This document describes how to configure procscope and the various output formats it provides.
| Flag | Short | Description | Default |
|---|---|---|---|
| `--pid` | `-p` | Attach to existing PID | — |
| `--name` | `-n` | Attach by process name | — |
| `--out` | `-o` | Evidence bundle directory | — |
| `--jsonl` | | JSONL output file | — |
| `--summary` | | Markdown summary file | — |
| `--no-color` | | Disable ANSI colors | `false` |
| `--quiet` | `-q` | Suppress live timeline | `false` |
| `--max-args` | | Max argv elements | `64` |
| `--max-path` | | Max path string length | `4096` |
| `--skip-checks` | | Skip privilege checks | `false` |
Compact, color-coded terminal output during investigation (suppress with `--quiet`, drop the colors with `--no-color`). In the example below the `!` column flags the privilege change:

```text
TIME        PID   COMM        EVENT          DETAILS
[+   0ms]   1234  suspicious  process.exec   /tmp/suspicious-binary
[+  12ms]   1234  suspicious  file.open      /etc/passwd [read]
[+  15ms]   1234  suspicious  net.connect    ipv4 → 93.184.216.34:443
[+  18ms] ! 1234  suspicious  priv.setuid    uid 1000 → 0
[+  20ms]   1235  sh          process.exec   /bin/sh
[+  25ms]   1235  sh          process.exit   exit_code=0
[+  30ms]   1234  suspicious  process.exit   exit_code=0
```
Machine-readable, one JSON event per line (`--jsonl`):

```bash
procscope --jsonl events.jsonl -- ./command
```

Structured directory for incident response (`--out`):

```text
case-001/
├── metadata.json      # Investigation metadata
├── events.jsonl       # Complete event stream
├── process-tree.txt   # Human-readable process tree
├── files.json         # File activity summary
├── network.json       # Network activity summary
├── notable.json       # Security-relevant events
└── summary.md         # Markdown executive summary
```
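To show how the JSONL stream and the bundle's `process-tree.txt` / `notable.json` relate, here is an added example consumer. It is not procscope's own code: the page does not document the per-event JSON schema, so the field names (`ts_ms`, `pid`, `ppid`, `comm`, `event`, `details`) and the detection rules are assumptions, and the sample lines are constructed to mirror the live-timeline example above.

```python
"""Offline consumer for a procscope events.jsonl stream (added example, not
part of procscope). The page does not document the per-event schema, so the
keys used here (ts_ms, pid, ppid, comm, event, details) are ASSUMED."""
import json
from collections import defaultdict

# Constructed sample that mirrors the live-timeline example on this page.
SAMPLE_JSONL = """\
{"ts_ms": 0, "pid": 1234, "ppid": 1000, "comm": "suspicious", "event": "process.exec", "details": {"path": "/tmp/suspicious-binary"}}
{"ts_ms": 12, "pid": 1234, "ppid": 1000, "comm": "suspicious", "event": "file.open", "details": {"path": "/etc/passwd", "mode": "read"}}
{"ts_ms": 15, "pid": 1234, "ppid": 1000, "comm": "suspicious", "event": "net.connect", "details": {"family": "ipv4", "addr": "93.184.216.34", "port": 443}}
{"ts_ms": 18, "pid": 1234, "ppid": 1000, "comm": "suspicious", "event": "priv.setuid", "details": {"from_uid": 1000, "to_uid": 0}}
{"ts_ms": 20, "pid": 1235, "ppid": 1234, "comm": "sh", "event": "process.exec", "details": {"path": "/bin/sh"}}
{"ts_ms": 25, "pid": 1235, "ppid": 1234, "comm": "sh", "event": "process.exit", "details": {"exit_code": 0}}
{"ts_ms": 30, "pid": 1234, "ppid": 1000, "comm": "suspicious", "event": "process.exit", "details": {"exit_code": 0}}
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_events(text):
    """Parse one JSON object per line; return (events sorted by time, bad line numbers).

    A tracer killed mid-write leaves a truncated last line: report it rather
    than silently dropping evidence."""
    events, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            bad.append(lineno)
    events.sort(key=lambda e: e["ts_ms"])
    return events, bad


def find_notable(events):
    """Stateful rules over the ordered stream; returns (ts_ms, pid, reason, detail).

    The third rule correlates across events: a shell exec'd by a parent that
    has already switched to uid 0 is more interesting than either event alone."""
    notable, escalated = [], set()
    for ev in events:
        kind, d = ev["event"], ev["details"]
        if kind == "process.exec" and d["path"].startswith(WORLD_WRITABLE):
            notable.append((ev["ts_ms"], ev["pid"], "exec from world-writable dir", d["path"]))
        elif kind == "priv.setuid" and d["to_uid"] == 0 and d["from_uid"] != 0:
            escalated.add(ev["pid"])
            notable.append((ev["ts_ms"], ev["pid"], "escalation to root", f"uid {d['from_uid']} -> 0"))
        elif kind == "process.exec" and d["path"] in SHELLS and ev["ppid"] in escalated:
            notable.append((ev["ts_ms"], ev["pid"], "shell spawned by escalated parent", f"ppid {ev['ppid']}"))
    return notable


def render_tree(events):
    """Indented process tree built from exec events (first exec per pid wins)."""
    info, children = {}, defaultdict(list)
    for ev in events:
        if ev["event"] == "process.exec" and ev["pid"] not in info:
            info[ev["pid"]] = (ev["ppid"], ev["comm"], ev["details"]["path"])
            children[ev["ppid"]].append(ev["pid"])
    lines = []

    def walk(pid, depth):
        _, comm, path = info[pid]
        lines.append("  " * depth + f"{pid} {comm} ({path})")
        for child in children[pid]:
            walk(child, depth + 1)

    # Roots are processes whose parent never exec'd inside the trace window.
    for pid, (ppid, _, _) in info.items():
        if ppid not in info:
            walk(pid, 0)
    return lines


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_JSONL)
    if bad:
        print(f"warning: {len(bad)} unparseable line(s): {bad}")
    print("\n".join(render_tree(evs)))
    for ts, pid, reason, detail in find_notable(evs):
        print(f"[+{ts:4d}ms] ! {pid} {reason}: {detail}")
```

Point it at a real `events.jsonl` by replacing `SAMPLE_JSONL` with the file's contents and adjust the key names to whatever schema your procscope build actually emits; the truncated-line accounting matters because the last line of a stream is exactly the one lost when the traced process or the tracer dies.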
Markdown summary (`--summary`, or `summary.md` inside the bundle): a team-ready report with an overview, the process tree, an event breakdown, file and network activity tables, the notable events, and an honest statement of the tool's limitations.