WP HealthKit
CLI

Audit plugins from your terminal

One command to trigger a full audit, check severity thresholds, and pull findings — all from the terminal. Zero install required thanks to npx.

npx @wphealthkit/cli audit contact-form-7

Installation

No global install required for one-off use. Run via npx without adding to your PATH:

npx @wphealthkit/cli audit contact-form-7

For CI/CD environments, global install and authentication are recommended:

npm install -g @wphealthkit/cli
wphealthkit auth login

Authenticate once — credentials are stored in ~/.wphealthkit/config.json and reused across sessions.

Key commands

npx @wphealthkit/cli audit contact-form-7

Run a full security audit on a plugin by slug.

npx @wphealthkit/cli check contact-form-7 --severity critical

Check for findings at or above a severity threshold; exits with code 1 if any are found.

npx @wphealthkit/cli report aud_01J8X... --format json

Retrieve a full report by audit ID in JSON, table, or markdown format.

npx @wphealthkit/cli findings aud_01J8X... --severity high

List findings filtered by severity with file, line, and fix hints.

How developers use the CLI

Local development

Run an audit before pushing. The CLI exits with code 0 (no findings) or code 1 (findings found at or above your severity threshold) — easy to script as a pre-push gate.

# Block push if critical findings found
npx @wphealthkit/cli check ./my-plugin.zip --severity critical && git push

Pre-commit hook

Add to .git/hooks/pre-commit or use with Husky to block commits that introduce security regressions.

#!/bin/sh
npx @wphealthkit/cli check ./my-plugin --severity high --exit-on-finding

GitHub Actions

Gate pull requests on a security score. Fails the build if critical or high findings are introduced.

- name: WP HealthKit Audit
  run: |
    npx @wphealthkit/cli audit ./plugin.zip \
      --severity high \
      --format github \
      --fail-on-finding
  env:
    WPHEALTHKIT_API_KEY: ${{ secrets.WPHEALTHKIT_API_KEY }}

Sample output

npx @wphealthkit/cli audit contact-form-7

# Output
Auditing contact-form-7...
Grade: B | Findings: 4 (1 critical, 2 high, 1 medium)

Critical:
  ✗ Missing nonce verification → includes/submission.php:142
    Fix: add check_ajax_referer() before processing form data

Output formats

Format            Flag                Use case
Table (default)   --format table      Human-readable terminal output
JSON              --format json       Machine-readable for scripting
Markdown          --format markdown   PR comments, documentation
GitHub            --format github     GitHub Actions inline annotations

Exit codes

Code   Meaning
0      No findings at or above the severity threshold
1      One or more findings found
2      Audit failed (API error, invalid ZIP, timeout)
3      Authentication error — run wphealthkit auth login
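The pre-push and pre-commit snippets above gate on a plain `&&`, which treats every non-zero status the same way. Since the CLI distinguishes "findings found" (1) from "audit failed" (2) and "not authenticated" (3), a hook can fail closed on all of them while telling the developer which one happened. The following POSIX sh wrapper is an added example and is not WP HealthKit's own code or documentation: the function names `classify_exit` and `wphk_gate` are my own, and the CLI invocation is passed in as arguments so the wrapper can be exercised with a stand-in command that simply exits with a chosen status.

```shell
#!/bin/sh
# Added example (not WP HealthKit's own code): a pre-push gate that
# distinguishes the exit codes documented on this page instead of
# treating every non-zero status alike. The audit command is passed in
# as "$@" so the wrapper can be tested with a stand-in command.

# Map an exit status to a one-word decision:
#   pass  -> 0  (no findings at or above the threshold)
#   block -> 1  (one or more findings found)
#   error -> 2  (audit failed: API error, invalid ZIP, timeout)
#   auth  -> 3  (authentication error)
#   other -> any undocumented status (treated as a failure)
classify_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo block ;;
    2) echo error ;;
    3) echo auth ;;
    *) echo other ;;
  esac
}

# Run the audit command given as "$@", print a verdict, and return 0
# only when the push may proceed. Every other status fails closed: an
# API outage or an expired login must not let findings through.
wphk_gate() {
  if "$@"; then status=0; else status=$?; fi
  verdict=$(classify_exit "$status")
  case "$verdict" in
    pass)  echo "gate: no findings at or above threshold, push allowed" ;;
    block) echo "gate: findings found, push blocked (run 'findings' for details)" ;;
    error) echo "gate: audit failed (status 2), fix the input or retry before pushing" ;;
    auth)  echo "gate: not authenticated, run 'wphealthkit auth login'" ;;
    *)     echo "gate: unexpected status $status from audit command" ;;
  esac
  [ "$verdict" = pass ]
}

# When invoked with arguments, act as the hook itself. Intended use from
# .git/hooks/pre-push (flags as shown on this page):
#   wphk_gate npx @wphealthkit/cli check ./my-plugin --severity high
if [ "$#" -gt 0 ]; then
  wphk_gate "$@"
fi
```

Wiring the audit command through `"$@"` keeps the hook logic testable offline; in the real hook the arguments are the `npx @wphealthkit/cli check ...` line, and only a status of 0 lets `git push` continue.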

Full CLI documentation

Full CLI reference — all commands, flags, environment variables, and config file options — is in the developer docs.

Add WP HealthKit to your terminal

Install, authenticate once, and audit WordPress plugins from your workflow.
