Run the complete Dino pipeline against your API. Discovers your schema, executes all 6 testing agents, builds an API Intelligence catalog, and saves a schema snapshot.
This is the primary command. Most workflows start here.
Usage
dino scan --tenant <id> [flags]
Flags
| Flag | Type | Default | Description |
|---|
--tenant | string | — | Required. Tenant ID (or set in .dino.yml) |
--env | string | Tenant default | Target environment (must match environments in tenant config) |
--format | "markdown" | "json" | "markdown" | Output format for the Intelligence Report |
--quiet | boolean | false | Suppress stdout output |
--verbose | boolean | false | Print resolved config defaults and debug info |
--tools | string[] | All tools | Comma-separated list of tools to run (e.g. --tools health-check,auth-probe) |
--modules | string[] | All modules | Comma-separated list of modules to scope the scan |
--reasoning | boolean | false | Enable AI-powered reasoning (requires DINO_AI_KEY) |
--timeout | number | 300000 | Pipeline timeout in milliseconds |
--snapshot-dir | string | .dino/snapshots | Directory to save schema snapshots |
--endpoint | string | From tenant config | Override the API endpoint URL |
--protocol | "graphql" | "graphql" | API protocol |
The --tenant flag can be omitted if tenant is set in your .dino.yml config file.
Authentication Flags
| Flag | Type | Default | Description |
|---|
--auth | object | { enabled: false } | Enable authenticated scanning |
--ai-key | string | DINO_AI_KEY env var | API key for AI reasoning (Pro tier) |
When --reasoning is passed without an API key (via --ai-key or DINO_AI_KEY env var), the command exits with code 1.
Pipeline Steps
- Discover — Introspects your API schema and builds an operation list
- Execute — Runs all 6 testing agents against discovered operations
- Catalog — Builds an API Intelligence catalog from results
- Snapshot — Saves a schema snapshot for future
dino diff / dino changelog comparisons
- Report — Renders the catalog as Markdown or JSON
Examples
Basic scan
dino scan --tenant acme --env production
# API Intelligence Report — acme / production
## Operations (24 discovered)
| Operation | Type | Health | Findings |
|-----------|-------|--------|----------|
| getUser | query | 92 | 1 |
| ... | ... | ... | ... |
JSON output for CI
dino scan --tenant acme --env staging --format json --quiet > report.json
dino scan --tenant acme --tools health-check,auth-probe --modules users,billing
health-check and auth-probe tools, scoped to the users and billing modules.
With AI reasoning
export DINO_AI_KEY="sk-ant-..."
dino scan --tenant acme --env qa --reasoning
Use --verbose to see which defaults Dino applied (format, timeout, snapshot directory, concurrency).
RBAC Behavior
When authentication is not configured, the rbac-matrix tool is automatically excluded from the scan — even if explicitly passed via --tools. This prevents false-positive RBAC findings on unauthenticated APIs.
A warning is printed when this occurs:
--tools includes rbac-matrix but no auth is configured. RBAC tool skipped.
Degraded Mode
If all tools fail during a pipeline run, the scan completes in degraded mode. The report is still generated but contains no test data. The exit code is 1.
WARNING: Pipeline ran in degraded mode -- all tools failed. Report contains no test data.
Exit Codes
| Code | Meaning |
|---|
0 | Pipeline completed successfully |
1 | Pipeline failed, degraded mode, or missing required config |
