Quickstart

Creating a Vulnlog File

vulnlog init --project "My App" --organization "Acme Corp" --author "Security Team" -o my-app.vl.yaml

File Name Convention

For simple projects, vulnlog.[yaml|yml] are valid file names. For multiple Vulnlog files, use <project-name>.vl.[yaml|yml].

A Minimal Example

# $schema: https://vulnlog.dev/schema/vulnlog-v1.json
---
schemaVersion: "1"

project:
  organization: Acme Corp
  name: Acme Web App
  author: Acme Corp Security Team

releases:
  - id: 1.0.0
    published_at: 2026-01-15

vulnerabilities:

  - id: CVE-2026-1234
    releases: [ 1.0.0 ]
    description: Remote code execution in example-lib
    packages: [ "pkg:npm/example-lib@2.3.0" ]
    reports:
      - reporter: trivy
    analysis: >
      The vulnerable code path is not reachable in our application
      because we only use the safe subset of the API.
    verdict: not_affected
    justification: vulnerable_code_not_in_execute_path

IDE Setup

Vulnlog’s JSON Schema is published to SchemaStore. IDEs with YAML support can automatically provide validation and autocompletion for .vl.[yaml|yml] and vulnlog.[yaml|yml] files.

To reference a local schema, add this as the first line of your Vulnlog file:

# $schema: https://vulnlog.dev/schema/vulnlog-v1.json
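A repository check for the file name convention and the schema comment described above. This is an added example, not part of Vulnlog. The audit function, its finding texts, the rule that treats a missing schema comment as a finding, and the sample file names are assumptions made for illustration.

```python
import re

# File names the Quickstart lists as valid.
SINGLE = re.compile(r"^vulnlog\.ya?ml$")
MULTI = re.compile(r"^[^/\\]+\.vl\.ya?ml$")
# Schema comment from the IDE Setup section, expected as the first line.
SCHEMA_LINE = "# $schema: https://vulnlog.dev/schema/vulnlog-v1.json"


def classify(name):
    """Return 'single', 'multi' or None for a bare file name."""
    if SINGLE.match(name):
        return "single"
    return "multi" if MULTI.match(name) else None


def has_schema_comment(text):
    """True when the first line of the file is the schema comment."""
    lines = text.splitlines()
    return bool(lines) and lines[0].strip() == SCHEMA_LINE


def audit(files):
    """files maps file name -> content; returns sorted (name, finding) pairs."""
    kinds = {name: classify(name) for name in files}
    valid = [n for n, k in kinds.items() if k]
    findings = []
    for name, kind in kinds.items():
        if kind is None:
            # Assumption: a name containing 'vulnlog' or '.vl.' was meant as a Vulnlog file.
            if re.search(r"vulnlog|\.vl\.", name):
                findings.append((name, "name does not match the convention"))
        elif not has_schema_comment(files[name]):
            findings.append((name, "schema comment is not the first line"))
        elif kind == "single" and len(valid) > 1:
            findings.append((name, "multiple files: use <project-name>.vl.yaml"))
    return sorted(findings)


# Constructed sample repository contents (not from the Vulnlog project).
SAMPLE = {
    "web.vl.yaml": SCHEMA_LINE + '\n---\nschemaVersion: "1"\n',
    "api.vl.yml": '---\nschemaVersion: "1"\n',
    "vulnlog.yaml": SCHEMA_LINE + '\n---\nschemaVersion: "1"\n',
    "worker.vulnlog.yaml": '---\nschemaVersion: "1"\n',
    "README.md": "docs\n",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A file whose name falls outside the convention is the case worth catching in review, since an IDE that matches schemas by file name has nothing to match it against.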