Frequently Asked Questions
Common questions about VEXLIT CLI and scanning.
Most projects scan in under 10 seconds. A 1000-file project typically completes in 3-5 seconds. Diff scans (--diff flag) are even faster since they only analyze changed files.
VEXLIT supports 34 languages: JavaScript, TypeScript, Python, Java, Go, C#, PHP, Ruby, Rust, Kotlin, Swift, Scala, C, C++, Dart, Lua, Perl, Bash, and more. Plus 6 IaC formats: Terraform, Dockerfile, Kubernetes, TOML, HCL, and CloudFormation.
Yes. The CLI runs entirely locally - no internet connection required for SAST and secret detection. SCA (dependency scanning) requires internet to query vulnerability databases. AI features require an API key.
Generate SARIF with 'vexlit scan . --sarif > results.sarif', then use the github/codeql-action/upload-sarif@v3 action in your workflow. Results appear in your repository's Security tab.
Three options: (1) Add '// vexlit-ignore-next-line RULE-ID' above the line, (2) Disable a rule globally in vexlit.config.js with 'RULE-ID: false', (3) Use the dashboard's exception management to suppress findings.
Common issues & solutions
Solutions for the most frequently encountered problems.
Error: Cannot find module '@vexlit/cli'
This usually means your Node.js version is older than 18. VEXLIT requires Node.js 18 or later. Check with 'node --version' and upgrade if needed.
Scan is slow on large projects
Use the '--diff' flag to scan only changed files. For full scans, ensure node_modules and build directories are in your .gitignore (they're auto-ignored). You can also add custom ignore paths in vexlit.config.js.
Out of memory on very large codebases
Increase Node.js memory: 'NODE_OPTIONS=--max-old-space-size=4096 vexlit scan .' For projects with 10,000+ files, consider scanning in batches by directory.
SARIF upload fails in GitHub Actions
Ensure your workflow has 'permissions: security-events: write' and 'contents: read'. The SARIF file must exist - use 'if: always()' on the upload step to run even if the scan finds critical issues.
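The SARIF generation step from the FAQ and the permissions and 'if: always()' advice above, combined into one GitHub Actions workflow. This is an added example, not taken from VEXLIT's documentation; the workflow name, triggers, Node.js version and the 'npm install --global @vexlit/cli' install step are assumptions.

```yaml
# Added example workflow; names, triggers and the install step are assumptions.
name: vexlit-sast
on:
  push:
    branches: [main]
  pull_request:

# Least privilege: only what checkout and the SARIF upload need.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # VEXLIT requires Node.js 18 or later

      # Assumption: the CLI is installed from the @vexlit/cli npm package.
      - name: Install VEXLIT
        run: npm install --global @vexlit/cli

      # Redirect the SARIF report to a file for the upload step.
      - name: Scan and write SARIF
        run: vexlit scan . --sarif > results.sarif

      # always() keeps the upload running even when the scan step
      # fails because it found critical issues.
      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```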
False positives in test files
Add test directories to your ignore list: create vexlit.config.js with ignore: ['__tests__/', 'test/', '*.test.ts', '*.spec.js']. Test files often contain intentionally vulnerable patterns.