Vulnlog Overview

Vulnlog is a developer-oriented approach to software supply chain security. It pairs a YAML file format with a CLI that turns the file into software composition analysis (SCA) scanner ignore files and vulnerability reports. The CLI is designed to run in CI pipelines and on developer machines.

Figure: How Vulnlog works. The scanner reports a finding, an engineer analyses its impact, and Vulnlog generates the report and ignore files.

Vulnlog is open source, hosted on GitHub and licensed under Apache 2.0. Contributions, bug reports, and feature requests are welcome.

Vulnlog Workflow

Vulnlog is designed around the SCA scanning process:

  1. An SCA scanner — for example, Cargo Audit, Snyk, or Trivy — scans the project and reports one or more vulnerabilities.

  2. An engineer analyses each report, decides whether it affects the project, and records the analysis, verdict, and next steps in the Vulnlog YAML file.

    A vulnerability entry for CVE-2026-1234 that Trivy reported but that does not affect the product:
      - id: CVE-2026-1234
        description: Remote code execution in example-lib
        releases: [1.0.0]
        packages: ["pkg:npm/example-lib@2.3.0"]
        reports:
          - reporter: trivy
        analysis: >-
          The vulnerable code path is not reachable in our application because we only use the safe subset of the API.
        verdict: not affected
        justification: vulnerable code not in execute path

  3. The Vulnlog CLI reads the YAML file, validates it, and generates reports, suppression files, or both.
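
The following is an added illustration of step 3, written for this page; it is not the Vulnlog CLI and does not reproduce its behaviour. It takes entries with the layout shown above (as `yaml.safe_load()` would return them), validates them, and renders a `.trivyignore` file plus a one-line-per-entry report. The allowed verdict set (VEX-style status values), the validation rules, the rule that only `not affected` entries are suppressed, the second sample entry and the report layout are all assumptions made for the example.

```python
"""Added example (not the Vulnlog CLI): validate Vulnlog-style entries and
emit a Trivy ignore file plus a plain-text report. Verdict set, validation
rules and output layout are assumptions, not Vulnlog's own."""
from typing import Dict, List

# Assumed to follow VEX-style status values.
VERDICTS = {"not affected", "affected", "fixed", "under investigation"}

# Constructed input: the entry from the page as yaml.safe_load() would
# return it, plus a second, still-open finding made up for this example.
ENTRIES: List[Dict] = [
    {
        "id": "CVE-2026-1234",
        "description": "Remote code execution in example-lib",
        "releases": ["1.0.0"],
        "packages": ["pkg:npm/example-lib@2.3.0"],
        "reports": [{"reporter": "trivy"}],
        "analysis": "The vulnerable code path is not reachable in our application.",
        "verdict": "not affected",
        "justification": "vulnerable code not in execute path",
    },
    {
        "id": "CVE-2026-5678",
        "description": "Denial of service in other-lib",
        "releases": ["1.0.0"],
        "packages": ["pkg:npm/other-lib@1.2.0"],
        "reports": [{"reporter": "trivy"}, {"reporter": "snyk"}],
        "analysis": "Reachable from the request parser; upgrade scheduled.",
        "verdict": "affected",
    },
]


def validate_entry(entry: Dict) -> List[str]:
    """Return a list of problems; an empty list means the entry is valid.
    A suppression without a recorded reason must never reach the scanner,
    so 'not affected' requires both analysis and justification."""
    problems = []
    for field in ("id", "packages", "reports", "verdict"):
        if not entry.get(field):
            problems.append(f"missing field: {field}")
    verdict = entry.get("verdict")
    if verdict not in VERDICTS:
        problems.append(f"unknown verdict: {verdict!r}")
    if verdict == "not affected":
        for field in ("analysis", "justification"):
            if not entry.get(field):
                problems.append(f"'not affected' requires {field}")
    for rep in entry.get("reports", []):
        if not rep.get("reporter"):
            problems.append("report without reporter")
    return problems


def validate(entries: List[Dict]) -> Dict[str, List[str]]:
    """Map entry id (or index) to its problems, for entries that have any."""
    result = {}
    for i, entry in enumerate(entries):
        problems = validate_entry(entry)
        if problems:
            result[entry.get("id") or f"entry[{i}]"] = problems
    return result


def trivyignore(entries: List[Dict]) -> str:
    """Render a .trivyignore: one vulnerability id per line, '#' comments.
    Only 'not affected' entries that Trivy reported are suppressed; every
    other verdict stays visible in the scanner output on purpose."""
    lines = ["# generated from vulnlog entries; do not edit by hand"]
    for entry in entries:
        reporters = {r.get("reporter") for r in entry.get("reports", [])}
        if entry.get("verdict") == "not affected" and "trivy" in reporters:
            lines.append(f"# {entry['justification']}")
            lines.append(entry["id"])
    return "\n".join(lines) + "\n"


def report(entries: List[Dict]) -> List[str]:
    """One summary line per entry for the human-readable report."""
    rows = []
    for entry in entries:
        reporters = ", ".join(sorted(r["reporter"] for r in entry["reports"]))
        rows.append(
            f"{entry['id']}: {entry['verdict']} "
            f"(reported by {reporters}; packages {', '.join(entry['packages'])})"
        )
    return rows


if __name__ == "__main__":
    problems = validate(ENTRIES)
    if problems:
        raise SystemExit(f"invalid vulnlog entries: {problems}")
    print(trivyignore(ENTRIES))
    print("\n".join(report(ENTRIES)))
```

The point worth keeping from this sketch is the validation gate: a suppression file is only as trustworthy as the analysis behind it, so an entry that would silence a scanner finding without a justification fails validation and nothing is written. Running this in CI, as the page suggests for the real CLI, turns an undocumented ignore into a build failure rather than a silently hidden vulnerability.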

Next steps