> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ubiquex.io/llms.txt
> Use this file to discover all available pages before exploring further.

# ubx scan

> Static security scan of .xcl files — built-in rules, no external dependencies.

`ubx scan` runs a static security analysis of `.xcl` files using built-in rules. No OPA, no external tools required. It checks for common security misconfigurations before deployment.

## Usage

```bash theme={"theme":"css-variables","languages":{"custom":["/languages/xcl.json"]}}
ubx scan [path] [flags]
```

## Flags

| Flag                 | Description                                                     |
| -------------------- | --------------------------------------------------------------- |
| `--severity <level>` | Minimum severity to report: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` |
| `--fix`              | Auto-fix issues in place (rewrites `.xcl` source)               |

## Examples

```bash theme={"theme":"css-variables","languages":{"custom":["/languages/xcl.json"]}}
ubx scan                          # scan all .xcl in current directory
ubx scan ./networking             # scan a specific directory
ubx scan --severity HIGH          # show only HIGH and CRITICAL
ubx scan --fix                    # auto-fix fixable issues
```

## Output

```
  MEDIUM  networking/stack.xcl:12  S3 bucket has public read access
  HIGH    networking/stack.xcl:24  Security group allows 0.0.0.0/0 on port 22
  LOW     platform/stack.xcl:8     RDS deletion protection is disabled

  3 issues found: 0 CRITICAL, 1 HIGH, 1 MEDIUM, 1 LOW
```

## Auto-fix

`--fix` rewrites `.xcl` source in place for fixable issues. Not all issues are auto-fixable — advisory issues require manual review.

After `--fix`, run:

```bash theme={"theme":"css-variables","languages":{"custom":["/languages/xcl.json"]}}
ubx validate   # ensure fixes are valid
ubx fmt        # reformat the fixed files
```

## Disabling scan

Disable scan in `workspace.xcl`:

```xcl theme={"theme":"css-variables","languages":{"custom":["/languages/xcl.json"]}}
workspace {
  scan {
    enabled = false
  }
}
```

With `scan.enabled = false`, `ubx scan` prints a notice and exits 0.

## Built-in rules

ubx scan checks for common issues including:

* S3 buckets with public access
* Security groups with open ingress/egress (0.0.0.0/0)
* RDS instances without deletion protection
* Unencrypted storage volumes
* IAM policies with overly broad permissions (`*:*`)
* Load balancers without HTTPS listeners
* Missing resource tags

## Exit codes

| Code | Meaning                                                 |
| ---- | ------------------------------------------------------- |
| `0`  | No issues at or above severity threshold                |
| `1`  | One or more issues found at or above severity threshold |
