opena2a review
Unified security review dashboard. Runs multiple analysis phases and generates an interactive HTML report.
Usage
opena2a review [options]
Description
Executes five analysis phases in sequence: project scan, credential scan, guard verification, shield analysis, and HMA scan (optional). Results are combined into a composite score using weighted factors: trust (30%), credentials (20%), guard integrity (15%), shield status (25%), and HMA findings (10%). The report shows a recovery path indicating how the score improves when specific issues are resolved (for example, "27 -> 71 by fixing credentials").
By default, the generated HTML report opens automatically in the default browser. Use --no-open to suppress this behavior.
Flags
| Flag | Description |
|---|---|
| --dir <path> | Target directory to review (default: current directory). |
| --report <path> | Custom path for the generated HTML report file. |
| --no-open | Do not auto-open the report in the browser. |
| --skip-hma | Skip the HMA scan phase (useful when hackmyagent is not installed). |
| --format <text\|json> | Output format for the console summary. |
| --ci | CI mode with deterministic output and exit codes. |
| --verbose | Show detailed output for each phase. |
Scoring Weights
| Phase | Weight |
|---|---|
| Trust (project scan) | 30% |
| Credentials | 20% |
| Guard (ConfigGuard) | 15% |
| Shield | 25% |
| HMA (HackMyAgent) | 10% |
Examples
opena2a review
opena2a review --skip-hma --report ./security-report.html
opena2a review --ci --format json --no-open
The 5 Phases
The review command executes each phase sequentially. If a phase encounters an error, it records a zero score for that phase and continues to the next. This ensures you always get results even if one subsystem is not configured. Note that an errored phase is indistinguishable from a failing one in the composite score, since both contribute 0 at that phase's full weight; run with --verbose to see whether a low phase score comes from findings or from the phase not running at all.
- Project Scan (Trust, 30%) -- Runs the same assessment as opena2a init. Checks project structure, governance files, identity presence, and tool configuration.
- Credential Scan (20%) -- Scans for hardcoded credentials, exposed API keys, and .env files that should be gitignored. Uses the same engine as opena2a protect.
- Guard Verification (15%) -- Checks ConfigGuard status: how many config files are signed, whether any show tampering (hash mismatch), and the enforcement policy mode.
- Shield Analysis (25%) -- Evaluates the Shield orchestration layer: initialization state, active protections, session tracking, event logging, and LLM analysis status.
- HMA Scan (10%) -- Runs HackMyAgent security checks if available. Skippable with --skip-hma when HackMyAgent is not installed.
Expected Output
$ opena2a review

Security Review Dashboard
==========================

Phase 1/5: Project Scan .............. 65/100
Phase 2/5: Credential Scan .......... 40/100
Phase 3/5: Guard Verification ....... 80/100
Phase 4/5: Shield Analysis .......... 70/100
Phase 5/5: HMA Scan ................. 85/100

Composite Score: 63/100

Recovery Path:
  63 -> 79  Fix 2 exposed credentials (+16)
  79 -> 87  Add SOUL.md governance (+8)
  87 -> 93  Initialize Shield protections (+6)

HTML Report: ./opena2a-review-report.html (opening in browser...)
HTML Report
The generated HTML report is a self-contained, interactive file that includes expandable sections for each phase, detailed findings with severity levels, and a visual recovery path chart. The report does not require a web server -- it can be opened directly from the filesystem. Use --report to specify a custom output path, or --no-open to prevent automatic browser launch (useful in CI environments or SSH sessions). Because the findings section covers the credential scan, treat the report file itself as sensitive: keep it out of version control and out of publicly readable CI artifacts.
Error Handling
In CI mode (--ci), the command exits with code 1 if the composite score falls below 50, and with code 0 otherwise. Individual phase failures do not cause a non-zero exit -- only the aggregate score matters. This means the sample run above (63/100 with two exposed credentials still present) exits 0; if you need a stricter gate, apply your own threshold to the --format json summary rather than relying on the exit code alone. If all five phases fail or cannot run, the composite score is 0 and the exit code is 1. The --skip-hma flag redistributes the HMA weight across the other four phases proportionally, so a deliberately skipped phase is not penalized, whereas a phase that errors is scored 0 at its full weight.
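The following is an added worked model of the scoring rules this page states (the Scoring Weights table, the zero score for an errored phase, the proportional redistribution under --skip-hma, and the --ci exit code). It is illustration written for this page, not the opena2a project's own code. Where the page does not pin down a detail, the model makes an assumption and says so in a comment: composites are rounded to two decimals, and the recovery path is computed by raising whole phases to 100, largest gain first. Note that the page's sample output (composite 63 from phase scores 65/40/80/70/85, and "+16" for fixing credentials) does not fall out of a plain weighted sum of the five phase scores, so the real tool evidently weights individual findings within a phase; the sample scores are used below only as constructed input.

```python
"""Model of the `opena2a review` composite score, recovery path and CI exit
code as described in the command's documentation. Added illustration; not
the project's own implementation."""
from typing import Dict, List, Optional, Tuple

# Phase weights in percent, from the Scoring Weights table.
WEIGHTS: Dict[str, int] = {
    "trust": 30,        # Project Scan
    "credentials": 20,  # Credential Scan
    "guard": 15,        # Guard Verification (ConfigGuard)
    "shield": 25,       # Shield Analysis
    "hma": 10,          # HMA Scan (HackMyAgent)
}

CI_FAIL_BELOW = 50  # --ci exits 1 when the composite is below this

# A phase score of None means "the phase errored or could not run";
# the page says such a phase is recorded as 0 and the run continues.
Scores = Dict[str, Optional[int]]


def effective_weights(skip_hma: bool = False) -> Dict[str, int]:
    """Weights in force for one run. With --skip-hma the HMA weight is
    redistributed proportionally over the other four phases; dropping the
    key and normalising by the remaining total (90) is exactly that."""
    if skip_hma:
        return {p: w for p, w in WEIGHTS.items() if p != "hma"}
    return dict(WEIGHTS)


def composite_score(scores: Scores, skip_hma: bool = False) -> float:
    """Weighted composite in 0..100. Errored phases (None) count as 0.
    Rounding to two decimals is an assumption, not documented behaviour."""
    weights = effective_weights(skip_hma)
    total = sum(weights.values())
    weighted = sum((scores.get(p) or 0) * w for p, w in weights.items())
    return round(weighted / total, 2)


def recovery_path(scores: Scores, skip_hma: bool = False) -> List[Tuple[str, float, float, float]]:
    """Ordered (phase, before, after, gain) steps: the composite after each
    phase is brought to 100, largest gain first. This is one reading of
    'how the score improves when specific issues are resolved' (assumption);
    the real tool attaches gains to concrete findings, not whole phases."""
    weights = effective_weights(skip_hma)
    total = sum(weights.values())
    fixed: Scores = {p: (scores.get(p) or 0) for p in weights}
    # Potential gain of a phase = missing points * its share of the weight.
    gains = sorted(
        ((p, (100 - fixed[p]) * weights[p] / total) for p in weights if fixed[p] < 100),
        key=lambda item: item[1],
        reverse=True,
    )
    path = []
    current = composite_score(fixed, skip_hma)
    for phase, _gain in gains:
        fixed[phase] = 100
        nxt = composite_score(fixed, skip_hma)
        path.append((phase, current, nxt, round(nxt - current, 2)))
        current = nxt
    return path


def ci_exit_code(scores: Scores, skip_hma: bool = False) -> int:
    """--ci semantics from the page: 1 if the composite is below 50, else 0.
    Phase failures matter only through the aggregate, and a run in which
    every phase failed scores 0 and therefore exits 1."""
    return 1 if composite_score(scores, skip_hma) < CI_FAIL_BELOW else 0


# Constructed input: the per-phase scores shown in the Expected Output section.
SAMPLE: Scores = {"trust": 65, "credentials": 40, "guard": 80, "shield": 70, "hma": 85}

if __name__ == "__main__":
    print("composite:", composite_score(SAMPLE))
    print("composite (--skip-hma):", composite_score(SAMPLE, skip_hma=True))
    for phase, before, after, gain in recovery_path(SAMPLE):
        print(f"  {before} -> {after}  fix {phase} (+{gain})")
    print("ci exit code:", ci_exit_code(SAMPLE))
    print("ci exit code, all phases errored:", ci_exit_code({p: None for p in WEIGHTS}))
```

Two things the model makes visible that the prose only states: the same phase scores yield a different composite under --skip-hma (the remaining four weights are renormalised to 90, so HMA's 85 simply drops out), and the 50-point gate passes a run whose credential phase scored 40, so the exit code alone is a weak CI control for the finding class most teams care about.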