Vuls

Vuls

  • Docs
  • Community
  • Blog
  • Languages iconEnglish
    • 日本語
  • GitHub
  • vulsdoc

›Usage

Introduction

  • Abstract
  • Main Features
  • Supported OS

Architecture

  • Remote, Local, One-liner scan
  • Remote Scan Mode
  • One-liner scan mode
  • Local Scan Mode
  • architecture
  • Fast Scan
  • Fast-Root Scan
  • Deep Scan
  • CPE Scan

Installation

  • Vulsctl - Quickest Vuls setup
  • Vulsctl - Install on HostOS
  • Install Manually
  • Install with Docker
  • Install with Package
  • Install with Ansible
  • Install with awless

Tutorial

  • Tutorial
  • Scan with Vulsctl
  • Local Scan Mode
  • Remote Scan Mode
  • Scan using Docker
  • Scan Docker Image
  • Scan non OS packages
  • Scan WordPress
  • Scan Port
  • Scan Windows

Usage

  • config.toml
  • Automatic Discovery
  • configtest
  • Scan
  • Report
  • TUI
  • Server

Vulsrepo

  • VulsRepo

Development

  • Contribute
  • Integration Testing

Misc

  • Cron
  • Update Vuls to the latest version
  • go-cve-dictionary
  • goval-dictionary
  • gost
  • go-exploitdb
  • go-msfdb
  • go-kev
  • go-cti
  • Related Projects
  • Tips
Edit

config.toml

Generate a template of the config.toml settings file

$ vuls discover 127.0.0.1/32
# Create config.toml using below and then ./vuls -config=/path/to/config.toml


# https://vuls.io/docs/en/config.toml.html#database-section
[cveDict]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/cve.sqlite3"
#url        = ""

[ovalDict]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/oval.sqlite3"
#url        = ""

[gost]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/gost.sqlite3"
#url        = ""

[exploit]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-exploitdb.sqlite3"
#url        = ""

[metasploit]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-msfdb.sqlite3"
#url        = ""

[kevuln]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-kev.sqlite3"
#url        = ""

[cti]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-cti.sqlite3"
#url        = ""

[vuls2]
#Path = "/path/to/vuls.db"
#Repository = "ghcr.io/vulsio/vuls-nightly-db:<schema-version>"
#SkipUpdate = false

# https://vuls.io/docs/en/config.toml.html#slack-section
#[slack]
#hookURL      = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
##legacyToken = "xoxp-11111111111-222222222222-3333333333"
#channel      = "#channel-name"
##channel     = "${servername}"
#iconEmoji    = ":ghost:"
#authUser     = "username"
#notifyUsers  = ["@username"]

# https://vuls.io/docs/en/config.toml.html#email-section
#[email]
#smtpAddr              = "smtp.example.com"
#smtpPort              = "587"
#tlsMode               = "STARTTLS"
#tlsInsecureSkipVerify = false
#user                  = "username"
#password              = "password"
#from                  = "[email protected]"
#to                    = ["[email protected]"]
#cc                    = ["[email protected]"]
#subjectPrefix         = "[vuls]"

# https://vuls.io/docs/en/config.toml.html#http-section
#[http]
#url = "http://localhost:11234"

# https://vuls.io/docs/en/config.toml.html#syslog-section
#[syslog]
#protocol    = "tcp"
#host        = "localhost"
#port        = "514"
#tag         = "vuls"
#facility    = "local0"
#severity    = "alert"
#verbose     = false

# https://vuls.io/docs/en/usage-report.html#example-put-results-in-s3-bucket
#[aws]
#profile                = "default"
#region                 = "ap-northeast-1"
#s3Bucket               = "vuls"
#s3ResultsDir           = "/path/to/result"
#s3ServerSideEncryption = "AES256"

# https://vuls.io/docs/en/usage-report.html#example-put-results-in-azure-blob-storage<Paste>
#[azure]
#accountName   = "default"
#accountKey    = "xxxxxxxxxxxxxx"
#containerName = "vuls"

# https://vuls.io/docs/en/config.toml.html#chatwork-section
#[chatwork]
#room     = "xxxxxxxxxxx"
#apiToken = "xxxxxxxxxxxxxxxxxx"

