CLI
Audit WordPress plugins from your terminal or integrate WP HealthKit into any CI/CD pipeline.
Installation
Install globally with npm, or run without installing using npx:
# Install globally
npm install -g @wphealthkit/cli

# Or run without installing
npx @wphealthkit/cli audit contact-form-7
Node.js 18 or later is required. Verify your installation:
$ wphk --version
@wphealthkit/cli v1.0.0
Authentication
There are two ways to authenticate. In interactive environments, use the login command. In CI/CD, set the WPHK_API_KEY environment variable.
Interactive login
$ wphk login
? Enter your API key: whk_live_...
Authenticated as [email protected] (Agency plan)
Environment variable
export WPHK_API_KEY=whk_live_your_key
wphk audit contact-form-7
Get your API key in Settings → API Keys. A Pro plan or higher is required.
Commands
wphk login
Authenticate interactively. Prompts for your API key and saves it to ~/.wphk/config.
Usage
wphk login
Example
$ wphk login
? Enter your API key: whk_live_...
Authenticated as [email protected] (Agency plan)
wphk audit
Audit a plugin by wp.org slug or local ZIP path. Polls until complete and prints a summary.
Usage
wphk audit <slug|path> [options]
Example
$ wphk audit contact-form-7
Auditing contact-form-7... done in 38s

Plugin: Contact Form 7 v5.9.8
Risk: LOW
Findings: 3 (0 critical, 0 high, 2 medium, 1 low)
Report: https://wphealthkit.com/results/aud_abc123
wphk audit --file
Audit a local ZIP file directly rather than fetching from wp.org.
Usage
wphk audit --file ./my-plugin.zip
Example
$ wphk audit --file ./my-plugin.zip
Uploading my-plugin.zip... done
Auditing... done in 42s

Plugin: My Plugin v1.0.0
Risk: HIGH
Findings: 14 (0 critical, 3 high, 8 medium, 3 low)
wphk status
Check the status of a previously started audit by ID.
Usage
wphk status <audit-id>
Example
$ wphk status aud_01j9x4r2v8kz3m7p6nq5w0c1d
Status: completed
Risk: LOW
Report: https://wphealthkit.com/results/aud_01j9x4r2v8kz3m7p6nq5w0c1d
wphk findings
Print findings for a completed audit, with optional severity filter.
Usage
wphk findings <audit-id> [--severity critical|high|medium|low]
Example
$ wphk findings aud_abc123 --severity high
3 high-severity findings:
[HIGH] includes/class-handler.php:142  Direct database query without prepared statement
[HIGH] src/api/endpoint.php:87  Missing nonce verification on POST handler
wphk usage
Show your current plan, audit quota usage, and rate limit status.
Usage
wphk usage
Example
$ wphk usage
Plan: Agency
Audits: 47 / 200 used (resets 2025-05-01)
API calls: 312 today
CI/CD Integration
Use the CLI in GitHub Actions (or any CI system) to block merges when high-severity issues are found. The wphk audit command exits with code 1 if findings at or above the severity given with --fail-on are detected.
GitHub Actions
# .github/workflows/audit.yml
name: Plugin Security Audit
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Audit plugin
        env:
          WPHK_API_KEY: ${{ secrets.WPHK_API_KEY }}
        run: npx @wphealthkit/cli audit my-plugin-slug --fail-on high
      # Or audit a built ZIP artifact
      - name: Audit plugin ZIP
        env:
          WPHK_API_KEY: ${{ secrets.WPHK_API_KEY }}
        run: npx @wphealthkit/cli audit --file ./dist/my-plugin.zip --fail-on high
GitLab CI
audit:
  image: node:20
  script:
    - npx @wphealthkit/cli audit my-plugin-slug --fail-on high
  variables:
    WPHK_API_KEY: $WPHK_API_KEY
Exit codes
0 — Audit passed (no findings at or above --fail-on threshold)
1 — Audit failed (findings found at or above threshold)
2 — API error or network failure
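The three exit codes mean different things to a pipeline: 1 is a security verdict, 2 means the audit never completed. An added example (not part of the WP HealthKit CLI or its docs) of a shell wrapper that retries only on 2, so a transient API failure is never mistaken for a clean audit, and propagates 1 without retrying. The retry count and delay are assumed defaults; the audit command is passed in as arguments so a stub can stand in for it when testing.

```shell
# Retry policy (assumed values, not from the CLI docs; override via env).
WPHK_MAX_ATTEMPTS="${WPHK_MAX_ATTEMPTS:-3}"
WPHK_RETRY_DELAY="${WPHK_RETRY_DELAY:-0}"

# describe_exit_code CODE -> prints the verdict for a documented exit code.
describe_exit_code() {
  case "$1" in
    0) echo "pass: no findings at or above the --fail-on threshold" ;;
    1) echo "fail: findings at or above the --fail-on threshold" ;;
    2) echo "error: API or network failure, audit did not complete" ;;
    *) echo "error: unexpected exit code $1" ;;
  esac
}

# run_audit CMD [ARGS...]
# Runs the audit command, retrying only on exit code 2 (transient API or
# network error). Exit 1 (real findings) is never retried. Returns the
# final exit code, so a CI step calling this fails on both 1 and 2 and
# never reports a pass for an audit that did not actually run.
run_audit() {
  local attempt=1 rc=0
  while :; do
    "$@" && rc=0 || rc=$?
    if [ "$rc" -ne 2 ] || [ "$attempt" -ge "$WPHK_MAX_ATTEMPTS" ]; then
      break
    fi
    echo "wphk: exit 2 on attempt $attempt/$WPHK_MAX_ATTEMPTS, retrying" >&2
    attempt=$((attempt + 1))
    sleep "$WPHK_RETRY_DELAY"
  done
  echo "wphk: $(describe_exit_code "$rc")" >&2
  return "$rc"
}

# In a pipeline step (real CLI, needs WPHK_API_KEY in the environment):
#   run_audit npx @wphealthkit/cli audit my-plugin-slug --fail-on high
```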