CLI workflow

Editor signal.
Enforcement aligned.

Iris Code is most useful when the health score you see in the editor is the same score that gates a push or build. The CLI is the bridge — verify locally, automate in hooks, and roll out one shared quality policy without inventing a second CI-only setup.

01

Local verification

Run Iris Code before you push so the same scoring rules fire locally, in hooks, and in CI. One policy, three checkpoints — editor, hook, pipeline.

iris check

Full workspace scan

Score every file in one pass. Iris Code uses the same engine as the editor sidebar — no drift between what you see and what the gate checks.

$iris check .
$iris check path/to/file.ts --verbose
$iris secrets
iris check src/api/users.ts --verbose
src/api/users.ts 43/100 [below threshold: 70] ↳ function exceeds complexity budget L42 function-too-long: exceeds 40 lines L58 console-log: console.log left in source L91 todo: TODO left in source Threshold: 70
iris check

Score a file or the whole workspace. Same engine as the editor sidebar — no drift between what you see and what the gate checks. Single-file scans are free; directory scans require Pro.

iris secrets

Scan for hardcoded API keys, tokens, and passwords across JS/TS/Go/Python. No licence required.

Free
iris security

Scan for eval usage, SQL injection, insecure RNG, weak hashing, and more. No licence required.

Free
02

Hook installation

Install Git and build hooks when the team is ready to block pushes or builds that fall below the agreed threshold. One command, zero boilerplate.

Git hook

Block at the push boundary

The Git hook runs iris check on every push and blocks if any file falls below the configured threshold. Install it once — the hook lives in .git/hooks/ and runs locally for every developer.

$iris hook git install
$iris hook build install
$iris hook git status
git push origin main
Iris Code pre-push hook running… Iris Code — checking . ✓ src/db/queries.ts 91/100 ✓ src/core/scheduler.ts 82/100 ✓ src/auth/session.ts 74/100 ✗ src/api/users.ts 43/100 [below threshold: 70] 4 files checked · 3 passed · 1 failed FAILED Iris Code: Push blocked. Fix failing files or lower your threshold in .irisconfig.json
Push blocked
Git hook

Runs on pre-push. Scans the whole workspace and blocks the push if any file falls below the threshold. Zero config after install.

Free
Build hook

Wires into your build command — npm prebuild for Node, a Makefile target for Go/Python. Fails the build when workspace health drops.

Pro
iris hook status

See which hooks are installed — git and build, in one command. Free.

Free
03

Team rollout

Use one committed .irisconfig.json so editor diagnostics, Gate Preview, and enforcement all speak the same policy. Every developer gets the same rules — no drift between machines.

Shared config

One file.
One policy.

Commit .irisconfig.json to your repo. The editor, hooks, and CI all read from the same source — a threshold change is a one-line diff that the whole team gets on pull.

$iris config init
$iris config validate
$iris gate --format json
.irisconfig.json
{ "presetId": "balanced", "minHealthScore": 70, "gateMaxSecrets": 0, "gateMaxSecuritySmells": 0, "ignoreFiles": [ "dist/**", "**/*.test.ts" ] }
iris config init

Interactively generate .irisconfig.json from a preset (legacy, balanced, or strict). Free — Pro users can also set custom gate limits.

Free
iris config validate

Checks your config for schema errors, unknown keys, and invalid values — before you commit.

Free
iris gate --format json

Full enforcement gate with machine-readable JSON output — pipe into CI reporters, dashboards, or Slack alerts.

Pro
04

Every command

All twelve Iris Code CLI commands in one place. Full flags and exit codes live in the command reference.

iris auth

Sign in via browser or licence token. Stored at ~/.iris/credentials.

Free
iris check

Single-file scan is free. Directory, --staged, and --changed on Pro.

FreePro
iris secrets

Hardcoded credentials, API keys, and tokens. No auth required.

Free
iris security

Eval usage, SQL injection, insecure RNG, weak hashing, and more. No auth required.

Free
iris deps

Audit package.json, go.mod, and requirements.txt for CVEs. Lockfile-aware and monorepo-aware.

Pro
iris cve

Same scan as deps, but exits 1 only at or above a --severity threshold. Built for CI gates.

Pro
iris sbom

Export a CycloneDX 1.5 SBOM across npm, Go, and Python. Fully offline.

Pro
iris todos

Collect every TODO, FIXME, and HACK comment across the codebase.

Pro
iris gate

Full enforcement gate. Exits 1 below threshold. Designed for CI.

Pro
iris report

Export a standalone HTML health report to the current directory.

Free
iris hook

Status check is free. Install/uninstall pre-push and build hooks on Pro.

FreePro
iris config

init generates a config with a preset; validate checks an existing one.

Free

Where to go next

Depending on where your team is, one of these paths gets you to enforcement fastest.

Evaluating Iris Code?

Install the extension first and run a first scan. See which files need attention before touching any config.

Install Iris Code ↗

Ready to enforce?

Jump straight into Git hook and build hook setup so the policy becomes real at the point where code ships.

Hook setup →

Full CLI reference

Every flag, every command, every exit code. The complete reference lives at docs.iriscode.co.

Open docs ↗