Documentation
Complete reference for all Vulnetix CLI commands, flags, and usage patterns.
Run vulnerability management tasks against the Vulnetix backend.
vulnetix
The root command runs an authentication healthcheck.
| Task | Description |
|---|---|
| info (default) | Authentication healthcheck across all credential sources |
Global Flags:
| Flag | Type | Description |
|---|---|---|
| --org-id | string | Organization ID (UUID) |
| --api-key | string | Direct API key (overrides VULNETIX_API_KEY) |
| --help | - | Help for any command |
Manage authentication credentials for the Vulnetix API.
vulnetix auth [login|status|verify|logout] [flags]
Authenticate with Vulnetix. Interactive by default when run in a terminal.
# Interactive login (prompts for method, org ID, key, storage)
vulnetix auth login
# Non-interactive login with Direct API Key
vulnetix auth login --org-id <UUID> --api-key <KEY> --store home
# Non-interactive login with SigV4
vulnetix auth login --org-id <UUID> --secret <KEY> --store project
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --method | string | auto | Authentication method: apikey or sigv4 (auto-detected from flags if omitted) |
| --org-id | string | - | Organization ID (UUID) |
| --api-key | string | - | Direct API key (hex) |
| --secret | string | - | SigV4 secret key |
| --store | string | home | Credential storage location: home, project, keyring |
Running vulnetix auth without a subcommand also triggers login.
Show current authentication state, including the credential source, method, and masked key.
vulnetix auth status
Verify that stored credentials can authenticate with the Vulnetix API. Does not modify credentials.
# Verify stored credentials
vulnetix auth verify
# Verify with explicit API endpoint
vulnetix auth verify --base-url https://app.vulnetix.com/api
Remove stored credentials from all file-based stores.
vulnetix auth logout
Upload a security artifact file (SBOM, SARIF, VEX, CSAF) to Vulnetix for processing.
vulnetix upload --file <path> [flags]
The file format is auto-detected from content and extension but can be overridden. Files larger than 10MB are uploaded using chunked transfer. Authentication uses stored credentials or environment variables.
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --file | string | - | Path to artifact file to upload (required) |
| --org-id | string | stored | Organization ID (UUID, uses stored credentials if not set) |
| --base-url | string | https://app.vulnetix.com/api | Base URL for Vulnetix API |
| --format | string | auto | Override auto-detected format: cyclonedx, spdx, sarif, openvex, csaf_vex |
| --json | bool | false | Output result as JSON |
Examples:
# Upload with stored credentials
vulnetix upload --file sbom.cdx.json
# Upload with explicit org ID
vulnetix upload --file report.sarif --org-id "123e4567-e89b-12d3-a456-426614174000"
# Override format detection
vulnetix upload --file report.json --format sarif
# JSON output for scripting
vulnetix upload --file sbom.cdx.json --json
GitHub Actions artifact management. Designed for use within GitHub Actions workflows.
Collect and upload all artifacts from the current GitHub Actions workflow run to Vulnetix.
vulnetix gha upload [flags]
This command:
Requires: GITHUB_TOKEN, GITHUB_REPOSITORY, GITHUB_RUN_ID environment variables.
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --org-id | string | stored | Organization ID (UUID); uses stored credentials if not set |
| --base-url | string | https://app.vulnetix.com/api | Base URL for Vulnetix API |
| --json | bool | false | Output results as JSON |
Check the processing status of uploaded artifacts by transaction ID or artifact UUID.
vulnetix gha status --txnid <ID>
vulnetix gha status --uuid <UUID>
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --txnid | string | - | Transaction ID to check status |
| --uuid | string | - | Artifact UUID to check status |
| --org-id | string | stored | Organization ID (UUID); uses stored credentials if not set |
| --base-url | string | https://app.vulnetix.com/api | Base URL for Vulnetix API |
| --json | bool | false | Output results as JSON |
Analyze package licenses for conflicts, policy compliance, and risk. See the full License Command Reference for details.
vulnetix license [flags]
| Flag | Default | Description |
|---|---|---|
| --path | . | Directory to scan |
| --depth | 3 | Max recursion depth |
| --exclude | - | Exclude paths matching glob (repeatable) |
| --mode | inclusive | Analysis mode: inclusive or individual |
| --allow | - | Comma-separated allow list of SPDX IDs |
| --allow-file | - | Path to YAML allow list file |
| -o, --output | pretty | Output format: json (CycloneDX), json-spdx (SPDX 2.3) |
| --results-only | false | Only show output when there are findings or conflicts |
| --severity | - | Exit 1 if any finding meets or exceeds: low, medium, high, critical |
| --from-memory | false | Reconstruct from .vulnetix/memory.yaml without re-scanning |
| --dry-run | false | Detect files and parse packages only — no evaluation |
License analysis also runs automatically during vulnetix scan (disable with --no-licenses).
Walk the local directory tree, parse package manifests, and query the VDB for vulnerabilities — no files are uploaded. See the full Scan Command Reference for details.
vulnetix scan [flags]
vulnetix scan status <scan-id> [flags]
| Flag | Default | Description |
|---|---|---|
| --path | . | Directory to scan |
| --depth | 3 | Max recursion depth |
| --exclude | - | Exclude paths matching glob (repeatable) |
| -o, --output | - | Output target (repeatable): json-cyclonedx, json-sarif for stdout; .cdx.json, .sarif file paths to write to file |
| --concurrency | 5 | Max concurrent VDB queries |
| --no-progress | false | Suppress progress indicators |
| --severity | - | Exit 1 if any vuln or SAST finding meets or exceeds: low, medium, high, critical |
| --block-malware | false | Exit 1 when any dependency is a known malicious package |
| --block-eol | false | Exit 1 when a runtime or package dependency is end-of-life |
| --results-only | false | Only output when findings exist; completely silent when the scan is clean |
| --evaluate-sast / --no-sast | - | Enable/disable SAST (general static analysis rules) |
| --evaluate-sca / --no-sca | - | Enable/disable SCA (package manifest vulnerability analysis) |
| --evaluate-licenses / --no-licenses | - | Enable/disable license analysis |
| --evaluate-secrets / --no-secrets | - | Enable/disable secret-detection rules |
| --enable-containers / --no-containers | - | Enable/disable container file analysis |
| --evaluate-iac / --no-iac | - | Enable/disable IaC file analysis |
| --disable-default-rules | false | Skip built-in SAST rules (external --rule repos still loaded) |
| -R, --rule | - | External SAST rule repo in org/repo format (repeatable) — see Custom Rule Repositories |
| --dry-run | false | Detect files and parse packages only — zero API calls |
| --from-memory | false | Reconstruct from .vulnetix/sbom.cdx.json without API calls |
Run only Software Composition Analysis — vulnerability analysis on package manifests. All other features (SAST, licenses, secrets, containers, IaC) are disabled. See the SCA Command Reference.
vulnetix sca [flags]
Equivalent to vulnetix scan --evaluate-sca --no-sast --no-secrets --no-containers --no-iac --no-licenses.
Run only Static Application Security Testing. All other features are disabled. See the SAST Command Reference.
vulnetix sast [flags]
Equivalent to vulnetix scan --evaluate-sast --no-sca --no-secrets --no-containers --no-iac --no-licenses.
Run only secret detection — identifies hardcoded credentials, API keys, and tokens. All other features are disabled. See the Secrets Command Reference.
vulnetix secrets [flags]
Equivalent to vulnetix scan --evaluate-secrets --no-sast --no-sca --no-containers --no-iac --no-licenses.
Run only container file analysis — checks Dockerfiles and Containerfiles. All other features are disabled. See the Containers Command Reference.
vulnetix containers [flags]
Equivalent to vulnetix scan --enable-containers --no-sast --no-sca --no-secrets --no-iac --no-licenses.
Run only Infrastructure as Code analysis — checks Terraform HCL and Nix files. All other features are disabled. See the IaC Command Reference.
vulnetix iac [flags]
Equivalent to vulnetix scan --evaluate-iac --no-sast --no-sca --no-secrets --no-containers --no-licenses.
Fetch vulnerability alerts from external providers (e.g. GitHub Dependabot) and enrich them with remediation intelligence from the Vulnetix VDB.
vulnetix triage [flags]
vulnetix triage status [flags]
Supported providers: github (Dependabot alerts via the gh CLI)
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --provider | string | github | Vulnerability data provider (github) |
| --repo | string | auto | Repository in owner/repo format (auto-detected from git context or GITHUB_REPOSITORY) |
| --all | bool | false | Include dismissed alerts (open only by default) |
| --concurrency | int | 5 | Number of concurrent VDB lookups |
| --format | string | tui | Output format: tui, json, text |
| --include-guidance | bool | true | Include CWE remediation guidance |
For each alert the triage command fetches:
Subcommands:
Verify that provider CLI tools are installed, authenticated, and functional.
vulnetix triage status [--format text|json]
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --format | string | text | Output format: text, json |
Examples:
# Interactive TUI (default)
vulnetix triage
# Triage a specific repository
vulnetix triage --repo owner/repo
# Include dismissed alerts, output as JSON
vulnetix triage --all --format json
# Check GitHub CLI auth and repo detection
vulnetix triage status
# Check status as JSON
vulnetix triage status --format json
Prerequisites: The github provider requires the gh CLI to be installed and authenticated (gh auth login).
Interact with the Vulnetix Vulnerability Database (VDB) API. See the full VDB Command Reference for all subcommands and detailed usage.
vulnetix vdb <subcommand> [flags]
| Subcommand | Description |
|---|---|
| vuln <vuln-id> | Get information about a vulnerability (CVE, GHSA, PYSEC, and 75+ formats) |
| ecosystems | List available package ecosystems |
| product <name> [version] [ecosystem] | Get product version information |
| vulns <package> | Get vulnerabilities for a package |
| spec | Get the OpenAPI specification |
| exploits <vuln-id> | Get exploit intelligence for a vulnerability |
| exploits search | Search exploits across all vulnerabilities |
| exploits sources | List exploit intelligence sources |
| exploits types | List exploit type classifications |
| fixes <vuln-id> | Get fix data for a vulnerability |
| fixes distributions | List supported Linux distributions for fix advisories |
| versions <package> | Get all versions of a package across ecosystems |
| gcve | Get vulnerabilities by date range |
| gcve issuances | List GCVE issuance identifiers by calendar month |
| purl <purl-string> | Query VDB using a Package URL (PURL) |
| ids <year> <month> | List CVE identifiers published in a calendar month |
| search <prefix> | Search CVE identifiers by prefix |
| sources | List all vulnerability data sources |
| metrics types | List all vulnerability metric/scoring types |
| status | Check API health and display CLI/auth metadata |
| packages search <query> | Full-text search across packages |
| ecosystem package <eco> <pkg> | Get package info within an ecosystem |
| ecosystem group <eco> <grp> <art> | Get group/artifact info (Maven-style) |
| eol product <product> | Get end-of-life lifecycle data for a product (runtime, framework) |
| eol package <eco> <pkg> <ver> | Get end-of-life lifecycle data for a specific package version |
V2-only subcommands — the v2 API is now the default; -V v1 is the legacy override:
| Subcommand | Description |
|---|---|
| workarounds <vuln-id> | Get workaround information |
| advisories <vuln-id> | Get advisory data |
| cwe guidance <vuln-id> | Get CWE-based guidance |
| kev <vuln-id> | Get CISA KEV status |
| timeline <vuln-id> | Get vulnerability timeline |
| affected <vuln-id> | Get affected products/packages |
| scorecard <vuln-id> | Get vulnerability scorecard |
| remediation plan <vuln-id> | Get context-aware remediation plan |
vulnetix vdb vuln and the remediation flows automatically perform tree-sitter reachability analysis against your project, recording exactly which files (and line ranges) match the vulnerable pattern. Control with --reachability=direct|transitive|both|off (default both). See the Reachability Analysis section for the full feature overview, Languages for the 17 bundled grammars, and Internals for how the CGo cross-compile is structured.
Print the version number of Vulnetix CLI.
vulnetix version [flags]
Also checks for available updates and prints a notice if a newer version exists.
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --short | bool | false | Print only the version number (no build info or update check) |
Examples:
# Full version info (with update check)
vulnetix version
# Just the version number, e.g. for scripting
vulnetix version --short
Update the Vulnetix CLI to the latest release from GitHub.
vulnetix update
Checks the GitHub Releases API for the latest version, then downloads and replaces the current binary in-place. Binaries built from source (via go build or make dev) are not updated — use your build toolchain instead.
Behavior:
- Prints Already up to date (vX.Y.Z). when no newer release exists
- Prints go build should be used for a binary built from source, and leaves it untouched
Examples:
# Check for and apply the latest update
vulnetix update
Triage vulnerability alerts from multiple providers (e.g. GitHub Dependabot) with integrated remediation intelligence from the Vulnetix Vulnerability Database.
vulnetix triage [flags]
vulnetix triage status # Check provider CLI health
The triage command fetches vulnerability alerts from external providers, enriches each alert with VDB data (remediation plans, fix availability across registry/distribution/source), and presents them in an interactive TUI or text/JSON output.
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --provider | string | github | Vulnerability data provider |
| --repo | string | auto-detected | Repository in owner/repo format |
| --all | bool | false | Include dismissed alerts (open only by default) |
| --concurrency | int | 5 | Number of concurrent VDB lookups |
| --format | string | tui | Output format: tui, json, text |
| --include-guidance | bool | true | Include CWE remediation guidance |
| --org-id | string | community | Organization ID (uses stored credentials or community fallback) |
Examples:
# Interactive TUI with auto-detected repo
vulnetix triage
# Specify a repo and include dismissed alerts
vulnetix triage --repo owner/repo --all
# Non-interactive text output
vulnetix triage --format text
# JSON output for scripting
vulnetix triage --repo owner/repo --format json
# Check provider CLI health
vulnetix triage status
Verify that provider CLI tools (e.g. gh) are installed, authenticated, and can detect the current repository.
# Text output (default)
vulnetix triage status
# JSON output for scripting
vulnetix triage status --format json
Flags:
| Flag | Type | Default | Description |
|---|---|---|---|
| --format | string | text | Output format: text, json |
| --provider | string | github | Vulnerability data provider |
Output (text):
GitHub CLI Status
──────────────────────────────────────────
✔ gh binary : /usr/bin/gh
✔ authenticated: octocat
Host : github.com
Token source : OAuth Token
Token scopes : repo, workflow
✔ repo detected : owner/repo
Generate shell autocompletion scripts.
vulnetix completion [bash|zsh|fish|powershell]
Vulnetix CLI supports two authentication methods:
- Direct API Key: uses the VULNETIX_API_KEY and VULNETIX_ORG_ID environment variables, or stored credentials with --method apikey.
- SigV4: uses the VVD_ORG and VVD_SECRET environment variables, or stored credentials with --method sigv4. SigV4 authenticates via a JWT token exchange with the VDB API.
Credentials are stored as JSON in one of two file locations (the keyring store is listed but not yet implemented):
| Store | Path | Use Case |
|---|---|---|
| home (default) | ~/.vulnetix/credentials.json | User-wide credentials |
| project | .vulnetix/credentials.json | Project-specific credentials |
| keyring | System keyring | Secure OS-level secret storage (not yet implemented) |
The CLI loads credentials in this order (first match wins):
1. --org-id + --api-key or --secret
2. VULNETIX_API_KEY + VULNETIX_ORG_ID (Direct API Key)
3. VVD_ORG + VVD_SECRET (SigV4)
4. .vulnetix/credentials.json
5. ~/.vulnetix/credentials.json
These flags are available on the root command and inherited by subcommands:
| Flag | Type | Required | Default | Description |
|---|---|---|---|---|
| --org-id | string | No | stored | Organization ID (UUID); uses stored credentials if not set |
| --help | - | No | - | Help for any command |
| Variable | Description | Used By |
|---|---|---|
| VULNETIX_API_KEY | Direct API key (hex digest) | auth, upload, vdb, triage |
| VULNETIX_ORG_ID | Organization ID for Direct API Key auth | auth, upload, vdb, triage |
| VVD_ORG | Organization UUID for SigV4 auth | vdb, auth |
| VVD_SECRET | Secret key for SigV4 auth | vdb, auth |
| GITHUB_TOKEN | GitHub API token (also used for license resolution fallback) | gha upload, license, scan |
| GH_TOKEN | Alternative GitHub token variable (checked if GITHUB_TOKEN is not set) | license, scan |
| GITHUB_REPOSITORY | GitHub repository (owner/name) | gha upload, triage (auto-detect) |
| GITHUB_RUN_ID | GitHub Actions workflow run ID | gha upload |
| GITHUB_API_URL | GitHub API base URL (default: https://api.github.com) | gha upload |
| GITHUB_ACTIONS | Set to true in GitHub Actions | gha upload |
| Code | Description |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Authentication error |
| 4 | Network error |
| 5 | File not found |
# Run authentication healthcheck
vulnetix
# Upload an SBOM
vulnetix upload --file sbom.cdx.json
# Upload SARIF from a scanner
semgrep --sarif > results.sarif && vulnetix upload --file results.sarif
# Upload via the upload command with format override
vulnetix upload --file report.json --format sarif --json
# GitHub Actions
vulnetix gha upload --org-id "$VULNETIX_ORG_ID"
# GitLab CI
vulnetix upload --file results.sarif
# Jenkins
vulnetix upload --file results.sarif
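The following CI gate is an added example, not part of the Vulnetix project's own tooling. It chains the auth verify, scan and upload commands from this reference and maps the documented exit codes to a reason; it assumes the vulnetix binary is on PATH and that VULNETIX_API_KEY and VULNETIX_ORG_ID are set in the CI environment. Note that the --severity and --block-* gates exit with code 1, the same code as "General error", so the written SARIF file, not the exit code alone, is what distinguishes a policy hit from a tool failure.

```shell
#!/usr/bin/env sh
# Added example (not Vulnetix project code): CI gate around the vulnetix CLI.
# Assumes vulnetix is on PATH and credentials come from the environment.
set -u

# Map a vulnetix exit code to the meaning given in the Exit Codes table.
describe_exit() {
  case "$1" in
    0) echo "success" ;;
    1) echo "general error or policy gate failed" ;;
    2) echo "invalid arguments" ;;
    3) echo "authentication error" ;;
    4) echo "network error" ;;
    5) echo "file not found" ;;
    *) echo "unknown exit code $1" ;;
  esac
}

# Run a local scan that fails the build on findings at or above $2,
# on known-malicious packages and on end-of-life dependencies.
# Writes SARIF to results.sarif; returns the CLI's exit code unchanged.
gated_scan() {
  path="$1"; min_sev="$2"
  vulnetix scan --path "$path" --severity "$min_sev" \
    --block-malware --block-eol --results-only \
    -o results.sarif --no-progress
  rc=$?
  echo "scan: $(describe_exit "$rc")" >&2
  return "$rc"
}

# Full pipeline. Credentials are verified first so an auth failure is
# reported as exit 3 rather than surfacing later as a scan/upload error.
ci_gate() {
  vulnetix auth verify >/dev/null 2>&1 || {
    rc=$?; echo "auth: $(describe_exit "$rc")" >&2; return "$rc"
  }
  gated_scan "${1:-.}" "${2:-high}"
  rc=$?
  # Upload the SARIF even when the gate failed so findings land in Vulnetix;
  # with --results-only a clean scan may write nothing, hence the file check.
  if [ -f results.sarif ]; then
    vulnetix upload --file results.sarif --json >/dev/null \
      || echo "upload: $(describe_exit "$?")" >&2
  fi
  return "$rc"
}

# Usage: ./ci_gate.sh run [path] [min-severity]; no args only defines functions.
case "${1:-}" in
  run) ci_gate "${2:-.}" "${3:-high}" ;;
esac
```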