Skip to main content

Install

Vulkro is distributed as a single self-contained binary. There are no runtime dependencies, no Electron, no native deps to compile.

Account required

Running scans requires a Vulkro account. Install the binary, then run vulkro login to connect the CLI to your account; your 14-day trial starts on your first login. Air-gapped teams use a license file instead (see Air-gapped install below). Scans always run locally: your code is never uploaded.

One-line install (macOS, Linux, Windows)

curl -fsSL https://dist.vulkro.com/install.sh | bash

The installer:

  1. Detects your OS and architecture.
  2. Fetches the matching binary from the Vulkro release feed.
  3. Verifies the SHA-256 checksum against the published .sha256 file.
  4. Installs to /usr/local/bin/vulkro, falling back to ~/.local/bin if /usr/local/bin isn't writable.
  5. Runs vulkro update once to fetch the latest signed CVE bundle from the Vulkro CDN, so dependency scanning works on the first scan.

Two network calls total: the release feed for the binary, and the CVE CDN for the bundle. Both are documented and reproducible.

Connect your account

After installing, connect the CLI to your Vulkro account:

vulkro login

Your first login on a device starts a 14-day trial automatically. From then on the CLI holds a signed lease and refreshes it in the background about once a day; the lease stays valid for 14 days, so short offline stretches (travel, flaky networks) never interrupt scanning. The refresh carries only minimal usage keys, never your code and never findings.

When the trial lapses, request a license from the Vulkro team at [email protected]; Vulkro is licensed per seat, directly through our team. vulkro buy opens a pre-filled license-request email with this machine's fingerprint and your days-of-use stats; the team replies with a .lic file you install with vulkro activate <file.lic>.

For the full account model (login flows, the offline lease and its grace window, vulkro account / vulkro logout / vulkro license-status, and the air-gap path) see Accounts and licensing.

Configurable installer

Variable / flagEffect
VULKRO_VERSION=v0.3.0Pin a specific release tag.
VULKRO_BIN_DIR=/opt/binOverride the install destination.
VULKRO_OFFLINE=1Refuse all outbound network calls, including the first-run bundle fetch (you can apply a bundle later via vulkro update --bundle <path>).

Windows

The Windows binary works under PowerShell and inside WSL. Run the PowerShell installer:

iwr -useb https://dist.vulkro.com/install.ps1 | iex

Air-gapped install

If the machine running vulkro cannot reach the public internet, request an offline bundle (binary tarball + signed CVE bundle) and a license file from the Vulkro team. Then on the target:

# extract the binary archive, then apply the signed CVE bundle
vulkro update --bundle ./vulkro-cve-<date>.vkbundle

# install the license file (replaces `vulkro login` on air-gapped machines)
vulkro activate ./your-team.lic

No outbound calls during normal scan operation when VULKRO_OFFLINE=1. The license file satisfies the account requirement without any network access.

Staying up to date

Every vulkro invocation spawns a quick background thread that asks the Vulkro release feed for the latest tag and - if a newer version exists - prints a one-line notification at the end of the command:

! vulkro update available: 0.3.0 -> 0.3.1
Install: curl -sSfL https://dist.vulkro.com/install.sh | bash
(or `vulkro update`; suppress with VULKRO_NO_UPDATE_CHECK=1)

Three things to know:

  • The background check is cached for 24 hours in ~/.vulkro/update-check.json, so the release feed is only hit once per machine per day.
  • It uses a 2-second HTTP timeout and fails silent - offline machines and slow networks never see a delay.
  • Opt out with VULKRO_NO_UPDATE_CHECK=1 (any non-empty value). Set this in air-gapped environments and strict-egress CI.

For the explicit path:

vulkro update # fresh version check + prompt, then refresh CVE data

vulkro update skips the 24-hour cache, prompts to run the installer if a newer release exists, and then pulls the latest signed CVE snapshot. dist/upgrade.sh is the vendored script form of the binary install, for restricted environments where curl ... | bash is policy-blocked. See CLI -> update for details.

Vulkro for Salesforce (vulkro-sf)

Vulkro for Salesforce is a separate binary on the same engine, distributed via a separate installer, and documented under /docs/salesforce/. Install it instead of (or alongside) the general vulkro binary if you audit Salesforce code or live orgs.

curl -fsSL https://dist.vulkro.com/install-sf.sh | bash

The full install walk-through, the org-connector privacy statement, the command reference, and the live-org workflow live on the Vulkro for Salesforce install page:

Install Vulkro for Salesforce ->

What's next