Community mode is the free, open-source way to run Dev Machine Guard locally on your macOS developer machine. All scanning happens on-device. No data leaves your machine.
```bash
git clone https://github.com/step-security/dev-machine-guard.git
cd dev-machine-guard
chmod +x stepsecurity-dev-machine-guard.sh
./stepsecurity-dev-machine-guard.sh
```

Or run directly without cloning:

```bash
curl -sSL https://raw.githubusercontent.com/step-security/dev-machine-guard/main/stepsecurity-dev-machine-guard.sh -o stepsecurity-dev-machine-guard.sh
chmod +x stepsecurity-dev-machine-guard.sh
./stepsecurity-dev-machine-guard.sh
```

Dev Machine Guard supports three mutually exclusive output formats.
```bash
./stepsecurity-dev-machine-guard.sh
```

Pretty mode prints a styled, human-readable report directly to your terminal, including sections for Device information, Summary counts, AI Agents and Tools, IDEs and Desktop Apps, MCP Servers, and IDE Extensions.

```bash
# Print JSON to stdout
./stepsecurity-dev-machine-guard.sh --json

# Pipe through python for formatted output
./stepsecurity-dev-machine-guard.sh --json | python3 -m json.tool

# Save to a file
./stepsecurity-dev-machine-guard.sh --json > scan.json
```

JSON mode writes a single JSON object to stdout. This is useful for scripting, piping into other tools, or storing results for later analysis. See Reading Scan Results for the full schema reference.

```bash
./stepsecurity-dev-machine-guard.sh --html report.html
```

HTML mode generates a self-contained HTML file with a styled report. The report can be opened in any browser and is suitable for sharing with team leads or printing.
| Flag | Description |
|---|---|
| `--pretty` | Pretty terminal output (this is the default if no format is specified) |
| `--json` | JSON output to stdout |
| `--html FILE` | HTML report saved to FILE |
| `--verbose` | Show progress messages during the scan (suppressed by default) |
| `--color=WHEN` | Color mode: auto (default), always, or never. In auto mode, colors are used only when stdout is a terminal. |
| `--enable-npm-scan` | Enable Node.js package scanning (npm, yarn, pnpm, bun). Off by default in community mode because it can be slow on machines with many projects. |
| `--version` | Print the scanner version and exit |
| `--help` | Show the full usage help and exit |
```bash
./stepsecurity-dev-machine-guard.sh
```

Runs the scan and prints a styled report to the terminal. Progress messages are suppressed by default.

```bash
./stepsecurity-dev-machine-guard.sh --verbose
```

Same as above, but progress messages (e.g., "Detecting IDE installations...", "Found: Cursor (Cursor) v0.50.1") are printed to stderr so you can follow along.

```bash
./stepsecurity-dev-machine-guard.sh --json | jq '.ai_agents_and_tools[] | .name'
```

Extracts the name of every detected AI tool.

```bash
./stepsecurity-dev-machine-guard.sh --json --enable-npm-scan > full-scan.json
```

Produces a comprehensive JSON scan including globally installed npm/yarn/pnpm/bun packages and per-project dependency listings.

```bash
./stepsecurity-dev-machine-guard.sh --html report.html --verbose --color=never
```

Generates an HTML report while showing progress messages without ANSI color codes (useful when piping stderr to a log file).
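
Because JSON mode is meant for storing results for later analysis, one use is comparing a saved scan against an earlier baseline to see which AI tools appeared or disappeared on the machine. The following is an added example, not part of Dev Machine Guard; it relies only on the `ai_agents_and_tools[].name` field shown in the jq example above, and the function names and sample tool names are constructed for illustration.

```python
import json
import sys

# Key and field taken from the jq example on this page; other sections of the
# scan are described in Reading Scan Results and are not assumed here.
SECTION = "ai_agents_and_tools"


def tool_names(scan_text, section=SECTION):
    """Return the set of tool names found in one saved --json scan."""
    scan = json.loads(scan_text)
    if not isinstance(scan, dict):
        raise ValueError("scan output must be a single JSON object")
    entries = scan.get(section) or []
    if not isinstance(entries, list):
        raise ValueError(f"{section!r} is not a list")
    names = set()
    for entry in entries:
        # Skip malformed entries rather than aborting the whole comparison.
        if isinstance(entry, dict) and isinstance(entry.get("name"), str):
            names.add(entry["name"])
    return names


def diff_scans(baseline_text, current_text, section=SECTION):
    """Compare two scans and report names that appeared or disappeared."""
    before = tool_names(baseline_text, section)
    after = tool_names(current_text, section)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Constructed sample scans (not real scanner output); only "name" is filled in.
BASELINE = json.dumps({SECTION: [{"name": "example-agent-a"}, {"name": "example-cli"}]})
CURRENT = json.dumps(
    {SECTION: [{"name": "example-agent-a"}, {"name": "example-agent-b"}, {"bad": 1}]}
)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: diff_scans.py baseline.json current.json
        with open(sys.argv[1]) as b, open(sys.argv[2]) as c:
            result = diff_scans(b.read(), c.read())
    else:
        result = diff_scans(BASELINE, CURRENT)
    print(json.dumps(result, indent=2))
    # Non-zero exit lets a scheduled job flag newly appeared tools for review.
    sys.exit(1 if result["added"] else 0)
```

Save one scan as the baseline with `--json > scan.json`, then pass it and a later scan as the two arguments.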
In community mode:
- No data leaves your machine. There is no backend, no API calls, no telemetry.
- The script source code is fully open. You can audit exactly what it does.
- All output is written to stdout (JSON, pretty) or to a local file (HTML). Nothing is transmitted over the network.
If you need centralized visibility across a fleet of developer machines, start a 14-day free trial by installing the StepSecurity GitHub App.
- Reading Scan Results -- understand what each section and field means
- Adding Detections -- contribute new tool or IDE detections
- SCAN_COVERAGE.md -- full catalog of supported detections
- CONTRIBUTING.md -- how to contribute to the project