Getting Started

From zero to your first scan in under 2 minutes.

You don't need to be a security expert. Doorman explains everything it finds in plain English. Just run one command and it tells you exactly what to fix, why it matters, and how to fix it — often automatically. If you're building with AI tools like Claude, Cursor, or Copilot, Doorman is your safety net before you ship.

Prerequisites

Quick Start

Run a scan on your current directory with a single command:

npx getdoorman check

Or scan a specific path:

npx getdoorman check ./src

Doorman automatically detects your tech stack, selects the right rules, and scans your code. No configuration needed.

Understanding the Output

After a scan completes, you'll see a report with three key sections:

Safety Score

A score from 0 to 100 indicating how safe your code is to ship. Scores above 70 are generally considered safe.

Score: 82/100    SAFE TO LAUNCH

Findings by Category

Issues are grouped into 10 categories:

Severity Levels

Each finding has a severity level:

| Severity | Meaning | Why it matters |
|---|---|---|
| CRITICAL | Must fix before shipping. Active security risk or data loss. | Your app could get hacked or lose user data |
| HIGH | Should fix soon. Significant risk or major performance issue. | Could cause downtime or leak sensitive info |
| MEDIUM | Fix when possible. Moderate risk or best practice violation. | Should fix before going to production |
| LOW | Nice to fix. Minor improvement or informational. | Nice to fix, won't break anything |
| INFO | Informational suggestion. No immediate risk. | Just a suggestion to improve your code |

Fixing Issues

Doorman finds the problems. Your AI fixes them. Run doorman fix to generate a prompt you can paste into Claude, Codex, or Cursor.

Fix critical issues:

npx getdoorman fix critical

Fix critical + high:

npx getdoorman fix high

Fix everything:

npx getdoorman fix all

If you're already in Claude Code or Cursor, just run the command — Doorman detects your environment and outputs the prompt directly. Your AI sees it and starts fixing.

Or just tell your AI:

"Run npx getdoorman check and fix the critical issues"

Your AI runs the scan, sees the results, and fixes them. That's it.

Pre-Commit Hook

Set up a git pre-commit hook so Doorman runs before every commit:

npx getdoorman init

This creates a .doormanrc config file and installs a pre-commit hook. The hook blocks commits if the safety score falls below the configured threshold.

Configuration

While Doorman works with zero config, you can customize it with a .doormanrc file in your project root:

{
  "preset": "recommended",           // Which rule set to use (recommended, strict, or minimal)
  "minScore": 70,                     // Fail if safety score drops below this
  "categories": [                     // Which categories to scan (remove any you don't need)
    "security",
    "performance",
    "reliability",
    "cost"
  ],
  "severity": "medium",              // Only show medium+ issues (hides low and info)
  "ignore": [                         // Rules to skip (add rule IDs here)
    "SEC-XSS-003",
    "PERF-CACHE-002"
  ],
  "paths": {
    "include": ["src/", "lib/"],      // Only scan these folders
    "exclude": ["test/", "vendor/"]   // Skip these folders
  }
}

Presets

| Preset | Description | Good for |
|---|---|---|
| recommended | Balanced defaults. All categories, medium+ severity. Best for most projects. | Most projects, startups, side projects |
| strict | All rules, all severities. For security-critical applications. | Healthcare, finance, apps handling payments |
| minimal | Critical and high severity only. Fast scans for large codebases. | Large legacy codebases, gradual adoption |
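To make the gating rule from the Pre-Commit Hook section concrete (block the commit when the safety score falls below the minScore in .doormanrc), here is a hand-written pre-commit hook as an added example. It is not the hook that npx getdoorman init installs and not Doorman's own code; it assumes that npx getdoorman check prints a "Score: N/100" line like the report shown earlier and that .doormanrc carries a "minScore" entry, and it reads that entry textually so the // comments in the config above do not break it. If your Doorman version prints the score differently, adjust the two sed patterns. An unparsable report fails closed (the commit is blocked), so a crashed scan cannot slip through.

```shell
#!/bin/sh
# Added example: a hand-written git pre-commit gate for Doorman. NOT the hook that
# `npx getdoorman init` installs; it only illustrates the documented rule (block the
# commit when the safety score falls below minScore).
#
# Assumptions (not confirmed by the docs): `npx getdoorman check` prints a line of the
# form "Score: 82/100", as in the report shown earlier, and .doormanrc holds "minScore".
# Adjust the two sed patterns below if your Doorman version differs.

# Read minScore out of .doormanrc text. We match the key textually rather than parsing
# JSON, so the // comments in the documented config are harmless. Defaults to 70, the
# threshold the docs use, when no minScore is present.
min_score_from_config() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"minScore"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
    | head -n 1 | grep . || echo 70
}

# Extract the numeric score from a Doorman report; prints nothing if no score line is found.
score_from_report() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Score:[[:space:]]*\([0-9][0-9]*\)\/100.*/\1/p' \
    | head -n 1
}

# Return 0 (allow the commit) when score >= threshold; 1 otherwise, including when the
# score could not be parsed: an unreadable report fails closed instead of slipping through.
commit_allowed() {
  score="$1"
  threshold="$2"
  [ -n "$score" ] || return 1
  [ "$score" -ge "$threshold" ]
}

# Decide for a report/config pair and print a one-line verdict. Returns 0 = allow, 1 = block.
gate() {
  report="$1"
  config="$2"
  threshold=$(min_score_from_config "$config")
  score=$(score_from_report "$report")
  if commit_allowed "$score" "$threshold"; then
    echo "Doorman gate: score ${score} >= ${threshold}, commit allowed"
    return 0
  fi
  echo "Doorman gate: score ${score:-unknown} below ${threshold}, commit blocked" >&2
  echo "Try: npx getdoorman fix critical" >&2
  return 1
}

# Real hook entry point: run the scan, echo its report, then gate on the score.
hook_main() {
  config=""
  if [ -f .doormanrc ]; then
    config=$(cat .doormanrc)
  fi
  report=$(npx getdoorman check 2>&1) || true   # gate on the score, not on the exit status
  printf '%s\n' "$report"
  gate "$report" "$config"
}

# Constructed sample input for an offline dry run (not real Doorman output).
DEMO_CONFIG='{ "preset": "recommended", // which rule set to use
  "minScore": 75 }'
DEMO_REPORT='Scanning ./src ...
Score: 82/100    SAFE TO LAUNCH'

# The scan only runs when this file is installed as .git/hooks/pre-commit (git invokes it
# by that name); `sh doorman-gate.sh --demo` exercises the logic on the sample instead.
case "${0##*/}" in
  pre-commit) hook_main || exit 1 ;;
esac
if [ "${1:-}" = "--demo" ]; then
  gate "$DEMO_REPORT" "$DEMO_CONFIG"
fi
```

To install it by hand, copy the file to .git/hooks/pre-commit and mark it executable; git passes no arguments, so the case branch runs the scan and a non-zero exit blocks the commit. Keeping the decision in gate, separate from the npx call, is what lets the threshold logic be tested offline against constructed reports.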

Next Steps