Developer workflow

Secure AI-generated code without slowing developers down.

Start with the cognium-ai CLI, then connect staging CI when generated pull requests need semantic SAST, verification evidence, and policy control.

Request pilot View open source

quickstart

# install cognium-ai
npm install -g cognium-ai

# scan a repository and export SARIF
cognium-ai scan ./src --format sarif -o results.sarif

✓ semantic data-flow scan complete
! CWE-89 SQL injection path found

Command documentation

Copy-paste commands for local scans and CI.

Install the cognium-ai CLI from npm, run it against a directory, and choose the output format that matches your workflow. Start locally, then move the same command into pull requests once the signal looks right.

Install

Install once on a workstation or CI runner.

npm install -g cognium-ai
cognium-ai --help

Scan

Point the scanner at source, a service folder, or the repo root.

cognium-ai scan ./src
cognium-ai scan .

Export

Generate SARIF for GitHub code scanning and security review tools.

cognium-ai scan ./src \
  --format sarif \
  -o results.sarif

Command options

Use the same CLI in pre-commit, CI, and review gates.

The useful pattern is simple: scan broadly during local development, export SARIF for pull requests, run trust and quality checks when needed, and use severity thresholds only when the team is ready to block merges.

Open-source quickstartInstall cognium-ai and run the first local scan.Benchmark methodologyReproduce detection numbers before adopting a gate.Hugging Face artifactsReview public benchmark summaries, demo Spaces, and evaluation metadata as they are published.LLM enrichment guideCompare Ollama, GitHub Models, and OpenAI-compatible setups.Semantic SAST overviewUnderstand what the scanner traces and why findings are actionable.

common commands

# report high severity findings and above
cognium-ai scan ./src --severity high

# trust and quality scores
cognium-ai trust ./src -f json -o trust.json
cognium-ai quality ./src -f json -o quality.json

# quiet mode for scripts and hooks
cognium-ai scan . --severity critical -q

# pre-commit gate
if ! cognium-ai scan . --severity critical -q; then
  echo "Blocked: critical vulnerabilities found"
  exit 1
fi

Full CLI surface

Cover security, trust, quality, specs, and environment checks.

The cognium-ai CLI also includes commands for generating Specifica specs, checking code-to-spec drift, initializing project config, and validating local setup before CI rollout.

Generate specs

Create Specifica documentation from source so generated code has a reviewable behavioral baseline.

cognium-ai generate-spec ./src --all

Check spec drift

Compare code against the generated or curated spec and fail CI when alignment drops below threshold.

cognium-ai spec-diff ./src \
  --threshold 70 \
  --exit-code

Prepare environment

Create config, verify LLM settings, and print component versions before promoting the scanner into CI.

cognium-ai init
cognium-ai doctor
cognium-ai version

Advanced runs

Run bundled reviews and stream output for larger repositories.

For larger scans, use the built-in review bundles and JSONL streaming mode so results can be consumed incrementally by CI or downstream review systems.

Trust verificationTurn CLI output into review evidence and policy decisions.Agent orchestrationRoute higher-risk generated changes through controlled review paths.Pilot setupConnect one staging repo and tune thresholds before production gates.

advanced commands

# security-focused bundled review
cognium-ai ./src --bundle security-review

# stream machine-readable results
cognium-ai ./src \
  --stream-output out.jsonl \
  --memory-efficient

Why developers care

Clear security feedback at the point of change.

Developers do not need another dashboard that only security can interpret. Cognium produces findings that map source to sink, explain the exploit path, and fit into existing code review tools.

Local first

Run scans before opening a pull request. Validate generated code while the context is still fresh.

CI native

Export SARIF, wire GitHub code scanning, and enforce branch policy without replacing your build system.

Framework aware

Model request sources, sanitizers, encoders, and sinks used by real application frameworks.

CI example

Add semantic SAST to pull requests.

Start in report-only mode, then move selected repositories to blocking gates once the signal is tuned.

Semantic SAST scannerHow Cognium traces generated code paths.AI trust verificationHow scan output becomes a trust decision.Skills trust registryHow agent tools and MCP servers enter the trust model.

.github/workflows/cognium.yml

name: Cognium
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g cognium-ai
      - run: cognium-ai scan . --format sarif -o cognium.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: cognium.sarif

Configuration

Tune rules to match your codebase.

Developer adoption improves when the scanner understands local frameworks, wrappers, and safe helper APIs. Cognium supports source, sink, and sanitizer definitions that teams can evolve with the codebase.

cognium.yaml

sources:
  - pattern: req.getParameter
  - pattern: request.query

sinks:
  - pattern: db.query
    cwe: CWE-89

sanitizers:
  - pattern: escapeHtml
  - pattern: preparedStatement

Good developer experience means low ambiguity.

Findings include source, path, sink, and remediation guidance.
Rules can model internal framework helpers and safe wrappers.
CI output can start as advisory before becoming a merge gate.
Open-source usage gives developers a path to inspect and contribute definitions.

Evaluate before adoption

What a developer should verify first.

Before a team adds any security gate, developers need proof that the tool is installable, inspectable, and reproducible. Cognium should make those checks obvious.

Run it locally

Install with npm and scan a repository before introducing CI policy or enterprise controls.

Open quickstart

Inspect the source

Review the scanner, CI examples, issues, and documentation before trusting generated-code findings.

View GitHub

Reproduce benchmarks

Check the benchmark harness and raw methodology so adoption is based on evidence, not marketing claims.

View benchmarks

Developer paths

Choose the path that matches your team.

Cognium should be easy to try independently and straightforward to graduate into enterprise governance.

Path	Best for	Next step
cognium-ai CLI	Developers validating semantic SAST locally or in public CI.	Install from npm and scan a repo.
GitHub Action	Teams that want SARIF in pull requests without workflow migration.	Add the workflow and run report-only first.
Enterprise pilot	Teams adopting coding agents across private repositories.	Connect one staging repo and tune policy thresholds.

Developers: visit cognium.dev for open-source tools.

Start with the open-source tools, then connect one staging repository when you are ready to verify AI-generated pull requests in CI.

Request pilot View open source