Scanner CLI

The Arcanon Scanner analyses your codebase to extract service boundaries, endpoints, connections, and schemas — then uploads the results to your Arcanon Hub workspace. It runs entirely on your machine.

Installation

macOS / Linux:

curl -fsSL https://arcanon.dev/install.sh | sh

Windows (PowerShell):

irm https://arcanon.dev/install.ps1 | iex

Verify the installation:

arcanon --version

Quick start

# Set your credentials (from Settings > API Keys in the dashboard)
export ARCANON_API_KEY=arc_your_key_here
export ARCANON_HUB_URL=https://api.arcanon.dev

# Scan and upload
arcanon

# Preview results first
arcanon --dry-run

Options

All options can also be set via environment variables (ARCANON_API_KEY, ARCANON_HUB_URL, ARCANON_PROJECT_SLUG) or in .arcanon.toml.

Configuration

Add .arcanon.toml to your repo root to customise scanner behaviour. Commit this file — it's shared across the team.

[scanner]
project_slug = "my-project"
hub_url = "https://api.arcanon.dev"

[scanner.exclude]
paths = ["vendor/**", "legacy/**"]

Override service names

When the scanner misdetects a service name:

[services."packages/api"]
name = "api-server"

[services."packages/shared"]
ignore = true  # not a service

Declare connections manually

For connections the scanner can't detect (runtime service discovery, sidecar proxies):

[[connections.manual]]
source = "api-server"
target = "auth-proxy"
protocol = "rest"
confidence = "high"

Better results

Install dependencies first

The scanner analyses installed packages to detect custom libraries and internal SDKs. Install dependencies before scanning for the most complete results:

pip install -r requirements.txt   # Python
npm ci                             # Node.js
bundle install                     # Ruby

Go and Rust read lock files directly — no install needed.

What it detects

Endpoints — Express, FastAPI, Django, Flask, Spring Boot, ASP.NET Core, Gin, Axum, Rails routes, plus OpenAPI/proto/GraphQL specs.

Connections — HTTP clients (fetch, axios, requests, httpx), message queues (Kafka, RabbitMQ, NATS), databases (PostgreSQL, MongoDB, Redis), gRPC, and 90+ more libraries across 7 languages.

Services — From Dockerfiles, docker-compose, Kubernetes manifests. In monorepos, each service is detected and source files are attributed automatically.

Custom libraries — If your team has internal SDKs, the scanner traces through wrapper functions to detect connections made by libraries it hasn't seen before.

CI integration

GitHub Actions

name: Arcanon Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install scanner
        run: curl -fsSL https://arcanon.dev/install.sh | sh

      - name: Install dependencies
        run: pip install -r requirements.txt  # or npm ci, bundle install, etc.

      - name: Scan and upload
        env:
          ARCANON_API_KEY: ${{ secrets.ARCANON_API_KEY }}
          ARCANON_HUB_URL: ${{ secrets.ARCANON_HUB_URL }}
        run: arcanon --project-slug my-project

GitLab CI

arcanon-scan:
  stage: test
  script:
    - curl -fsSL https://arcanon.dev/install.sh | sh
    - pip install -r requirements.txt
    - arcanon --project-slug my-project
  variables:
    ARCANON_API_KEY: $ARCANON_API_KEY
    ARCANON_HUB_URL: $ARCANON_HUB_URL

Self-hosted runners

If you use self-hosted runners (Actions Runner Controller, etc.), update the runs-on field:

runs-on: your-runner-set

The scanner auto-detects CI environment variables for branch and commit SHA across GitHub Actions, GitLab CI, and Jenkins.

Troubleshooting

Check the scan log

Every scan saves a debug log:

ls ~/.arcanon/logs/
cat ~/.arcanon/logs/my-repo-*.log

Run with verbose output

arcanon -vvv --dry-run

No services detected

If your repo doesn't have Dockerfiles or docker-compose, the scanner infers a service from the repo name. To name it explicitly:

# .arcanon.toml
[services."."]
name = "my-service"

Exit codes