This guide walks you through installing dobbe, running the setup wizard, and executing your first scan and review.
Before installing dobbe, ensure you have:

Optional but recommended:

- (gh CLI fallback)

Install with pip:

```bash
pip install dobbe
```

Or, in an isolated environment, with pipx:

```bash
pipx install dobbe
```

Or from source, as an editable install with the development extras:

```bash
git clone https://github.com/nareshnavinash/dobbe.git
cd dobbe
pip install -e ".[dev]"
```
Run the interactive setup wizard:

```bash
dobbe setup
```

The wizard walks through 5 steps:

1. Checks that the claude binary is installed and on your PATH. If it is not found, the wizard provides installation instructions.
2. Verifies that Claude Code is authenticated by running a test prompt. If authentication fails, it guides you through claude auth.
3. Scans your ~/.claude/settings.json for configured MCP servers and reports which integrations are available (GitHub, Slack, Atlassian, Sentry, Figma).
4. Prompts for your default GitHub organization. This is saved to your config and used as the default context for commands that need it.
5. Scans common project directories (~/projects, ~/code, ~/src, etc.) for local git repositories. Found repos are saved to your config for faster local resolution.

After completing the steps, the wizard writes your settings to ~/.dobbe/config.toml.

On first run, dobbe automatically installs its Claude Code skills into your environment. When you upgrade dobbe to a new version, the skills are updated automatically to stay in sync with the package. No manual steps are required.
Scan a single repository for vulnerabilities:

```bash
dobbe vuln scan --repo nareshnavinash/your-repo
```

Or, if you are already inside a git repository, dobbe auto-detects it from the current working directory, so no --repo flag is needed:

```bash
cd ~/projects/my-app
dobbe vuln scan
```

This fetches the repository's Dependabot alerts, triages each one with AI (asking whether the vulnerable code path is actually used by your code), and outputs a prioritized report. Treat a "not used" verdict as a prioritization hint rather than proof: the triage is model-generated, so spot-check it before deferring an upgrade.

The scan report shows:

Add --verbose to see evidence, CVE IDs, and upgrade paths:

```bash
dobbe vuln scan --repo nareshnavinash/your-repo --verbose
```
Get a prioritized digest of open PRs waiting for your review:

```bash
dobbe review digest --repo nareshnavinash/your-repo
```

With CWD auto-detect, reviewing a specific PR is even simpler:

```bash
cd ~/projects/my-app
dobbe review digest --pr 42
```

The digest shows each PR ranked by risk level, with security concerns, test coverage gaps, and estimated review time.
To have dobbe attempt fixes for the scan findings, run vuln resolve:

```bash
dobbe vuln resolve --repo nareshnavinash/your-repo
```

This runs the full agentic fix-verify loop. Because it changes the repository, start from a clean working tree and review the resulting diff before merging. See vuln resolve for details.

Save scan results and resolve separately to avoid re-scanning, and to review the findings before anything is changed:

```bash
dobbe vuln scan --repo nareshnavinash/your-repo --format json --output scan.json
dobbe vuln resolve --repo nareshnavinash/your-repo --from-scan scan.json
```
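The scan-then-resolve flow above, together with the owner/repo auto-detection that a --repo-less scan relies on, as an added shell example. This is not dobbe's own code: it assumes dobbe is on PATH (or named by the DOBBE_BIN variable), that the repository's origin remote is a GitHub URL, and the DOBBE_RUN/DOBBE_REPO variables and the scan-<owner>-<repo>-<date>.json file name are this script's own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of dobbe. Wraps the "scan once, resolve from the saved
# scan" flow and shows the origin-remote parsing that a --repo-less scan needs.
# Assumptions: dobbe is on PATH or named by DOBBE_BIN; the origin remote is a
# GitHub URL; DOBBE_RUN, DOBBE_REPO and the scan-<owner>-<repo>-<date>.json
# naming are this script's choices, not dobbe's.
set -eu

# Map a git remote URL to a GitHub "owner/repo" slug. Accepts the scp-style SSH
# form (git@github.com:owner/repo.git), ssh:// and https://, with or without a
# trailing ".git" or "/". Prints nothing and returns 1 for anything else, so a
# malformed slug is never passed to --repo.
repo_slug_from_url() {
  local url="$1" path
  case "$url" in
    git@github.com:*)       path="${url#git@github.com:}" ;;
    ssh://git@github.com/*) path="${url#ssh://git@github.com/}" ;;
    https://github.com/*)   path="${url#https://github.com/}" ;;
    *) return 1 ;;
  esac
  path="${path%/}"
  path="${path%.git}"
  case "$path" in
    */*/*) return 1 ;;          # extra path segments: not owner/repo
    ?*/?*) printf '%s\n' "$path" ;;
    *) return 1 ;;              # missing owner or repo
  esac
}

# Slug of the checkout containing DIR (default: the current directory), i.e.
# what "dobbe vuln scan" without --repo has to work out for itself.
repo_slug_from_cwd() {
  local url
  url="$(git -C "${1:-.}" remote get-url origin 2>/dev/null)" || return 1
  repo_slug_from_url "$url"
}

# Date-stamped file name for a saved scan. The date is a parameter so the name
# is reproducible in tests; it defaults to today (UTC).
scan_output_path() {
  local slug="$1" day="${2:-$(date -u +%Y%m%d)}"
  printf 'scan-%s-%s.json\n' "$(printf '%s' "$slug" | tr '/' '-')" "$day"
}

# Scan to JSON, then resolve from that file instead of re-scanning. Refuses to
# hand resolve an empty or missing scan file.
scan_then_resolve() {
  local slug="$1" out dobbe="${DOBBE_BIN:-dobbe}"
  out="$(scan_output_path "$slug")"
  "$dobbe" vuln scan --repo "$slug" --format json --output "$out"
  if [ ! -s "$out" ]; then
    echo "scan wrote no output to $out; not running resolve" >&2
    return 1
  fi
  "$dobbe" vuln resolve --repo "$slug" --from-scan "$out"
}

# Entry point: only runs when DOBBE_RUN=1, so the functions can also be
# sourced. Uses DOBBE_REPO if set, otherwise the slug of the current checkout.
if [ "${DOBBE_RUN:-0}" = 1 ]; then
  slug="${DOBBE_REPO:-}"
  [ -n "$slug" ] || slug="$(repo_slug_from_cwd)"
  scan_then_resolve "$slug"
fi
```

Run it from inside a clone with DOBBE_RUN=1, or set DOBBE_REPO=owner/repo to scan a repository you have not checked out. The scan file it leaves behind is the one to inspect before letting resolve act on it.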
Schedule a recurring scan, then install the trigger that runs it:

```bash
dobbe schedule add daily-scan \
  --command "vuln scan" \
  --args "--repo nareshnavinash/your-repo" \
  --every daily
dobbe schedule install --trigger shell
```

The scheduled job runs under your user account with your Claude Code and GitHub credentials. See schedule for all scheduling options.

Post the review comments to the PRs on GitHub:

```bash
dobbe review post --repo nareshnavinash/your-repo --all
```

Because --all posts to every PR it reviews, run dobbe review digest first so you know what will be posted. See review post for deduplication and posting details.
Edit ~/.dobbe/config.toml to set defaults for severity filters, output format, Slack channels, and more. See the configuration reference.
If something isn't working, run diagnostics:

```bash
dobbe doctor
```

See doctor for details on the 9 health checks.
Dobbe covers the full engineering lifecycle. Here is a quick overview of what is available:

| Category | Commands | What it does |
|---|---|---|
| Security | dobbe audit report, dobbe scan secrets | Audit your codebase and detect leaked secrets |
| Dependencies | dobbe deps analyze, dobbe migration plan | Analyze dependency health and plan major upgrades |
| Testing | dobbe test gen | Generate test cases with AI |
| Metrics | dobbe metrics velocity, dobbe metrics dora | Track engineering velocity and DORA metrics |
| Release | dobbe changelog gen | Generate changelogs from commit history |
| Incidents | dobbe incident triage | Triage and analyze production incidents |
| Automation | dobbe workflow create, dobbe schedule add | Create CI/CD workflows and scheduled tasks |
| Intelligence | dobbe insight dashboard | Surface trends and actionable insights |
Run dobbe --help to see the full command list, or dobbe <command> --help for detailed usage on any command.