GETTING STARTED

From zero to first score in 5 minutes

Download the CLI, run one smart command, and open your dashboard. Gravio auto-discovers setup, auth, project linking, scan, and publish.

Step 1

Download the Gravio CLI

One file, no install. Save gravio.mjs in the project folder you want to scan.

macOS / Linux:

curl -fsSL https://gravio.dev/cli/gravio.mjs -o gravio.mjs

Windows (PowerShell):

Invoke-WebRequest https://gravio.dev/cli/gravio.mjs -OutFile gravio.mjs

Verify

Verify checksum and signature metadata

Use the public manifest at /cli/manifest.json to verify the integrity of the downloaded file before the first run.

Windows (PowerShell checksum check):

$manifest = Invoke-RestMethod https://gravio.dev/cli/manifest.json
$expected = $manifest.cli.sha256.ToLower()
$actual = (Get-FileHash .\gravio.mjs -Algorithm SHA256).Hash.ToLower()
if ($actual -eq $expected) { "Checksum OK" } else { throw "Checksum mismatch" }

macOS / Linux checksum check:

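expected=$(curl -fsSL https://gravio.dev/cli/manifest.json | node -e "let d='';process.stdin.on('data',c=>d+=c).on('end',()=>console.log(JSON.parse(d).cli.sha256.toLowerCase()))")
# sha256sum is standard on Linux; macOS ships shasum instead
actual=$( (sha256sum gravio.mjs 2>/dev/null || shasum -a 256 gravio.mjs) | awk '{print $1}')
# An empty expected value (failed manifest download) must not count as a match
[ -n "$expected" ] && [ "$actual" = "$expected" ] && echo "Checksum OK" || (echo "Checksum mismatch"; exit 1)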

Signature note: the manifest includes signature fields. If signature.algorithm is none, a detached signature is not yet published. If signature URLs are present, verify with OpenSSL:

openssl dgst -sha256 -verify gravio-cli-public.pem -signature gravio.mjs.sig gravio.mjs
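
Since Node.js is already required, the checksum and signature checks above can also be done in one script. This is an added example, not Gravio's code: verifyCli, mayRun and demo are hypothetical names, the manifest is assumed to carry cli.sha256 and a top-level signature.algorithm, and the key pair, file bytes and algorithm label in demo are constructed.

```javascript
// Added example, not Gravio's code. Runs as .js/.cjs, or as .mjs on Node.js 20.16+.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Assumption: manifest has cli.sha256 and a top-level signature.algorithm.
// Returns { checksum: 'ok'|'mismatch', signature: 'verified'|'invalid'|'not-published' }.
function verifyCli(fileBytes, manifest, sigBytes, publicKeyPem) {
  const actual = crypto.createHash('sha256').update(fileBytes).digest();
  const expected = Buffer.from(String(manifest?.cli?.sha256 ?? '').trim(), 'hex');
  // Compare lengths first: timingSafeEqual throws on unequal lengths, and a
  // missing or truncated digest must count as a mismatch, never as a pass.
  const same = expected.length === actual.length && crypto.timingSafeEqual(actual, expected);
  const checksum = same ? 'ok' : 'mismatch';

  if ((manifest?.signature?.algorithm ?? 'none') === 'none') {
    return { checksum, signature: 'not-published' };
  }
  // Equivalent to: openssl dgst -sha256 -verify <pem> -signature <sig> <file>
  const valid = Boolean(sigBytes && publicKeyPem) &&
    crypto.verify('sha256', fileBytes, publicKeyPem, sigBytes);
  return { checksum, signature: valid ? 'verified' : 'invalid' };
}

// Gate for a wrapper script: run the CLI only if nothing failed.
function mayRun(r) { return r.checksum === 'ok' && r.signature !== 'invalid'; }

// Constructed demo: throwaway key pair, stand-in file bytes, made-up algorithm label.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const file = Buffer.from('console.log("stand-in for gravio.mjs");\n');
  const sha256 = crypto.createHash('sha256').update(file).digest('hex').toUpperCase();
  const sig = crypto.sign('sha256', file, privateKey);
  const signedManifest = { cli: { sha256 }, signature: { algorithm: 'example-ecdsa' } };
  const tampered = Buffer.concat([file, Buffer.from('// injected line\n')]);
  return {
    unsigned: verifyCli(file, { cli: { sha256 }, signature: { algorithm: 'none' } }),
    signed: verifyCli(file, signedManifest, sig, pem),
    tampered: verifyCli(tampered, signedManifest, sig, pem),
  };
}

console.log(demo());
```

A not-published result means only the checksum was checked. Because the manifest is served from the same origin as the file, that detects a corrupted download but not a file replaced on the server.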

Step 2

Run one smart command

This single command handles setup, auth, project linking, local scan, and cloud publish. It skips steps that are already done.

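The command reads your token from the GRAVIO_TOKEN environment variable (safer than passing tokens in argv, where they show up in process listings and shell history). Project identity is saved in .gravio/project.json for future runs.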

Step 3

View your scorecard

Open your dashboard to review the project score, trends, and recommendations.

Subsequent scans are simple: run node gravio.mjs again in the same folder.

Common questions

Can I use Gravio without coding skills?

Yes. Use the guided steps above. If commands are new to you, copy one command at a time and paste it into your terminal exactly as shown.

Do I need to install anything?

No. gravio.mjs is a single self-contained file with zero npm dependencies. The only requirement is Node.js 20 or newer. Drop the file in any folder and run it.

What does the local scan actually look at?

It walks the target folder for evidence of secret hygiene, test signal, changelog, session notes, and git status — then encrypts and publishes to cloud. It never reads .env contents and requires folder authorization first.

How does decryption work on the dashboard?

Free tier shows generic rating only. Upgrade to Pro or Team to unlock detailed remediation guidance and full decryptable scorecard details.

Why was I getting logged out?

Switching between domains can break session continuity. We now keep onboarding and auth on gravio.dev to keep sessions stable.