Releases: kidoz/vulners-cli

v1.3.0

24 Feb 22:23

vulners-cli v1.3.0

Feature release with host scanning — scan local and remote hosts (Linux & Windows) for known vulnerabilities directly from the CLI.

New features

Host scanning

  • vulners scan host — new command to scan local or remote hosts for known vulnerabilities
  • Local scanning: vulners scan host local detects the OS, gathers installed packages, and audits them against the Vulners database
  • SSH remote scanning: vulners scan host ssh://user@hostname connects to Linux hosts via SSH with key, agent, or password authentication
  • WinRM remote scanning: vulners scan host winrm://admin@host connects to Windows hosts via WinRM (HTTP) or WinRMs (HTTPS)
  • OS fingerprinting — automatic detection of Debian/Ubuntu, RHEL/CentOS/Fedora/Rocky/Alma, Alpine, SUSE, and Windows families via /etc/os-release and WMI
  • Package inventory — dpkg, rpm, apk, and Windows HotFix (KB) collection
  • Authentication options: --identity-file, --password-env, --ask-pass, --insecure, and --timeout flags
  • Context cancellation — SSH sessions respect context deadlines with proper signal propagation

CI/CD documentation

  • Split CI/CD guide into dedicated GitHub Actions and GitLab CI pages with copy-paste-ready examples

Other changes

  • Remove dependabot configuration

v1.2.5

17 Feb 00:21

vulners-cli v1.2.5

Bugfix release: CPE search now returns results, new markdown report format.

What's Changed

Fixed CPE search returning empty results

  • vulners cpe chrome --vendor google returned nothing — the Vulners v4 API /api/v4/search/cpe returns data in {"result": {...}} format, but the go-vulners client expected the v3 {"result": "OK", "data": {...}} wrapper. The response was silently parsed as empty.
  • Also updated the audit host command for the new v4 SoftwareAuditResult response type.
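Added here as an illustration of the decoding difference (not go-vulners code; the sample bodies are constructed): a decoder that knows only the v3 wrapper comes back empty with no error on a v4 body, while one that recognises both envelopes and rejects anything else cannot turn an API shape change into an empty result.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// v3Only mirrors a client that knows only the v3 wrapper and reads "data".
// On a v4 body it decodes to nothing and reports no error: the silent-empty
// failure class. (Illustration only, not the go-vulners client's code.)
func v3Only(body []byte) (json.RawMessage, error) {
	var env struct {
		Data json.RawMessage `json:"data"`
	}
	err := json.Unmarshal(body, &env)
	return env.Data, err
}

// payload accepts both envelopes, v4 {"result":{...}} and
// v3 {"result":"OK","data":{...}}. Anything else is an error rather than
// an empty result, so an API shape change cannot pass as "no data".
func payload(body []byte) (json.RawMessage, error) {
	var env struct {
		Result json.RawMessage `json:"result"`
		Data   json.RawMessage `json:"data"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, err
	}
	if len(env.Result) > 0 && env.Result[0] == '{' {
		return env.Result, nil // v4: the result object is the payload
	}
	var status string
	if err := json.Unmarshal(env.Result, &status); err == nil && status == "OK" && len(env.Data) > 0 {
		return env.Data, nil // v3: status string plus data object
	}
	return nil, fmt.Errorf("unrecognised response envelope: %.80s", body)
}

func main() {
	// Constructed sample in the v4 shape described in the release note.
	v4 := []byte(`{"result":{"total":1,"items":["cpe:/a:google:chrome"]}}`)
	old, err := v3Only(v4)
	fmt.Printf("v3-only decoder: %d bytes, err=%v\n", len(old), err)
	p, err := payload(v4)
	fmt.Printf("tolerant decoder: %s, err=%v\n", p, err)
}
```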

Added markdown report format

  • New --output markdown / -o markdown flag for scan commands — generates a human-readable Markdown report suitable for pasting into issues, PRs, or documentation.

Tooling updates

  • Updated golangci-lint to v2.9.0
  • Added macOS install instructions to README

Dependency update

  • Upgraded go-vulners v1.1.5 → v1.2.0 — fixes v4 response parsing for CPE search, STIX bundles, and software/host audit endpoints

v1.2.4

14 Feb 14:07

vulners-cli v1.2.4

Maintenance release: Go 1.26 and dependency updates.

What's Changed

Go 1.26 upgrade

  • Updated Go toolchain 1.25.7 → 1.26.0 — includes the new Green Tea garbage collector (10-40% less GC overhead), stricter url.Parse validation, and new() expression syntax

Dependency updates

  • Updated all direct and transitive dependencies to latest versions, including grpc 1.79.1, protobuf 1.36.11, cloud.google.com/go/storage 1.60, otel 1.40, and ~90 other transitive bumps

v1.2.3

14 Feb 13:25

vulners-cli v1.2.3

Bugfix release: Linux audit now works correctly for Debian-based distributions.

What's Changed

Fixed Linux audit for deb-based distros

  • vulners audit linux always failed for Ubuntu/Debian — the Vulners API requires packages in name version arch format (three space-separated fields) for deb-based distributions, but the CLI was sending only name version. The API returned a generic error with no details, making it hard to diagnose.
  • Added automatic architecture detection for deb-based distros (ubuntu, debian, kali, mint, etc.) — if the user passes --pkg openssl=3.0.2, the CLI now correctly sends openssl 3.0.2 amd64 to the API.
  • New --arch flag allows overriding the default architecture when auditing a remote system.
  • RPM-based distros (centos, rhel, fedora, etc.) are unaffected and continue to work with name version format.
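An added example of the formatting rule described above, written for this page rather than taken from the CLI; the distro list and the GOARCH-to-dpkg mapping are assumptions (the CLI may detect the architecture differently).

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
)

// debFamilies are the distributions for which the audit API expects three
// fields, "name version arch"; every other family sends "name version".
// Assumed from the release note; the CLI's own list may be longer.
var debFamilies = map[string]bool{"ubuntu": true, "debian": true, "kali": true, "mint": true}

// dpkgArch maps a Go GOARCH value to the dpkg architecture name. The mapping
// is an assumption for the local case; --arch overrides it for remote systems.
func dpkgArch(goarch string) string {
	switch goarch {
	case "386":
		return "i386"
	case "ppc64le":
		return "ppc64el"
	default: // amd64, arm64, s390x share dpkg's name
		return goarch
	}
}

// auditPackageLine turns a --pkg spec such as "openssl=3.0.2" into the line
// sent to the audit API for distro. archOverride is the --arch value; when
// empty, the local architecture is used for deb-based distros.
func auditPackageLine(distro, spec, archOverride string) (string, error) {
	name, version, ok := strings.Cut(spec, "=")
	if !ok || name == "" || version == "" {
		return "", fmt.Errorf("package spec %q must be name=version", spec)
	}
	if !debFamilies[strings.ToLower(distro)] {
		return name + " " + version, nil // rpm-based: two fields
	}
	arch := archOverride
	if arch == "" {
		arch = dpkgArch(runtime.GOARCH)
	}
	return name + " " + version + " " + arch, nil // deb-based: three fields
}

func main() {
	line, err := auditPackageLine("ubuntu", "openssl=3.0.2", "amd64")
	fmt.Println(line, err)
}
```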

Dependency update

v1.2.2

11 Feb 22:15

vulners-cli v1.2.2

Bugfix release: AI score now correctly populated in scan results.

What's Changed

Fixed AI score extraction

  • AI score was always 0 in scan findings — the SBOMAudit API returns the Vulners AI score inside enchantments.score.value, not in the top-level aiScore field. Updated convertSBOMFindings to extract the score from enchantments.score (with fallback to aiScore)
  • CVE-2023-45853 now correctly shows aiScore: 9.7 instead of 0

Dependency update

  • Upgraded go-vulners v1.1.3 → v1.1.4 — adds GetEnchantmentsScore() helper and aligns AIScore struct fields (Value/Uncertainty) with the actual API response format

v1.2.1

11 Feb 21:03

vulners-cli v1.2.1

Maintenance release: syft is now embedded as a Go library — no external binary required for image scanning.

What's Changed

Embedded syft library

  • vulners scan image no longer requires an external syft binary — SBOM generation now happens in-process using anchore/syft v1.42.0 as a Go library
  • Replaced exec.Command("syft", ...) subprocess with syft.GetSource() → syft.CreateSBOM() → CycloneDX JSON encoder pipeline
  • Zero-install image scanning: go install or a single binary is all you need

Doctor & MCP cleanup

  • vulners doctor no longer checks for external syft in PATH (not needed)
  • MCP doctor tool description updated accordingly

README updates

  • Removed "(requires syft)" from image scanning documentation
  • Added sections for autocomplete, VScanner, webhooks, subscriptions, reports, MCP server, diagnostics, and agent mode

v1.2.0

11 Feb 18:29

vulners-cli v1.2.0

Feature release with new commands, Trivy-competitive image scanning, MCP server, and quality improvements.

New features

Image scanning improvements

  • Hybrid image scanning: vulners scan image now routes OS packages (apk/deb/rpm) through LinuxAudit API for distro-aware matching, and application packages through SBOMAudit API for richer findings (CVSS, EPSS, AIScore, exploit info)
  • Distro auto-detection — automatically extracts OS distribution from CycloneDX SBOM metadata; override with --distro alpine/3.18
  • Image metadata — JSON output now includes imageMeta with distro info, package breakdown, and audit mode

MCP server

  • vulners mcp — built-in Model Context Protocol server exposing Vulners tools to AI agents (search, CVE lookup, CPE search, SBOM audit, scan)

VScanner integration

  • vulners vscan — manage Vulners VScanner projects, tasks, and vulnerability scans with full lifecycle support (create, list, start, stop, results)

Webhooks & subscriptions

  • vulners webhook — manage webhooks (list, add, read, enable/disable, delete)
  • vulners subscription — manage vulnerability subscriptions (list, create, update, enable/disable, delete)

Reporting & dashboards

  • vulners report — vulnerability summary, vulnerability list, host vulnerabilities, scan history, and IP summary reports

Developer experience

  • vulners doctor — environment health check (API key, connectivity, syft, govulncheck, offline cache)
  • vulners autocomplete — generate shell completions for bash, zsh, fish
  • vulners suggest — search query suggestions
  • vulners spec — print OpenAPI-style command specification (JSON)
  • vulners schema — print JSON schema for scan output

Output & agent support

  • --agent flag — structured JSON output with deterministic sort, quiet logging, no color
  • --fields — project specific fields from JSON output (e.g. --fields findings.vulnID,findings.severity)
  • --summary-only — compact output with summary + top 5 findings
  • --max-findings — truncate findings with total count preserved
  • --plan — dry-run mode showing what a scan would do
  • CycloneDX VEX and HTML output formats

Fixes

Security & correctness

  • Fail-closed on total lookup failure — both online matcher and offline scan now return an error when all component lookups fail, preventing silent false negatives (exit 0 with empty findings)
  • VEX suppression priority — primary VulnID status now takes priority over alias status; aliases are only consulted when the primary ID has no VEX statement
  • Vulners query escaping — special characters (:, (, ), [, ]) are now properly escaped in search queries to prevent syntax errors
  • CVSS3 score handling — CVSS3 score of 0 no longer falls through to CVSS2, ensuring correct severity when CVSS3 is present
  • Pagination input validation — limit clamped to [1, 1000] and offset to >= 0, preventing negative values from reaching SQL/API calls
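An added example (not the CLI's code; type and function names are assumptions) of two of the rules above: VEX statement resolution giving the primary VulnID priority over aliases, and a fail-closed matcher that reports partial lookup failures but returns an error when every lookup fails.

```go
package main

import (
	"errors"
	"fmt"
)

// Finding is a matched vulnerability; Aliases are other IDs for the same issue. Names are assumed.
type Finding struct {
	VulnID  string
	Aliases []string
}

// vexStatus: the primary VulnID's statement wins; aliases count only when it has none.
func vexStatus(f Finding, statements map[string]string) (string, bool) {
	if s, ok := statements[f.VulnID]; ok {
		return s, true
	}
	for _, a := range f.Aliases {
		if s, ok := statements[a]; ok {
			return s, true
		}
	}
	return "", false
}

var ErrAllLookupsFailed = errors.New("all component lookups failed")

// matchAll looks up every component; partial failures are returned for reporting, total failure is an error.
func matchAll(components []string, lookup func(string) ([]Finding, error)) ([]Finding, []error, error) {
	var findings []Finding
	var errs []error
	for _, c := range components {
		fs, err := lookup(c)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", c, err))
			continue
		}
		findings = append(findings, fs...)
	}
	if len(components) > 0 && len(errs) == len(components) {
		return nil, errs, ErrAllLookupsFailed // fail closed: never exit 0 with empty findings
	}
	return findings, errs, nil
}

func main() {
	// Constructed component ref against a lookup that always fails.
	_, _, err := matchAll([]string{"pkg:npm/lodash@4.17.20"}, func(string) ([]Finding, error) { return nil, errors.New("unreachable") })
	fmt.Println(err)
}
```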

Reliability

  • Search limit — increased from 20 to 100 bulletins per component to avoid missing vulnerabilities for popular packages
  • Config error reporting — malformed YAML config file now returns an error instead of silently logging a warning
  • Component normalization — TrimSpace applied to name, version, and type to prevent whitespace mismatches
  • topNFindings sort — now correctly ranks by severity then CVSS (not severity then VulnID), so top findings reflect actual risk
  • Log level precedence — fixed an edge case where passing neither --quiet nor --verbose could leave the log level unset
  • captureStdout safety — test helper now uses defer to restore os.Stdout even on panic
  • Deduplicated CycloneDX parsing — SBOM file parsing now shares the same code path as image scanning, gaining distro detection and ecosystem tagging

Architecture

  • CLI framework: Kong (struct-based, testable)
  • Dependency injection: Uber Fx
  • Configuration: Koanf v2 (YAML + env vars + CLI flags)
  • Offline cache: SQLite via modernc.org/sqlite (pure Go, zero CGO)
  • Intel backend: go-vulners v1.1.3

v1.0.1

11 Feb 07:17

vulners-cli v1.0.1

Maintenance release with richer vulnerability data, deduplication, and CI hardening.

What's Changed

Richer vulnerability findings

  • API queries now request all useful Bulletin fields (EPSS, AI score, references, affected software, etc.)
  • Search, GetBulletin, SearchExploits, and GetMultipleBulletins all return full field data

Deduplicated scan logic

  • Extracted BulletinToFinding converter — single source of truth for Bulletin → Finding mapping
  • Unified scanComponents pipeline shared by scan repo, scan dir, and scan image commands
  • Offline scan results are now deduplicated by VulnID + ComponentRef
  • enrichFinding reuses BulletinToFinding instead of duplicating field extraction

Improved error handling

  • generateUUID in CycloneDX reporter now propagates crypto/rand errors instead of silently ignoring them
  • SARIF reporter returns a proper error on malformed scan output instead of silently producing empty results

CI & dependency updates

  • Pinned GitHub Actions to v6 (actions/checkout, actions/setup-go)
  • Pinned golangci-lint to v2.1.6, govulncheck to v1.1.4, gofumpt to v0.7.0
  • CI now reads Go version from go.mod instead of using matrix / stable
  • Updated go.yaml.in/yaml/v3 to v3.0.4
  • Go version bumped to 1.25.7

Housekeeping

  • Added README badges

v1.0.0

11 Feb 01:07

vulners-cli v1.0.0

Go-based CLI vulnerability scanner powered by Vulners.

Features

Intel commands

  • vulners search — search the Vulners database (full-text and exploits-only)
  • vulners cve — CVE lookup with optional references and change history
  • vulners cpe — search by CPE product/vendor
  • vulners stix — export STIX bundles by bulletin ID or CVE

Audit commands

  • vulners audit linux — audit Linux distribution packages
  • vulners audit windows — audit Windows KB updates
  • vulners audit host — host package audit (v4 API)
  • vulners audit winaudit — full Windows audit (KBs + software)

Scan commands

  • vulners scan repo — scan Go repositories (reachability-aware via govulncheck)
  • vulners scan dir — scan directories for package manifests (Go, npm, pip)
  • vulners scan sbom — scan CycloneDX and SPDX SBOMs
  • vulners scan image — scan container images (requires syft)

Offline mode

  • vulners offline sync — sync vulnerability data for air-gapped use (delta + full)
  • vulners offline status — show cache metadata
  • vulners offline purge — clear local database
  • --offline flag for scan, search, CVE, and CPE commands

Output formats

  • JSON (default), table, SARIF, HTML, CycloneDX VEX

Policy engine

  • --fail-on severity threshold (low / medium / high / critical)
  • --ignore CVE suppression (repeatable)
  • --vex OpenVEX document ingestion

Architecture

  • CLI framework: Kong (struct-based, testable)
  • Dependency injection: Uber Fx
  • Configuration: Koanf v2 (YAML + env vars + CLI flags)
  • Offline cache: SQLite via modernc.org/sqlite (pure Go, zero CGO)
  • Intel backend: go-vulners v1.1.3