CLI GUIDE

CLI Guide

Operator-first guide for running AuditWalk from first scan through advisory review. Use this page for sequence and intent; use the CLI Reference for exact syntax details.

CLI Guide

Workflow learning, first-run setup, and operator sequence.

Open CLI Guide

CLI Reserve

Future vocabulary kept separate from runtime behavior.

Open CLI Reserve

What AuditWalk does

AuditWalk helps you establish a trusted baseline, detect system drift, and interpret findings without mutating system state by default.

  • scan collects evidence.
  • baseline set marks trusted reference state.
  • preflight performs fast verification.
  • compare computes baseline-relative drift.
  • doctor interprets findings into advisory next steps.

Core manual workflow

Run this sequence for the standard operator path:

auditwalk scan run --profile full
auditwalk baseline set --scan-id <scan_id>
auditwalk preflight run
auditwalk compare run --format json
auditwalk doctor run --format json
  1. scan run captures current state as evidence.
  2. baseline set creates the trusted anchor.
  3. preflight run gives a quick confidence pass.
  4. compare run returns factual drift.
  5. doctor run adds advisory interpretation.

First-session walkthrough

  1. Run a full scan.
    auditwalk scan run --profile full
  2. Capture produced scan_id and set baseline.
    auditwalk baseline set --scan-id <scan_id>
  3. Run preflight for baseline-referenced posture.
    auditwalk preflight run
  4. Run compare and save JSON output.
    auditwalk compare run --format json --out compare.json
  5. Run doctor and save advisory output.
    auditwalk doctor run --format json --out doctor.json

How to read results

  1. Read compare first for factual drift details.
  2. Read doctor second for advisory triage and next steps.
  • Treat compare as source of factual state differences.
  • Treat doctor as advisory interpretation, not execution.
  • If policy metadata appears (for example policy_suppressed), keep original vs effective severity distinctions intact.
  • If advisory state is degraded or guardrail blocked, continue manual review.

Watch vs manual workflow

watch automates repeated compare cycles at a fixed interval. Manual workflow remains valid at all times.

Manual equivalent:

auditwalk compare run
auditwalk doctor run

Continuous monitoring (Pro):

auditwalk watch run --interval 300

Use manual workflow for explicit periodic checks. Use watch for interval-based continuous detection and event output.

Common mistakes and operator notes

  • Do not skip baseline set. compare and preflight depend on baseline context.
  • Prefer canonical commands in automation and runbooks; use aliases for operator convenience only.
  • Use --format json when you need machine-readable output and audit trails.
  • Do not treat advisory output as repair execution.
  • If watch is unavailable in your license tier, run manual compare + doctor workflow.