vulnlog modify add
Adds a new vulnerability entry to one or more Vulnlog files, or prints the entry to STDOUT when no file is given. This records a finding from the command line instead of editing the YAML by hand.
```
vulnlog modify add [<file...>] --vuln-id <id> [flags]
```
| Flag | Description |
|---|---|
| `--vuln-id <id>` | Vulnerability ID for the new entry. Required. |
| `--name` | Common name for the vulnerability (e.g. Log4Shell). |
| `--alias` | Alternative identifier for the entry. Repeatable. |
| `--release` | Release the vulnerability affects. Repeatable. On insert, defaults to the latest release defined in the file. Must be defined in the file. |
| `--package` | Package URL (PURL) the vulnerability affects. Repeatable. |
| `--tag` | Tag to attach to the entry. Repeatable. Must be defined in the file. |
| `--reporter` | Reporter that surfaced the vulnerability. Repeatable. Adds a report dated today for each value. |
| `--description` | Short description of the vulnerability. |
| `--analysis` | Analysis and rationale for the triage decision. |
| `--analyzed-at` | Date the analysis was performed, formatted |
| `--verdict` | Triage verdict. One of |
| `--severity` | Severity. One of |
| `--justification` | VEX justification for a |
| `--comment` | Free-text comment stored with the entry. |
The positional arguments are the target files; repeat them to add the same entry to several files in one invocation.

When no file is given, the entry is written to STDOUT instead, ready to paste under a `vulnerabilities` list.

A new entry carries no verdict unless you pass `--verdict`, so it starts under investigation by default.

When writing to a file, the whole file is rewritten in the canonical style, exactly as `fmt` would format it. Any valid YAML layout is accepted as input. YAML comments are not preserved; the command warns when it drops them.

The `--verdict`, `--severity`, and `--justification` values are written exactly as given and are not cross-checked, so an inconsistent combination (for example `affected` together with a justification) is accepted here and reported later by `validate`.

If an entry with the same id already exists in a target file, it is updated in place rather than duplicated.
The update favours adding over replacing:

- List fields (`--alias`, `--release`, `--package`, `--tag`) are added to the existing values; nothing is removed.
- `reports` are merged by reporter: each `--reporter` appends a report for a new reporter or sets the date to today for one that already exists.
- Scalar fields (`--name`, `--description`, `--analysis`, `--analyzed-at`, `--verdict`, `--severity`, `--justification`, `--comment`) overwrite the existing value when supplied, and are left untouched when omitted.
- `resolution` is never changed by this command.
- The entry keeps its position in the file.
Releases and tags must already be defined in the file; otherwise the command fails without writing changes.
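The insert-or-update rules above, modelled in Python as an added illustration written for this page; it is not vulnlog's own code. The file is held as a plain dict of the shape a YAML loader would return. The keys `vulnerabilities`, `releases`, `packages`, `reports`, `reporter`, `at` and `resolution` follow the page; the top-level `tags` key, the entry keys `aliases` and `tags`, the scalar key names (`analyzed_at` and friends), treating the last element of `releases` as the "latest" release, and skipping duplicates when a list value is added are all assumptions made here. Validation of releases and tags runs before any mutation, so a failure leaves the document unchanged, as the command does.

```python
"""Merge rules of `vulnlog modify add`, modelled on plain dicts.

Added illustration for this page, not vulnlog's own code. Key names not
shown on the page (`tags`, `aliases`, the scalar keys) are assumptions.
"""
from datetime import date

# Scalar flags and the entry keys they write (key names assumed).
SCALAR_FIELDS = ("name", "description", "analysis", "analyzed_at",
                 "verdict", "severity", "justification", "comment")


class VulnlogError(Exception):
    """A release or tag is not defined in the file; nothing is written."""


def _require_defined(values, defined, kind):
    missing = [v for v in values if v not in defined]
    if missing:
        raise VulnlogError(f"{kind} not defined in file: {', '.join(missing)}")


def _extend_unique(existing, new):
    # Append values not already present; nothing is ever removed (dedup is assumed).
    for value in new:
        if value not in existing:
            existing.append(value)


def add_entry(doc, vuln_id, *, releases=(), packages=(), tags=(), aliases=(),
              reporters=(), today=None, **scalars):
    """Insert or update entry `vuln_id` in `doc`; returns "added" or "updated".

    `today` is an ISO date string; it defaults to the real date and exists
    only so that results are reproducible.
    """
    unknown = set(scalars) - set(SCALAR_FIELDS)
    if unknown:
        raise TypeError(f"unknown scalar fields: {sorted(unknown)}")
    today = today or date.today().isoformat()

    # Validate before touching the document: a failure must not change it.
    _require_defined(releases, doc.get("releases", []), "release")
    _require_defined(tags, doc.get("tags", []), "tag")

    entries = doc.setdefault("vulnerabilities", [])
    entry = next((e for e in entries if e.get("id") == vuln_id), None)
    if entry is None:
        # Insert: default to the latest release in the file (assumed: last element).
        if not releases and doc.get("releases"):
            releases = (doc["releases"][-1],)
        entry = {"id": vuln_id, "releases": list(releases),
                 "packages": list(packages), "reports": []}
        if aliases:
            entry["aliases"] = list(aliases)
        if tags:
            entry["tags"] = list(tags)
        entries.insert(0, entry)  # new entries go to the top of the list
        action = "added"
    else:
        # Update: list fields only grow; the entry keeps its position.
        _extend_unique(entry.setdefault("releases", []), releases)
        _extend_unique(entry.setdefault("packages", []), packages)
        if aliases:
            _extend_unique(entry.setdefault("aliases", []), aliases)
        if tags:
            _extend_unique(entry.setdefault("tags", []), tags)
        action = "updated"

    # Reports merge by reporter: a known reporter is re-dated, a new one appended.
    reports = entry.setdefault("reports", [])
    for reporter in reporters:
        for report in reports:
            if report["reporter"] == reporter:
                report["at"] = today
                break
        else:
            reports.append({"reporter": reporter, "at": today})

    # Scalars overwrite only when supplied; `resolution` is never touched here.
    for key, value in scalars.items():
        if value is not None:
            entry[key] = value
    return action


def page_example(today="2026-06-02"):
    """Replay the page's two commands against a constructed file."""
    doc = {"releases": ["0.9.0", "1.0.0"], "tags": [], "vulnerabilities": []}
    first = add_entry(doc, "CVE-2026-1234", reporters=["trivy"], today=today)
    second = add_entry(doc, "CVE-2026-1234",
                       packages=["pkg:npm/example-lib@2.3.0"], today=today)
    return doc, (first, second)


if __name__ == "__main__":
    document, actions = page_example()
    print(actions, document["vulnerabilities"][0])
```

`page_example` reproduces the page's sequence: the first call inserts the entry with the file's latest release and a `trivy` report dated today, the second finds the existing id and only extends `packages`, leaving the report list and position untouched.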
Example
```
vulnlog modify add vulnlog.yaml --vuln-id CVE-2026-1234 --reporter trivy
Added to vulnlog.yaml: CVE-2026-1234
```

The entry is inserted at the top of the `vulnerabilities` list:

```yaml
- id: CVE-2026-1234
  releases: [1.0.0]
  packages: []
  reports:
    - reporter: trivy
      at: 2026-06-02
```

Running the command again for the same id, here with `--package`, updates the existing entry in place:

```
vulnlog modify add vulnlog.yaml --vuln-id CVE-2026-1234 --package pkg:npm/example-lib@2.3.0
Updated in vulnlog.yaml: CVE-2026-1234
```

With no file given, the entry is printed to STDOUT instead:

```
vulnlog modify add --vuln-id CVE-2026-1234
```

```yaml
- id: CVE-2026-1234
  releases: []
  packages: []
  reports: []
```