Track vulnerability findings in your repository
Supply chain security, as code.
Vulnlog is an open-source CLI tool that gives teams a single source of truth for SCA vulnerability triage. Analyze findings, document verdicts and team decisions, generate suppression files and HTML reports — all from YAML files in the repository.
How it works
1. Scanner reports a finding
Your SCA scanner (Trivy, Snyk, etc.) detects a vulnerability in a dependency.
2. You analyse and document
Record your verdict, justification, and analysis in a .vl.yaml file alongside your code.
3. Generate outputs
Use the CLI or Gradle plugin to validate files, generate scanner suppressions, and produce HTML reports.
Features
Git-native workflow
Vulnerability records live in YAML files in your repository. Review them in PRs, track changes in git history, and keep everything close to the code.
VEX-aligned verdicts
Use standardised verdicts (affected, not affected, risk acceptable) and VEX justifications to document your analysis.
Scanner suppression
Generate suppression files for Trivy, Snyk, and a generic format directly from your Vulnlog entries. Stop maintaining suppression configs by hand.
Multi-release tracking
Track vulnerabilities across multiple product releases. Filter by release, tag, or reporter to get the view you need.
Schema validation
Vulnlog files are validated against a JSON Schema. Add a $schema comment for IDE autocompletion, and catch errors early with vulnlog validate in CI.
Runs where you build
Ship a single binary with no runtime dependencies, or integrate Vulnlog as a Gradle plugin. Also available as a JVM distribution or Docker image.
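The three-step workflow above (scanner finding, documented verdict, generated suppression) and the VEX verdict, scanner suppression and schema validation features can be illustrated in a few dozen lines. The script below is an added example, not Vulnlog's code: the record layout it validates is a constructed, hypothetical structure (the real .vl.yaml schema is not shown on this page), and the sample vulnerability IDs are placeholders. What is real is the VEX vocabulary (the three verdicts named above and the OpenVEX justification labels for "not affected") and the plain-text .trivyignore layout, one ID per line with # comments. The point a practitioner should take from it is that only "not affected" and still-valid "risk acceptable" verdicts turn into suppressions; an "affected" record never silences the scanner, and a record that fails validation stops generation instead of producing a half-correct ignore file.

```python
"""Validate VEX-aligned triage records and render a Trivy-style ignore file.

Added illustration, not Vulnlog's code. The record layout is a constructed,
hypothetical structure; the real .vl.yaml schema is not reproduced here.
"""
from datetime import date

# VEX-aligned verdicts (the page lists affected, not affected, risk acceptable)
VERDICTS = {"affected", "not_affected", "risk_acceptable"}

# OpenVEX justification labels that may accompany a "not_affected" status
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample records as a YAML loader would hand them over.
# The IDs are placeholders, not real CVE identifiers.
RECORDS = [
    {"id": "CVE-0000-0001", "verdict": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "analysis": "Only the encoder is used; the vulnerable parser is never reached.",
     "reporter": "alice"},
    {"id": "CVE-0000-0002", "verdict": "risk_acceptable",
     "analysis": "DoS reachable only from the internal network; fix ships next release.",
     "review_by": "2099-01-01", "reporter": "bob"},
    {"id": "CVE-0000-0003", "verdict": "affected",
     "analysis": "Exploitable in our deployment; upgrade in progress.",
     "reporter": "alice"},
]


def validate(record):
    """Return a list of schema problems; an empty list means the record is valid."""
    errors = []
    for field in ("id", "verdict", "analysis", "reporter"):
        if not record.get(field):
            errors.append(f"missing required field '{field}'")
    verdict = record.get("verdict")
    if verdict not in VERDICTS:
        errors.append(f"unknown verdict {verdict!r}; expected one of {sorted(VERDICTS)}")
    if verdict == "not_affected" and record.get("justification") not in VEX_JUSTIFICATIONS:
        errors.append("not_affected requires a VEX justification")
    if verdict == "risk_acceptable":
        try:
            date.fromisoformat(record.get("review_by", ""))
        except (TypeError, ValueError):
            errors.append("risk_acceptable requires an ISO review_by date")
    return errors


def suppressible(record, today):
    """True when the documented verdict justifies suppressing the finding today."""
    if record["verdict"] == "not_affected":
        return True
    if record["verdict"] == "risk_acceptable":
        # An expired risk acceptance must resurface in the scanner, not stay hidden.
        return date.fromisoformat(record["review_by"]) >= today
    return False  # 'affected' findings keep failing the scan


def to_trivyignore(records, today=None):
    """Render a .trivyignore: one vulnerability ID per line, '#' lines are comments.

    'today' is an ISO date string; it defaults to the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    lines = ["# generated from triage records; do not edit by hand"]
    for r in records:
        problems = validate(r)
        if problems:
            # Refuse to emit a suppression file from an invalid record.
            raise ValueError(f"{r.get('id')}: " + "; ".join(problems))
        if suppressible(r, today):
            reason = r.get("justification") or f"risk accepted until {r['review_by']}"
            lines.append(f"# {r['id']}: {r['verdict']} ({reason}) - {r['reporter']}")
            lines.append(r["id"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_trivyignore(RECORDS, today="2025-01-01"))
```

Run as-is to print the generated ignore file; in a pipeline the rendered text would be written to .trivyignore before the scan. Passing an explicit today value keeps the output reproducible in CI and makes the expiry rule for risk acceptances testable.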
Get started in seconds
Install Script
Homebrew (macOS)
Docker
Gradle plugin
Prefer a native binary or JVM distribution? See all installation options.
Ready to streamline your vulnerability management?
Vulnlog is free and open source under the Apache 2.0 license.