLI
Run your first scan from your terminal with Docker. This takes about 5 minutes.
Prerequisites
- Docker installed and running
- At least 2 GB of free RAM
- A Levo account (sign up) — needed for dashboard reporting; optional for local-only scans
1. Pull the image
docker pull levoai/levoai-shadownet:latest
2. Run a scan
The simplest possible scan — a public URL, no authentication, results printed to your terminal:
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:latest \
scan https://example.com
The --shm-size=1g flag is required: the headless Chromium browser inside the container needs at least 1 GB of shared memory. Without this flag, scans crash mid-crawl with opaque errors.
3. Send findings to the Levo dashboard
Get your credentials. Log in and grab your Auth Key (Settings → API Keys), Organization ID, and Environment ID (Environments → copy ID).
Log in once (persists across runs via the volume mount):
docker run --rm -it \
-v $HOME/.config/configstore:/home/levo/.config/configstore:rw \
levoai/levoai-shadownet:latest \
login -k <your-auth-key> -o <your-org-id>
Scan and report findings:
docker run --rm -it --shm-size=1g \
-v $HOME/.config/configstore:/home/levo/.config/configstore:rw \
-v $(pwd)/reports:/app/reports \
levoai/levoai-shadownet:latest \
scan https://example.com \
--send-issues \
--env-id <your-env-id> \
--name "My First CLI Scan"
Open Scans → DAST Scans in the Levo dashboard to see the run.
4. Authenticated scan
For an app that requires login:
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:latest \
scan https://app.example.com \
--auth form \
--username you@example.com --password 'secret' \
--login-url https://app.example.com/login
Prefer token auth for APIs:
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:latest \
scan https://api.example.com \
--auth token \
--token "Bearer <your-token>"
More options in the Authentication overview.
5. Swap flags for a config file
Once your flag list gets long, move the scan config into levo-dast.yml and commit it to git:
# levo-dast.yml
version: "1"
name: acme-webapp
target:
  url: https://app.example.com
auth:
  strategy: form
  login_url: https://app.example.com/login
  username: ${SCAN_USERNAME}
scan:
  depth: smart
reporting:
  output: sarif
  fail_on: high
# Secrets stay in env vars, never in YAML.
SCAN_USERNAME=you@example.com SCAN_PASSWORD='secret' \
docker run --rm -it --shm-size=1g \
-v $(pwd)/levo-dast.yml:/app/levo-dast.yml \
-e SCAN_USERNAME -e SCAN_PASSWORD \
levoai/levoai-shadownet:latest \
scan
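Because levo-dast.yml is committed to git, it is worth checking before each commit or scan that it holds no literal secrets and that every ${VAR} it references is actually exported for docker run -e to forward. The script below is an added example, not part of Levo's tooling; the function names, the sensitive key-name list and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check for a levo-dast.yml that is committed to git (added example).
# Assumptions: secrets appear only as ${VAR} placeholders, as in the page's
# config; the sensitive key-name list is illustrative, not Levo's schema.
SENSITIVE_KEYS='password|passwd|token|secret|api_key|auth_key'
PLACEHOLDER='[$][{][A-Za-z_][A-Za-z0-9_]*[}]'

# Print "line:content" for sensitive-looking keys that hold a literal value.
literal_secrets() {
  grep -nEi "^[[:space:]]*[a-z_]*(${SENSITIVE_KEYS})[a-z_]*:[[:space:]]*[^[:space:]#]" "$1" |
    grep -vE ":[[:space:]]*[\"']?${PLACEHOLDER}[\"']?[[:space:]]*(#.*)?\$"
}

# Print each ${VAR} referenced in the file that is not exported and non-empty;
# `docker run -e VAR` forwards only what is in the host environment.
missing_vars() {
  grep -oE "$PLACEHOLDER" "$1" | tr -d '${}' | sort -u |
    while read -r name; do
      [ -n "$(printenv "$name")" ] || printf '%s\n' "$name"
    done
}

# Return 0 only if there are no literal secrets and every placeholder is set.
check_scan_config() {
  cfg=$1; rc=0
  leaks=$(literal_secrets "$cfg" || true)
  unset_vars=$(missing_vars "$cfg")
  if [ -n "$leaks" ]; then
    printf 'literal secret in %s:\n%s\n' "$cfg" "$leaks" >&2; rc=1
  fi
  if [ -n "$unset_vars" ]; then
    printf 'not exported: %s\n' "$(echo $unset_vars)" >&2; rc=1
  fi
  return $rc
}

# Write a constructed sample config to PATH, optionally appending one extra line.
write_sample() {   # usage: write_sample PATH [extra-line]
  cat > "$1" <<'EOF'
# constructed sample
target:
  url: https://app.example.com
auth:
  strategy: form
  username: ${SCAN_USERNAME}
EOF
  [ -z "${2:-}" ] || printf '%s\n' "$2" >> "$1"
}
```

Source the file and run check_scan_config levo-dast.yml before the docker run command or from a git pre-commit hook. The key-name match is a heuristic, so a key such as token_url with a literal URL will also be reported.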
Next steps
- Deploy a worker — Docker or Kubernetes for long-running or internal-network scans.
- Automate in CI — CI/CD integration with SARIF output and fail-on thresholds.
- All flags — CLI reference.
- All config keys — levo-dast.yml schema.