Use the --only flag to run a subset of probes. This is useful for re-checking fixes, running fast passive-only scans, or isolating specific ASVS controls.

Basic usage

# Scan only security headers
vet https://your-app.com --only headers

# Scan headers and TLS
vet https://your-app.com --only headers,tls

# Scan with verbose output to see progress
vet https://your-app.com --only headers,tls --verbose

Category names and aliases

Each probe has a short name and a full category name. Either works with --only.

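| Short name | Full category name | ASVS section | Probe type |
|------------|--------------------|--------------|------------|
| headers    | security_headers   | V9.1.x       | Passive    |
| methods    | method_enforcement | V9.2.x       | Passive    |
| errors     | error_disclosure   | V7.4.x       | Passive    |
| tls        | tls_ssl            | V9.3.x       | Passive    |
| cors       | cors               | V9.4.x       | Passive    |
| injection  | input_validation   | V5.x         | Active     |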

Examples:

# These are equivalent
vet https://your-app.com --only headers
vet https://your-app.com --only security_headers

# Mix short and long names
vet https://your-app.com --only headers,tls_ssl,cors

Passive vs. active probes

Passive probes inspect responses without sending attack payloads. Active probes send SQL injection, XSS, and path traversal payloads.

# Safe for production — passive probes only
vet https://production.your-app.com --only headers,tls,cors,methods,errors

# Active probes — use on staging/test environments
vet https://staging.your-app.com --only injection

# Everything (default when --only is omitted)
vet https://staging.your-app.com

Passive probes run in parallel. Active probes run sequentially to avoid triggering rate limits.

Combining with --verbose

The --verbose flag writes progress to stderr while JSON output goes to stdout. This lets you pipe JSON to jq while watching progress:

vet https://your-app.com --only headers,cors --verbose | jq '.result.summary'

Or watch progress and save results:

vet https://your-app.com --only headers --verbose > results.json

Verbose output looks like:

Discovering endpoints for https://your-app.com...
Found 8 endpoints
Running 1 passive probes in parallel...
  [headers] starting...
  [headers] done (64 checks)

Re-scan failing categories

After a full scan, the next_actions field suggests re-scanning failing categories:

{
  "next_actions": [
    {
      "command": "vet scan https://your-app.com --only security_headers,cors --verbose",
      "description": "Re-scan 2 failing categories with verbose output"
    }
  ]
}

Copy-paste the suggested command to re-check just the categories you fixed.

Invalid category names

If you pass an unknown category, vet prints a warning to stderr and lists valid names:

vet https://your-app.com --only bogus
# stderr: Warning: unknown categories: bogus. Valid: headers, methods, errors, tls, cors, injection

If no categories match, vet warns and produces an empty report.
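
Because an unknown name only produces a warning and can leave an empty report, and because omitting --only runs the active probe as well, a pipeline can validate the category list before calling vet. The following is an added example, not part of vet: the function names, exit codes and the allow-active switch are assumptions, and the alias and probe-type data are copied from the table in "Category names and aliases".

```shell
# Hypothetical pre-flight guard for a vet --only list (not part of vet).
# Alias and probe-type data are copied from the category table on this page.

# Map a short or full category name to its full name; fail on unknown names.
resolve_category() {
  case "$1" in
    headers|security_headers)   echo security_headers ;;
    methods|method_enforcement) echo method_enforcement ;;
    errors|error_disclosure)    echo error_disclosure ;;
    tls|tls_ssl)                echo tls_ssl ;;
    cors)                       echo cors ;;
    injection|input_validation) echo input_validation ;;
    *) return 1 ;;
  esac
}

# check_only LIST [ALLOW_ACTIVE]
# Prints the normalized comma-separated list on success.
# Exit codes (assumed convention): 0 ok, 2 unknown category,
# 3 active probe requested but not allowed for this target.
check_only() {
  list=$1 allow_active=${2:-no} out=""
  # An empty list means --only is omitted, so vet would run every probe,
  # including the active one.
  if [ -z "$list" ]; then
    [ "$allow_active" = yes ] || return 3
    return 0
  fi
  # Split on commas with globbing disabled so '*' is never expanded.
  old_ifs=$IFS; IFS=,; set -f
  set -- $list
  set +f; IFS=$old_ifs
  for name in "$@"; do
    full=$(resolve_category "$name") || {
      echo "unknown category: $name" >&2
      return 2
    }
    if [ "$full" = input_validation ] && [ "$allow_active" != yes ]; then
      echo "active probe '$name' refused for this target" >&2
      return 3
    fi
    out="${out:+$out,}$full"
  done
  echo "$out"
}
```

In a pipeline, call check_only first and pass its output to vet --only only when it exits 0.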

Summary format with categories

Combine --only with --format summary for a compact pass/fail overview:

vet https://your-app.com --only headers,tls --format summary | jq .
{
  "ok": true,
  "command": "scan",
  "result": {
    "target": "https://your-app.com",
    "summary": { "pass": 30, "fail": 2, "warn": 1, "skip": 0 },
    "endpoints_scanned": 8,
    "category_statuses": {
      "security_headers": "fail",
      "tls_ssl": "pass"
    }
  }
}