Core documentation content is fully readable without JavaScript. The table of contents, assistant, and some copy buttons enhance the experience but are not required.

Installation

Supply Pulse commands

Copy-paste reference for zephex supply — targets, flags, URL vs repo scans, and session helpers.

Guide: Supply Pulse overview · API key

Aliases

Natural language and short forms route to the same command:

zephex supplyzephex supzephex chain# "secrets" alone → secrets-focused supply scan

Targets

Target	What runs
`(default)` or `.`	Full repo scan in current directory
`https://…` or `example.com`	Live URL — download public JS bundles, secrets, source maps
`.` `+` `https://…`	Repo scan + live URL + cross-reference
`github:owner/repo`	Shallow public clone, then repo scan

zephex supplyzephex supply ./backendzephex supply https://staging.example.comzephex supply myapp.comzephex supply . + https://myapp.comzephex supply github:acme/web-app

URL scan flags

# Default URL scan — bundles + secrets + source mapszephex supply https://app.example.com # Secrets in bundles only (faster)zephex supply https://app.example.com --only secrets # Skip retire.js library CVE passzephex supply https://app.example.com --bundle-only # Hide informational noisezephex supply https://app.example.com --severity high

Repo scan flags

# Balanced defaultzephex supply # Single phasezephex supply --only secretszephex supply --only depszephex supply --env-onlyzephex supply --gha-onlyzephex supply --rls-only # CVE reachability (fewer false positives)zephex supply --only deps --reachability # Include devDependencies in CVE scanzephex supply --only deps --include-dev # CI exit code on critical or verified secretszephex supply --only secrets --strict

Output & session

# Machine-readable full resultzephex supply --json # Minimal terminal noisezephex supply -q # Re-print last scan (local cache, ~30m)zephex supply last # Follow-up question on cached scanzephex supply --why "which findings are false positives?"zephex supply --why "explain the Supabase JWT" --refresh # Cloud history (needs API key)zephex supply history

--strict exits with code 1 when critical findings or verified secrets are present — useful in CI.

All flags

Flag	Purpose
`--json`	Full structured scan result on stdout
`--strict`	Non-zero exit on critical / verified secrets
`--quiet` / `-q`	Suppress human report formatting
`--only` `secrets\|deps\|env\|gha\|rls\|url`	Run one phase only
`--severity` `critical\|high\|medium\|low\|informational`	Minimum severity to show
`--reachability`	Filter dependency CVEs by code usage (repo)
`--include-dev`	Include devDependencies in CVE scan
`--bundle-only`	URL scan: skip JS library CVE pass
`--git-history-depth` `n`	Deeper clone for `github:` targets
`--why` `"…"`	Ask about the last cached scan
`--refresh`	Ignore cache when using `--why`

Common workflows

Before deploy

zephex supply . + https://production.example.com --strict

Quick homepage check

zephex supply https://www.example.com --severity high

Secrets-only in CI

zephex supply --only secrets --strict --json > supply-report.json

Open source repo

zephex supply github:vercel/next.js --only secrets

Target

What runs

(default) or .

Full repo scan in current directory

https://… or example.com

Live URL — download public JS bundles, secrets, source maps

. + https://…

Repo scan + live URL + cross-reference

github:owner/repo

Shallow public clone, then repo scan

# Default URL scan — bundles + secrets + source mapszephex supply https://app.example.com # Secrets in bundles only (faster)zephex supply https://app.example.com --only secrets # Skip retire.js library CVE passzephex supply https://app.example.com --bundle-only # Hide informational noisezephex supply https://app.example.com --severity high

# Balanced defaultzephex supply # Single phasezephex supply --only secretszephex supply --only depszephex supply --env-onlyzephex supply --gha-onlyzephex supply --rls-only # CVE reachability (fewer false positives)zephex supply --only deps --reachability # Include devDependencies in CVE scanzephex supply --only deps --include-dev # CI exit code on critical or verified secretszephex supply --only secrets --strict

# Machine-readable full resultzephex supply --json # Minimal terminal noisezephex supply -q # Re-print last scan (local cache, ~30m)zephex supply last # Follow-up question on cached scanzephex supply --why "which findings are false positives?"zephex supply --why "explain the Supabase JWT" --refresh # Cloud history (needs API key)zephex supply history

Flag

Purpose

--json

Full structured scan result on stdout

--strict

Non-zero exit on critical / verified secrets

--quiet / -q

Suppress human report formatting

--only secrets|deps|env|gha|rls|url

Run one phase only

--severity critical|high|medium|low|informational

Minimum severity to show

--reachability

Filter dependency CVEs by code usage (repo)

--include-dev

Include devDependencies in CVE scan

--bundle-only

URL scan: skip JS library CVE pass

--git-history-depth n

Deeper clone for github: targets

--why "…"

Ask about the last cached scan

--refresh

Ignore cache when using --why

Quick Links

API Reference

Troubleshooting

Community

Plugins

Pricing

Supply Pulse commands

Before deploy

Quick homepage check

Secrets-only in CI

Open source repo

Quick Links

API Reference

Troubleshooting

Community

Plugins

Pricing

Supply Pulse commands

Before deploy

Quick homepage check

Secrets-only in CI

Open source repo