Install
Vulkro is distributed as a single self-contained binary. There are no runtime dependencies, no Electron, no native deps to compile.
Vulkro is currently in beta. Expect rapid iteration and occasional rough edges. Please report issues to the Vulkro team.
One-line install (macOS, Linux, Windows)
curl -fsSL https://dist.vulkro.com/install.sh | bash
The installer:
- Detects your OS and architecture.
- Fetches the matching binary from the Vulkro release feed.
- Verifies the SHA-256 checksum against the published `.sha256` file.
- Installs to `/usr/local/bin/vulkro`, falling back to `~/.local/bin` if `/usr/local/bin` isn't writable.
- Runs `vulkro update` once to fetch the latest signed CVE bundle from the Vulkro CDN, so dependency scanning works on the first scan.
Two network calls total: the release feed for the binary, and the CVE CDN for the bundle. Both are documented and reproducible.
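The checksum step the installer performs, written out as an added example (not Vulkro's installer code) for hosts where the binary and its `.sha256` file are downloaded or copied by hand. It assumes the `.sha256` file holds a bare hex digest or a `sha256sum`-style line; `sha256_of`, `verify_sha256` and the script name are chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded file against its published .sha256 file.
# Assumption: the .sha256 file's first line is a bare hex digest or a
# sha256sum-style "<digest>  <filename>" line.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'          # stock macOS
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_sha256 <file> <sha256-file>
# Returns 0 on match, 1 on mismatch, 2 when an input is missing or malformed.
verify_sha256() {
  local file="$1" sumfile="$2" expected actual
  [ -f "$file" ] && [ -f "$sumfile" ] || { echo "missing input" >&2; return 2; }

  # First field of the first line, lowercased so uppercase digests compare equal.
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

  # Accept only 64 hex characters: an empty file or an HTML error page saved
  # as the .sha256 must fail closed rather than be compared as a digest.
  case "$expected" in
    ''|*[!0-9a-f]*) echo "malformed digest in $sumfile" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed digest in $sumfile" >&2; return 2; }

  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file"
    return 0
  fi
  echo "MISMATCH: $file (expected $expected, got $actual)" >&2
  return 1
}

# Stand-alone use: ./verify.sh <file> <sha256-file>
if [ "$#" -eq 2 ]; then
  verify_sha256 "$1" "$2"
fi
```

A `.sha256` file served from the same host as the binary catches corruption and truncation in transit, not a compromised host.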
Configurable installer
| Variable / flag | Effect |
|---|---|
| `VULKRO_VERSION=v0.3.0` | Pin a specific release tag. |
| `VULKRO_BIN_DIR=/opt/bin` | Override the install destination. |
| `--no-cve-update` | Skip the first-run bundle fetch. |
| `VULKRO_OFFLINE=1` | Refuse all outbound network calls (you can apply a bundle later via `vulkro update --bundle <path>`). |
Windows
The Windows binary works under PowerShell and inside WSL. Run the PowerShell installer:
iwr -useb https://dist.vulkro.com/install.ps1 | iex
Air-gapped install
If the machine running vulkro cannot reach the public internet, request
an offline bundle (binary tarball + signed CVE bundle) from the Vulkro
team. Then on the target:
# extract the binary archive, then apply the signed CVE bundle
vulkro update --bundle ./vulkro-cve-<date>.vkbundle
With `VULKRO_OFFLINE=1` set, vulkro makes no outbound calls during normal scan operation.
Staying up to date
Every vulkro invocation spawns a quick background thread that asks the Vulkro release feed for the latest tag and - if a newer version exists - prints a one-line notification at the end of the command:
! vulkro update available: 0.3.0 -> 0.3.1
Install: curl -sSfL https://dist.vulkro.com/install.sh | bash
(or `vulkro update`; suppress with VULKRO_NO_UPDATE_CHECK=1)
Three things to know:
- The background check is cached for 24 hours in `~/.vulkro/update-check.json`, so the release feed is only hit once per machine per day.
- It uses a 2-second HTTP timeout and fails silently - offline machines and slow networks never see a delay.
- Opt out with `VULKRO_NO_UPDATE_CHECK=1` (any non-empty value). Set this in air-gapped environments and strict-egress CI.
For the explicit path:
vulkro update # fresh version check + prompt, then refresh CVE data
`vulkro update` skips the 24-hour cache, prompts to run the installer
if a newer release exists, and then pulls the latest signed CVE
snapshot. `dist/upgrade.sh` is the vendored script form of the binary
install, for restricted environments where `curl ... | bash` is
policy-blocked. See CLI -> update for details.
Vulkro for Salesforce (vulkro-sf)
The Salesforce product is a separate binary on the same engine,
distributed via a separate installer, and documented on its own
docs site under /sf/docs/. Install it instead of (or alongside) the
general vulkro binary if you audit Salesforce code or live orgs.
curl -fsSL https://dist.vulkro.com/install-sf.sh | bash
The full install walk-through, the org-connector privacy statement, the command reference, and the live-org workflow live on the Vulkro for Salesforce install page:
Install Vulkro for Salesforce ->