Your First Scan

Noir is installed — let's take it for a spin! Point it at a project, see what it finds, and learn how to shape the output.

Run a Scan

Pick a project directory and scan it:

noir -b /path/to/your/app

Or if you're already inside the project:

noir -b .

Noir reads the source files, detects which frameworks are in use, and prints every endpoint it finds — methods, paths, parameters, headers, and cookies.

Check What Was Detected

Curious which technologies Noir picked up? Add --include-techs to see them alongside the results:

noir -b . --include-techs

To see every technology Noir knows how to analyze:

noir --list-techs

If your framework isn't listed, you can still use AI-powered analysis to detect endpoints.

Try Different Output Formats

The default output is a human-readable table. Depending on your workflow, you might want something else:

# Machine-readable JSON for scripting and pipelines
noir -b . -f json

# YAML for easy reading and config-friendly workflows
noir -b . -f yaml

# OpenAPI spec — useful for generating API docs or feeding into tools
noir -b . -f oas3

# cURL commands you can run immediately against a live target
noir -b . -f curl -u https://your-target.com

See all available formats in the Output Formats section.

Save Results to a File

Instead of printing to the terminal, write the output to a file with -o:

noir -b . -f json -o results.json

This is useful for diffing results between scans, feeding into CI pipelines, or sharing with your team.
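One way to do that diff, as an added example that is not part of the Noir project: it compares two saved scans and reports endpoints and parameters that appeared or disappeared, which is the attack-surface change a reviewer or CI gate cares about. The sample data is constructed, and the JSON key names (endpoints, method, url, params, name, param_type) are assumptions about the layout of results.json; check them against your own output.

```python
import json

# Constructed sample scans (not real Noir output). Key names below are assumed.
BASELINE = json.loads("""{"endpoints": [
  {"method": "GET", "url": "/health", "params": []},
  {"method": "GET", "url": "/users/:id", "params": [{"name": "id", "param_type": "path"}]},
  {"method": "POST", "url": "/login",
   "params": [{"name": "username", "param_type": "form"},
              {"name": "password", "param_type": "form"}]}
]}""")
CURRENT = json.loads("""{"endpoints": [
  {"method": "GET", "url": "/users/:id", "params": [{"name": "id", "param_type": "path"}]},
  {"method": "POST", "url": "/login",
   "params": [{"name": "username", "param_type": "form"},
              {"name": "password", "param_type": "form"},
              {"name": "redirect", "param_type": "query"}]},
  {"method": "DELETE", "url": "/admin/users/:id", "params": [{"name": "id", "param_type": "path"}]}
]}""")


def index(scan):
    """Map (METHOD, url) -> set of (param_type, name) for one scan."""
    # Accept either a top-level list or an object with an "endpoints" key.
    endpoints = scan.get("endpoints", []) if isinstance(scan, dict) else scan
    table = {}
    for ep in endpoints:
        key = (ep.get("method", "").upper(), ep.get("url", ""))
        params = {(p.get("param_type", ""), p.get("name", ""))
                  for p in ep.get("params") or []}
        table.setdefault(key, set()).update(params)
    return table


def diff_scans(old, new):
    """Return (added endpoints, removed endpoints, newly accepted params)."""
    a, b = index(old), index(new)
    added = sorted(b.keys() - a.keys())
    removed = sorted(a.keys() - b.keys())
    new_params = {k: sorted(b[k] - a[k]) for k in a.keys() & b.keys() if b[k] - a[k]}
    return added, removed, new_params

if __name__ == "__main__":
    added, removed, new_params = diff_scans(BASELINE, CURRENT)
    for method, url in added:
        print(f"+ {method} {url}")
    for method, url in removed:
        print(f"- {method} {url}")
    for (method, url), params in new_params.items():
        print(f"~ {method} {url} new params: {params}")
```

To compare real scans, load two files written with -f json -o in place of the constructed samples and pass them to diff_scans.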

Trace Endpoints Back to Source

Want to know exactly where an endpoint was defined? Add --include-path to show source file locations:

noir -b . --include-path

Combine it with other options for a complete picture:

noir -b . --include-path --include-techs -f json -o results.json

Focus Your Scan

Large monorepos may contain many frameworks. You can narrow the scan to what matters:

# Run only the Rails and Django detectors (skip everything else)
noir -b . --only-techs rails,django

# Force-tag the project with these techs without running their detectors
noir -b . --techs rails,django

# Scan everything except Express
noir -b . --exclude-techs express

# Skip files by glob (useful in monorepos — comma-separated)
noir -b . --exclude-path "*_test.go,vendor/*,**/node_modules/**"

--only-techs and --techs look similar but do different things: --only-techs filters the detector list (faster scan, only those detectors run), while --techs adds techs to the result without running detection (useful when you already know the stack and want to skip discovery).

Enrich the Output

A few flags add extra context to each endpoint without changing the detection pipeline:

# Attach 1-hop handler callees (function/method calls inside the route body)
noir -b . --include-callee

# Attach an AI-review-ready context (guards, callees, sinks, validators, signals)
noir -b . --ai-context

See Callee Coverage and AI Context for the data shape and per-framework support.

Quick Reference

Flag                                  What it does
-b <path>                             Directory to scan
-f <format>                           Output format (json, yaml, oas3, curl, etc.)
-o <file>                             Write output to a file
-u <url>                              Base URL for cURL/HTTPie output
--include-path                        Show source file locations
--include-techs                       Show detected technologies
--include-callee                      Attach 1-hop handler callees
--ai-context                          Attach guards, sinks, validators, and signals for AI review
--set-pvalue / --set-pvalue-<type>    Fill parameter values in output (see HTTP Client Commands)
--only-techs                          Run only these tech detectors (skip the rest)
--techs                               Force-tag these techs without running their detectors
--exclude-techs                       Skip these frameworks
--exclude-path                        Skip files matching a comma-separated glob list
--status-codes                        Probe each endpoint and attach the observed HTTP status code
--exclude-codes                       Drop endpoints whose probed status matches (comma-separated; pairs with --status-codes)
--config-file <path>                  Load default options from a YAML config file
--concurrency <N>                     Worker count (default: CPU cores)
--cache-disable                       Disable the LLM response cache for this run
--cache-clear                         Clear the LLM response cache before running
--verbose                             Detailed logging
--no-log                              Suppress all logs
--no-color                            Disable ANSI colors in plain output
--build-info                          Print noir / Crystal / LLVM versions and target triple
--help                                Full help
--help-all                            Full help with examples and environment variables

You've completed the Getting Started guide! Here's what to explore next:

  • Configurations — Set default options so you don't repeat flags every time
  • Output Formats — Dive deeper into all output formats
  • Passive Scan — Scan for security issues like hardcoded secrets and misconfigurations
  • AI Power — Use AI to detect endpoints in unsupported frameworks