Security Scan

The reflex cloud scan command runs a Reflex-aware security review over your app source. It uploads your project to Reflex Cloud, checks it for security and logic flaws, and reports findings by severity.

A scan requires authentication. Run reflex login first if you are not already logged in.

Running a Scan

From the root of your app, run reflex cloud scan.

This scans the current directory. To scan a different directory, pass its path.

The command zips your app source, skipping dependency and build directories (.web, node_modules, .venv, __pycache__, and similar), submits it for review, and waits for the results.

Reading the Results

Findings are printed sorted by severity:

  • CRITICAL: fix immediately.
  • HIGH: serious; fix soon.
  • MEDIUM: should be addressed.
  • LOW: minor issues and recommendations.

Each finding shows the rule that triggered, its category, the file and line, and a description. A recommended fix is included when available. If nothing is found, the command reports a clean review.

Failing on Severity

--fail-on makes the command exit non-zero when any finding at or above the given severity is present.

The default is low, so any finding at all causes a non-zero exit. Pass --fail-on none to always exit 0, regardless of findings.

JSON Output

--json (or -j) prints the raw result as JSON instead of the formatted output, which is useful for feeding findings into other tooling.

Running in CI

--fail-on sets the exit code, so a scan can block a merge or deploy when issues are found. Pass a token with --token and add --no-interactive so the command never prompts.

Create a REFLEX_AUTH_TOKEN in the tokens tab of the Cloud UI (see the tokens docs) and store it as a repository secret.

This GitHub Actions workflow fails the build on any high or critical finding:
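The following workflow is an added example of the CI setup described above, not the page's own; it assumes the Reflex CLI is installed with pip install reflex and that the repository root is the app root.

```yaml
# Added example (not the page's own workflow): .github/workflows/reflex-scan.yml
# Assumptions: the Reflex CLI is installed with `pip install reflex`, and the
# scan runs from the repository root, which is the app root.
name: Reflex security scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read   # the job only needs to read the source it scans

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Reflex CLI
        run: pip install reflex

      # --fail-on high: exit non-zero on any HIGH or CRITICAL finding,
      #   which fails this job and blocks the merge.
      # --no-interactive: never prompt (there is no TTY in CI).
      # --token: authenticate with the REFLEX_AUTH_TOKEN repository secret,
      #   passed through an env var so it never appears in the command text.
      - name: Run reflex cloud scan
        env:
          REFLEX_AUTH_TOKEN: ${{ secrets.REFLEX_AUTH_TOKEN }}
        run: reflex cloud scan --fail-on high --token "$REFLEX_AUTH_TOKEN" --no-interactive
```

To report findings without blocking the merge, use --fail-on none instead and review the output in the job log.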

Options

See the CLI reference for the full list of options.
