How to Use Secho Scanner

Complete documentation for the CLI scanner and client portal — from installation to reading your results.

Installation

Secho Scanner is a single self-contained binary. Download it from your client portal after logging in, or follow the instructions below.

macOS

# Download from your portal, then:
gunzip secho_darwin_arm64.gz        # or secho_darwin_amd64.gz for Intel
chmod +x secho_darwin_arm64
sudo mv secho_darwin_arm64 /usr/local/bin/secho

# Allow Gatekeeper on first run
xattr -d com.apple.quarantine /usr/local/bin/secho

Linux

curl -L -o secho.gz "https://<signed-url-from-portal>"
gunzip secho.gz
chmod +x secho
sudo mv secho /usr/local/bin/secho

# Verify GPG signature (recommended)
curl -L -o secho.asc "<sig-url-from-portal>"
curl -L -o secho_key.asc "<key-url-from-portal>"
gpg --import secho_key.asc
gpg --verify secho.asc secho
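The steps above verify the signature but nothing stops you from installing the binary when `gpg --verify` fails. The script below is an added example, not Secho's own tooling or documentation: it repeats the Linux install as a fail-closed routine that downloads the binary, detached signature and public key from the three signed portal URLs you pass as arguments, verifies them in a throwaway keyring, and only moves the binary into place when the signature is good and comes from the signer named on the portal download page (security@sechosecurity.io). The helper names `signature_ok` and `install_verified` are hypothetical.

```shell
#!/bin/sh
# Added example, not Secho's own tooling: a fail-closed version of the Linux install steps.
# It downloads the binary, detached signature and public key from the three signed portal
# URLs you pass as arguments, verifies in a throwaway keyring, and only then installs.
# EXPECTED_SIGNER comes from the portal download page; the helper names are hypothetical.
set -eu

EXPECTED_SIGNER="security@sechosecurity.io"

# signature_ok: read `gpg --status-fd 1 --verify` output on stdin and succeed only when
# it contains a VALIDSIG line and a GOODSIG line naming the expected signer, and no
# failure status (BADSIG, ERRSIG, missing/expired/revoked key). Kept separate from the
# download so the decision logic can be exercised with constructed status lines.
signature_ok() {
  status=$(cat)
  case "$status" in
    *BADSIG*|*ERRSIG*|*NO_PUBKEY*|*EXPSIG*|*EXPKEYSIG*|*REVKEYSIG*) return 1 ;;
  esac
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] GOODSIG .*$EXPECTED_SIGNER" || return 1
  return 0
}

# install_verified BIN_URL SIG_URL KEY_URL [DEST]
install_verified() {
  bin_url="$1"; sig_url="$2"; key_url="$3"; dest="${4:-/usr/local/bin/secho}"
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT

  # -f makes curl fail on an HTTP error (for example an expired 60-second link) instead
  # of saving the error page as if it were the binary.
  curl -fsSL -o "$work/secho.gz" "$bin_url"
  curl -fsSL -o "$work/secho.asc" "$sig_url"
  curl -fsSL -o "$work/secho_key.asc" "$key_url"
  gunzip "$work/secho.gz"

  # Throwaway keyring: the vendor key is used for this check only and never lands in
  # your personal keyring.
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$work/secho_key.asc"

  if gpg --batch --status-fd 1 --verify "$work/secho.asc" "$work/secho" 2>/dev/null | signature_ok; then
    chmod +x "$work/secho"
    sudo mv "$work/secho" "$dest"
    echo "verified signature from $EXPECTED_SIGNER; installed to $dest"
  else
    echo "signature verification FAILED; nothing installed" >&2
    return 1
  fi
}

# Usage: ./install_secho.sh "<signed-url-from-portal>" "<sig-url-from-portal>" "<key-url-from-portal>"
if [ $# -ge 3 ]; then
  install_verified "$@"
fi
```

Because the portal links expire after 60 seconds, generate the three URLs and run the script immediately; `curl -f` turns an expired link into a hard failure rather than a corrupt download. Parsing the machine-readable `--status-fd` lines instead of `gpg`'s human-readable text is what lets the script insist on the expected signer rather than accepting any key that happens to be in the keyring.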

Windows

# PowerShell
Invoke-WebRequest -Uri "<signed-url>" -OutFile secho.exe.gz
tar -xzf secho.exe.gz
Move-Item secho.exe C:\Windows\System32\secho.exe

Download links are authenticated and expire in 60 seconds. Visit your portal download page to generate fresh links.

Your API Key

Every scan requires a valid API key. Keys begin with secho_live_. Find yours in the portal under the home page API Key section.

Pass it with every command using --api-key:

secho scan example.com --api-key secho_live_xxxxxxxxxxxx

Never share your API key. Each scan deducts one credit from your account whether results are uploaded to the portal or output locally.
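Typing the key on the command line leaves it in shell history and in any script that hard-codes it. The wrapper below is an added example, not Secho's own tooling: it reads the key from a file that only the owner can read, checks that it carries the `secho_live_` prefix described above, and only then invokes `secho` with `--api-key`. The file path `~/.config/secho/api_key`, the `SECHO_KEY_FILE` variable and the `load_api_key` helper are assumptions of this example, not settings the scanner knows about.

```shell
#!/bin/sh
# Added example (not Secho's own tooling): run secho with the API key read from a
# protected file instead of typing it on the command line.
# Assumes the key lives in ~/.config/secho/api_key (hypothetical path) with mode 0600.
set -eu

KEY_FILE="${SECHO_KEY_FILE:-${HOME:-.}/.config/secho/api_key}"

# load_api_key FILE
# Prints the key on stdout; fails if the file is missing, readable by group or others,
# or does not carry the secho_live_ prefix the docs describe.
load_api_key() {
  f="$1"
  [ -f "$f" ] || { echo "key file not found: $f" >&2; return 1; }
  # find prints the path when any group/other read bit is set; an empty result means 0600 or tighter.
  if [ -n "$(find "$f" \( -perm -g=r -o -perm -o=r \) 2>/dev/null)" ]; then
    echo "refusing to use $f: readable by group or others (chmod 600 it)" >&2
    return 1
  fi
  key=$(head -n 1 "$f" | tr -d '[:space:]')
  case "$key" in
    secho_live_*) ;;
    *) echo "key in $f does not start with secho_live_" >&2; return 1 ;;
  esac
  printf '%s\n' "$key"
}

# Every invocation still costs one credit, so this wrapper is about keeping the key
# out of shell history and scripts, not about saving credits.
# Usage: ./secho-wrapped.sh scan example.com
if [ $# -ge 1 ]; then
  api_key=$(load_api_key "$KEY_FILE")
  exec secho "$@" --api-key "$api_key"
fi
```

Because the scanner only accepts the key via `--api-key`, the value is still visible in the process list for the duration of the scan; the wrapper removes it from history and from checked-in scripts, which is where leaked keys are usually found, but it cannot hide it from other local users on a shared host.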

First Scan

The fastest way to run your first scan is a TPRM scan against any domain:

secho scan example.com --api-key secho_live_xxxxxxxxxxxx

After the scan completes, results upload automatically to your portal and a dashboard URL is printed. The scan takes 30–90 seconds depending on the target.

Third-Party Risk (TPRM) Scan

Assesses a vendor's external security posture across DNS, SSL, email security, open ports, breach history, threat intelligence, and prohibited vendor checks.

secho scan vendor.com --api-key secho_live_xxx
secho scan vendor.com --api-key secho_live_xxx --getResults text
secho scan vendor.com --api-key secho_live_xxx --getResults json > result.json

--getResults text prints results to the terminal without opening the portal. --getResults json outputs machine-readable JSON. In both cases a credit is still deducted and results are uploaded to the portal.

GCP Cloud Audit

Audits a Google Cloud project for IAM misconfigurations, storage exposure, firewall rules, compute security, Cloud SQL, GKE, logging, and event detection. Requires Application Default Credentials (ADC).

# Authenticate first
gcloud auth application-default login

# Run audit
secho scan --type=cloud --cloud=gcp --project=my-gcp-project-id \
  --api-key secho_live_xxx

The scanner uses your current ADC context. Ensure the authenticated account has Security Reviewer and Cloud Asset Viewer roles.

AWS Cloud Audit

Audits your AWS account for IAM, S3, EC2, RDS, CloudTrail, load balancers, Lambda, API Gateway, CloudFront, ECS, and OpenSearch exposure.

# Configure credentials first
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_DEFAULT_REGION=us-east-1

# Or use a named profile
export AWS_PROFILE=my-profile

secho scan --type=cloud --cloud=aws --api-key secho_live_xxx

The IAM user or role needs SecurityAudit and ReadOnlyAccess managed policies.

GitHub Organization Audit

Audits your GitHub organization for repository settings, secrets exposure, branch protections, Actions security, supply chain risks, and access permissions.

secho scan --type=github --org=your-org-name \
  --github-token=ghp_xxxxxxxxxxxx \
  --api-key secho_live_xxx

The GitHub token requires read:org, repo, and read:packages scopes. A fine-grained token scoped to your organization works best.

AI Security Audit

Audits GCP or AWS AI/ML infrastructure — Vertex AI, Cloud Functions, Secret Manager, IAM for AI workloads, training data exposure, and benchmark mapping against NIST AI RMF.

# GCP AI Audit
secho scan --type=ai-audit --cloud=gcp --project=my-project \
  --api-key secho_live_xxx

# AWS AI Audit
secho scan --type=ai-audit --cloud=aws --api-key secho_live_xxx

Document Audit

Scans local directories, files, or cloud storage (S3/GCS) for EO18/NDAA §889 compliance issues — prohibited vendor references and missing FAR/DFARS clauses. Supports two scan depths: light (pattern matching, no AI, no extra credentials) and deep (pattern matching + AI analysis).

Light scan — no AI required

Pattern matching only. No AI provider needed. Works offline. Point at any directory, file, S3 bucket, or GCS bucket.

secho scan --type=doc-audit \
  --path=/path/to/contracts \
  --api-key=secho_live_xxx

Deep scan — Vertex AI (FedRAMP, recommended for federal)

Uses Google Vertex AI via Application Default Credentials. No --ai-api-key needed — authentication is handled by your local gcloud credentials.

Step 1 — Authenticate once:

gcloud auth application-default login

Step 2 — Run the scan:

secho scan --type=doc-audit \
  --path=/path/to/contracts \
  --scan-depth=deep \
  --ai-provider=vertex \
  --project=your-gcp-project-id \
  --api-key=secho_live_xxx

Note: The GCP project must have the Vertex AI API enabled (gcloud services enable aiplatform.googleapis.com) and your account must have the roles/aiplatform.user IAM role. The default model is gemini-2.0-flash.

Deep scan — Gemini API

Calls the Gemini API directly. Requires a Gemini API key from aistudio.google.com. Not FedRAMP authorized — for commercial use only. Requires a paid Gemini account (free tier has strict rate limits).

secho scan --type=doc-audit \
  --path=/path/to/contracts \
  --scan-depth=deep \
  --ai-provider=gemini \
  --ai-api-key=AIza... \
  --api-key=secho_live_xxx

Deep scan — OpenAI

Uses OpenAI GPT-4o. Requires an API key from platform.openai.com. Not FedRAMP authorized — for commercial use only.

secho scan --type=doc-audit \
  --path=/path/to/contracts \
  --scan-depth=deep \
  --ai-provider=openai \
  --ai-api-key=sk-... \
  --api-key=secho_live_xxx

Cloud storage sources

# AWS S3 — uses your local AWS credentials (~/.aws/credentials)
secho scan --type=doc-audit \
  --path=s3://my-bucket/contracts/ \
  --api-key=secho_live_xxx

# GCP Cloud Storage — uses gcloud ADC credentials
secho scan --type=doc-audit \
  --path=gs://my-bucket/vendor-docs/ \
  --api-key=secho_live_xxx

AI provider comparison:

  • vertex — FedRAMP High authorized, uses gcloud ADC, requires --project, no API key needed
  • gemini — Not FedRAMP, requires --ai-api-key, paid tier recommended
  • openai — Not FedRAMP, requires --ai-api-key

Supported file types: PDF, DOCX, TXT, CSV, XLSX, MD

Privacy: Document text is never stored. Only findings metadata (file name, severity, matched vendor, clause reference) is uploaded to the portal.

All Flags

Flag                                 Description
--api-key                            Your Secho API key (required)
--type                               Scan type: tprm, cloud, github, ai-audit, doc-audit
--cloud                              Cloud provider: gcp or aws (cloud/ai-audit only)
--project                            GCP project ID
--org                                GitHub organization name
--github-token                       GitHub personal access token
--getResults text                    Print results to terminal, still uploads to portal
--getResults json                    Output results as JSON to stdout, still uploads to portal
--quiet                              Suppress all terminal output
--verbose                            Show detailed findings in terminal output
--path                               Path to scan: local dir/file, s3://bucket/prefix, or gs://bucket/prefix (required for doc-audit)
--scan-depth light|deep              light = pattern matching only, no AI, no extra credentials (default); deep = pattern matching + AI
--ai-provider vertex|gemini|openai   AI provider for deep scan. vertex = FedRAMP, uses gcloud ADC (default); gemini/openai require --ai-api-key
--ai-api-key                         API key for gemini or openai. Not needed for vertex — uses gcloud application-default credentials
--project                            GCP project ID — required when using --ai-provider=vertex
--recursive                          Recurse into subdirectories (default: true)

Logging into the Portal

The portal is at portal.secho.ai. Sign in with Google or Microsoft. Access is restricted — if you cannot log in, contact your administrator to be added.

Reading Your Scan Results

Each scan appears in the Scans list with a score out of 100 and a letter grade. Click any scan to open the detail view with the following tabs:

  • Overview — score breakdown, finding counts by severity, top findings
  • Findings — full list of all checks with severity, detail, and remediation steps
  • Threat Intelligence — Shodan CVE data, GreyNoise IP classification, Feodo botnet C2 checks, breach history
  • Event Detection — (cloud scans only) real-time suspicious activity from Cloud Audit Logs
  • Public Exposure — (cloud scans only) all public-facing IPs, hostnames, load balancers, functions, and databases
  • Benchmarks — mapping to CIS, NIST 800-53, SOC 2, FedRAMP, PCI DSS, NIST AI RMF

Accepting Risks

If a finding is a known acceptable risk, you can mark it as accepted directly in the portal. Click Accept Risk on any finding, enter a required justification comment, and the finding is excluded from your score calculation. Accepted risks can be revoked at any time. All acceptances are logged with the accepting user's email and timestamp.

Downloading the Scanner Binary

After logging in, go to Download Secho Scanner from the portal home page. Download links are authenticated and expire in 60 seconds — refresh the page to generate new ones if a link expires. Linux binaries include a GPG signature from security@sechosecurity.io for verification.