AuditWalk CLI Guide

Operator-first guide for running AuditWalk on Linux, Windows, and macOS from first scan through advisory review. Use this page for sequence and intent; use the CLI Reference for exact syntax details.

Platform overview

AuditWalk helps you establish a trusted baseline, detect system drift, and interpret findings without mutating system state by default.

  • scan collects evidence.
  • baseline confirm <scan_id> creates a trusted anchor from the scan.
  • preflight performs fast verification.
  • compare computes baseline-relative drift.
  • doctor run interprets findings into advisory next steps (paid).

Use platform-native terminals and paths:

  • Linux: Bash/Zsh shell, paths like ~/.auditwalk.
  • Windows: PowerShell terminal, paths like $env:USERPROFILE\.auditwalk.
  • macOS: Terminal (zsh), paths like ~/.auditwalk.

Linux instructions

Linux is the primary CLI operating surface. Run the guided first-run path, then continue with baseline and drift workflow commands.

# Linux (bash/zsh)
auditwalk init
auditwalk scan run --profile full
auditwalk baseline confirm <scan_id>
auditwalk preflight run
auditwalk compare run --format json --out compare.json
auditwalk doctor run --format json --out doctor.json

  • Use --profile full for a complete baseline capture during initial setup.
  • Store exported artifacts in versioned run folders for reproducibility.
  • Confirm baseline state with auditwalk baseline show before automated workflows.

Windows instructions

On Windows, use PowerShell and keep output paths explicit so reports and compare artifacts are easy to archive and review.

# Windows (PowerShell)
auditwalk init
auditwalk scan run --profile full
auditwalk baseline confirm <scan_id>
auditwalk preflight run
auditwalk compare run --format json --out .\compare.json
auditwalk doctor run --format json --out .\doctor.json

  • Run commands from a PowerShell session with permissions appropriate for your scan scope.
  • Use Windows-style output destinations when scripting with task automation.
  • If a workflow references Linux-style paths, translate them to $env:USERPROFILE-based paths.

macOS instructions

On macOS, run AuditWalk from Terminal using zsh and keep baseline, compare, and advisory runs aligned with your regular operator cadence.

# macOS (zsh)
auditwalk init
auditwalk scan run --profile full
auditwalk baseline confirm <scan_id>
auditwalk preflight run
auditwalk compare run --format json --out compare.json
auditwalk doctor run --format json --out doctor.json

  • Use explicit output files during incident review sessions so compare and doctor outputs can be handed off cleanly.
  • Validate baseline presence with auditwalk baseline show before running repeated compare cycles.
  • For launchd-related drift, use compare and doctor outputs together before response actions.

Core workflow (all platforms)

There are two valid first-run paths. Use only one to avoid duplicate setup:

  • Quick path (recommended): auditwalk init for guided first-run setup.
  • Explicit path (advanced): scan run then baseline confirm <scan_id> for manual control.

Run this sequence for the standard operator path:

auditwalk scan run --profile full
auditwalk baseline confirm <scan_id>
auditwalk preflight run
auditwalk compare run --format json
auditwalk doctor run --format json

  1. scan run captures current state as evidence.
  2. baseline confirm <scan_id> creates the trusted anchor.
  3. preflight run gives a quick confidence pass.
  4. compare run returns factual drift.
  5. doctor run adds advisory interpretation (paid).

How to read results

First-run success checkpoint:

auditwalk baseline show

  • Expect an active baseline reference in output.
  • Expect a current state summary and next best command.

Review order:

  1. Read compare first for factual drift details.
  2. Read doctor run second for advisory triage and next steps (paid).

Interpretation notes:

  • Treat compare as the source of factual state differences.
  • Treat doctor run as advisory interpretation, not execution.
  • If policy metadata appears (for example policy_suppressed), keep the original and effective severity values distinct in your records.
  • If advisory state is degraded or guardrail blocked, continue manual review.

Watch vs manual workflow

watch automates repeated compare cycles at a fixed interval. Manual workflow remains valid at all times.

Manual equivalent:

auditwalk compare run
auditwalk doctor run

Continuous monitoring (Pro):

auditwalk watch run --interval 300

Use manual workflow for explicit periodic checks. Use watch for interval-based continuous detection and event output.
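The following script is an added example, not part of AuditWalk's own tooling: it wraps the manual compare/doctor cycle above into a versioned run folder (as the Linux notes recommend) and writes a SHA-256 manifest so the JSON artifacts can serve as an audit trail when handed off. It assumes `auditwalk` is on PATH, that a baseline has already been confirmed, and that the base directory you pass (for example ~/.auditwalk/runs) is writable; the function names and folder layout are this example's own choices. Because doctor run is paid, a failure of that step is logged and the compare output is kept rather than the whole cycle being discarded.

```shell
#!/bin/sh
# Added example (not AuditWalk's own code): one manual check cycle that stores
# its artifacts in a versioned run folder with a SHA-256 manifest.
# Assumptions: `auditwalk` is on PATH and a baseline has already been confirmed
# with `auditwalk baseline confirm <scan_id>`.

# Portable SHA-256: GNU coreutils has sha256sum, macOS ships shasum.
sha256_files() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# run_cycle BASE_DIR
# Creates BASE_DIR/<UTC timestamp>/ (suffixed if it already exists), runs
# compare then doctor into it, hashes the artifacts, and prints the folder path.
run_cycle() {
  base_dir="$1"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  run_dir="$base_dir/$stamp"
  n=0
  # Two cycles within the same second must not overwrite each other.
  while [ -e "$run_dir" ]; do
    n=$((n + 1))
    run_dir="$base_dir/$stamp-$n"
  done
  mkdir -p "$run_dir"

  # Factual drift first; this step must succeed for the cycle to be useful.
  auditwalk compare run --format json --out "$run_dir/compare.json"

  # Advisory interpretation second (paid). A missing licence must not discard
  # the compare output already captured, so failure here is logged, not fatal.
  if ! auditwalk doctor run --format json --out "$run_dir/doctor.json"; then
    echo "doctor run unavailable; review $run_dir/compare.json manually" >&2
  fi

  # Record hashes of whatever was produced so reviewers can verify the hand-off.
  files=""
  for f in compare.json doctor.json; do
    if [ -f "$run_dir/$f" ]; then
      files="$files $f"
    fi
  done
  ( cd "$run_dir" && sha256_files $files > manifest.sha256 )

  printf '%s\n' "$run_dir"
}

# Usage: sh auditwalk-cycle.sh ~/.auditwalk/runs
# Schedule it with cron or a systemd timer for interval checks without `watch`.
if [ $# -gt 0 ]; then
  run_cycle "$1"
fi
```

Each invocation prints the folder it created, so a scheduler can log that path; comparing manifest.sha256 against the files later tells a reviewer whether the compare and doctor artifacts are the ones that were produced at that time.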

Common mistakes and operator notes

  • Do not skip baseline confirm; compare and preflight depend on a confirmed baseline.
  • Prefer canonical commands in automation and runbooks; use aliases for operator convenience only.
  • Use --format json when you need machine-readable output and audit trails.
  • Do not treat advisory output as repair execution.
  • If watch is unavailable in your license tier, run manual compare and use doctor run when licensed.