Vulnlog Documentation
Vulnlog is a developer-oriented CLI tool for supply chain security. It tracks and documents software vulnerability findings reported by SCA (software composition analysis) scanners, using a YAML-based format that lives in the repository alongside the code and serves as the single source of truth for vulnerability management.
What Vulnlog does
- Track SCA vulnerability findings in the repository
- Record analysis verdicts and justifications per vulnerability
- Generate suppression files for scanners (Trivy, Snyk, and a generic format)
- Validate Vulnlog files against the schema
- Filter by release, tag, or reporter
Open Source
Vulnlog is open source and hosted on GitHub. Contributions, bug reports, and feature requests are welcome.
Next steps
- Install Vulnlog and run through the Quickstart
- Learn about the Vulnlog YAML format
- Explore the CLI commands
- Plan the branching strategy for single- or multi-branch projects