Run Archon audits and gas reports from your terminal or any CI — zero dependencies, fail-on gates, JSON output.
CLI — archon-scan
archon-scan is a zero-dependency Node CLI (Node ≥ 18) that drives Archon's public API: it submits a scan, streams stage progress to your terminal, prints the findings table — and with --gas, the receipt-calibrated L2-versus-DA split — then exits nonzero when your severity gate is breached. It composes into any CI system, not just the GitHub Action. It is read-only: it never deploys, signs, or moves anything.
Run it
# via npx, no install (mirror of packages/cli in the Archon monorepo).
# Scan a deployed, verified Mantle contract — works from ANY directory, no local files:
npx --yes github:Franlinozz/archon-cli scan 0xe7043e2ec95eF357FbBa3359BA2f1edb10cEAD2a --fail-on high
# Scan your OWN Solidity — run from your project root; pass a .sol file or a folder (bundled):
npx --yes github:Franlinozz/archon-cli scan ./contracts --gas --fail-on highOr from a checkout of the Archon repo, against the bundled example contract (no npx):
node packages/cli/bin/archon-scan.mjs scan contracts/VaultV2.sol --fail-on highThe address form is the copy-paste quickstart: it needs nothing on your disk. The local forms (./contracts, a .sol file) resolve paths relative to your current directory, so run them from your project root — otherwise you'll get a clear not a file, directory, or 0x address with the directory it looked in.
Usage
archon-scan scan <file.sol | directory | 0xAddress> [options]
--gas Also run a gas report (receipt-calibrated L2/DA split)
--json Machine-readable JSON to stdout (progress -> stderr)
--fail-on <sev> Exit 2 if any finding is at/above: critical|high|medium|low
--depth <depth> quick|deep|gas-cost|full-report (default: quick)
--protocols <list> Coverage targets, comma-separated (default: mETH)
--label <name> Contract label shown in the workspace
--api <url> API base (default: $ARCHON_API or https://archonaudit.xyz)
--timeout <seconds> Max wait for completion (default: 900)Exit codes: 0 ok · 1 operational error · 2 --fail-on threshold breached.
Directories are scanned as a bundle: every .sol file (up to 80) is uploaded so imports resolve; the file declaring the most contracts becomes the entry point.
What a run looks like
Real output from a production run against a deliberately vulnerable staking contract:
00:05:59 Archon scanning RewardsDistributor.sol (depth: quick, api: https://archonaudit.xyz)
00:06:00 ▸ scan 52cf53d9-… queued
00:06:03 ▸ Static Analysis (13%)
00:06:11 ▸ Gas Optimization (50%)
00:06:17 ▸ AI Reasoning (63%)
00:08:06 ▸ Done (100%)
Findings (20 total) 2 high · 1 medium · 5 low · 12 info
HIGH Msg Value Loop RewardsDistributor.sol:37
HIGH Reentrancy Eth RewardsDistributor.sol:47
…
Risk score 90/100
Report https://archonaudit.xyz/r/d37f46d6-aded-41fc-9215-900370300111
Identified savings (per call, receipt-calibrated)
L2 execution 0.001128102 MNT (22,562 gas)
DA 0.000000000 MNT — DA priced from Mantle receipt ground truth (l1Fee)
✖ 2 finding(s) at or above "high" — failing (exit 2)In CI
Any CI that can run Node can gate merges on Archon:
- uses: actions/setup-node@v4
with: { node-version: 22 }
- name: Archon security gate
run: npx --yes github:Franlinozz/archon-cli scan contracts/ --fail-on highFor pull-request gas-diff comments with L2/DA columns, use the GitHub Action — the CLI and Action share the same public API, so results match the Audit Studio and the gas leaderboard.
--json prints the complete scan, findings, report, and gas payload for scripting:
archon-scan scan ./src --gas --json > archon.json
jq '.report.riskScore' archon.json


