Installation

Vulnlog can be installed and used in several ways.

Docker

A container image is published to the GitHub Container Registry on every release. The image runs as a non-root user (UID 1000) by default.

Pull version 0.14.0 Vulnlog Docker image and print the version.
docker pull ghcr.io/vulnlog/vulnlog:0.14.0
docker run --rm ghcr.io/vulnlog/vulnlog:0.14.0 --version

vulnlog version 0.14.0

Either use STDOUT, STDIN or Docker volumes to pass files into the container and get them out of it.

Print the output of vulnlog init to STDOUT with --output -.
docker run --rm ghcr.io/vulnlog/vulnlog:0.14.0 init --organization "Demo Org" --name Demo --author Me --output -
---
schemaVersion: "1"

project:
  organization: "Demo Org"
  name: "Demo"
  author: "Me"

releases: []

vulnerabilities: []
Use the Docker interactive -i flag to keep STDIN open to pass the vulnlog.yaml file into the container.
docker run --rm -i ghcr.io/vulnlog/vulnlog:0.14.0 validate - < vulnlog.yaml
Validation OK
Use Docker volumes to map a local directory into the Docker container.
docker run --rm -v "$PWD:/work" ghcr.io/vulnlog/vulnlog:0.14.0 suppress vulnlog.yaml
Suppression file created at: /work/.snyk
Suppression file created at: /work/.trivyignore.yaml

Not all Vulnlog CLI commands support the same set of input (STDIN) and output (STDOUT) capabilities. Check the corresponding command documentations for more details.

Install Script

A POSIX install script is attached to every release. It detects the current OS and architecture, downloads the matching native binary, and installs it to ~/.local/bin (or ~/bin if ~/.local/bin does not exist). Platforms without a native build (linux-aarch64, macos-amd64) automatically fall back to the JVM distribution and require Java 21 or later.

Install the latest Vulnlog release.
curl -fsSL vulnlog.dev/install | sh

To force the JVM distribution, pass --jvm:

curl -fsSL vulnlog.dev/install | sh -s -- --jvm

To uninstall, run:

curl -fsSL vulnlog.dev/uninstall | sh

A versioned copy of the same script is also attached to each GitHub release as install-vulnlog.sh and uninstall-vulnlog.sh.

Native Binary

Standalone native binaries are built with GraalVM and require no Java runtime. They start instantly and are the recommended choice for local use.

  1. Download the latest Vulnlog archive from releases page.

  2. Extract the archive.

  3. Move the vulnlog binary to a directory on PATH, for example /usr/local/bin.

  4. Verify the installation:

    vulnlog --version
vulnlog version 0.14.0

JVM Distribution

A platform-independent JVM distribution is also published on the releases page. It requires Java 21 or later to be installed.

Build from Source

Clone the repository and build with Gradle:

git clone https://github.com/vulnlog/vulnlog.git
cd vulnlog
./gradlew installDist

The resulting distribution is placed in build/install/vulnlog.