# https://vuls.io/docs/en/config.toml.html#telegram-section
#[telegram]
#chatID     = "xxxxxxxxxxx"
#token = "xxxxxxxxxxxxxxxxxx"

#[wpscan]
#token = "xxxxxxxxxxx"
#detectInactive = false

# https://vuls.io/docs/en/config.toml.html#default-section
[default]
#port               = "22"
#user               = "username"
#keyPath            = "/home/username/.ssh/id_rsa"
#scanMode           = ["fast", "fast-root", "deep", "offline"]
#scanModules        = ["ospkg", "wordpress", "lockfile", "port"]
#lockfiles = ["/path/to/package-lock.json"]
#cpeNames = [
#  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]
#owaspDCXMLPath     = "/tmp/dependency-check-report.xml"
#ignoreCves         = ["CVE-2014-6271"]
#ignorePkgsRegexp   = ["^kernel", "^python"]
#containersOnly     = false
#containerType      = "docker" #or "lxd" or "lxc" default: docker
#containersIncluded = ["${running}"]
#containersExcluded = ["container_name_a"]

# https://vuls.io/docs/en/config.toml.html#servers-section
[servers]

[servers.127-0-0-1]
host                = "127.0.0.1"
#port               = "22"
#user               = "root"
#sshConfigPath      = "/home/username/.ssh/config"
#keyPath            = "/home/username/.ssh/id_rsa"
#scanMode           = ["fast", "fast-root", "deep", "offline"]
#scanModules        = ["ospkg", "wordpress", "lockfile", "port"]
#type               = "pseudo"
#memo               = "DB Server"
#findLock           = true
#findLockDirs       = ["/path/to/dir"]
#lockfiles          = ["/path/to/package-lock.json"]
#cpeNames           = [ "cpe:/a:rubyonrails:ruby_on_rails:4.2.1" ]
#owaspDCXMLPath     = "/path/to/dependency-check-report.xml"
#ignoreCves         = ["CVE-2014-0160"]
#ignorePkgsRegexp   = ["^kernel", "^python"]
#containersOnly     = false
#containerType      = "docker" #or "lxd" or "lxc" default: docker
#containersIncluded = ["${running}"]
#containersExcluded = ["container_name_a"]

#[servers.127-0-0-1.containers.container_name_a]
#cpeNames           = [ "cpe:/a:rubyonrails:ruby_on_rails:4.2.1" ]
#owaspDCXMLPath     = "/path/to/dependency-check-report.xml"
#ignoreCves         = ["CVE-2014-0160"]
#ignorePkgsRegexp   = ["^kernel", "^python"]

#[servers.127-0-0-1.githubs."owner/repo"]
#token   = "yourToken"
#IgnoreGithubDismissed = true


#[servers.127-0-0-1.wordpress]
#cmdPath = "/usr/local/bin/wp"
#osUser = "wordpress"
#docRoot = "/path/to/DocumentRoot/"

#[servers.127-0-0-1.portscan]
#scannerBinPath = "/usr/bin/nmap"
#hasPrivileged = true
#scanTechniques = ["sS"]
#sourcePort = "65535"

#[servers.127-0-0-1.windows]
#serverSelection = 3
#cabPath = "/path/to/wsusscn2.cab"

#[servers.127-0-0-1.optional]
#key = "value1"

Database Section

[cveDict]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/cve.sqlite3"
#url        = ""

[ovalDict]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/oval.sqlite3"
#url        = ""

[gost]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/gost.sqlite3"
#url        = ""

[exploit]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-exploitdb.sqlite3"
#url        = ""

[metasploit]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-msfdb.sqlite3"
#url        = ""

[kevuln]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-kev.sqlite3"
#url        = ""

[cti]
#type = ["sqlite3", "mysql", "postgres", "redis", "http" ]
#sqlite3Path = "/path/to/go-cti.sqlite3"
#url        = ""

[vuls2]
#Path = "/path/to/vuls.db"
#Repository = "ghcr.io/vulsio/vuls-nightly-db:<schema-version>"
#SkipUpdate = false
  • type : the method of access for the database. (Default: "sqlite3")
  • SQLite3Path : Should only be set when using "sqlite" otherwise unused. (Default: SQLite3 in current directory)
  • url : specifies the url to access the database.

These can also be specified by an environment variable. Refer to the source code for the environment variable names.

  • cveDict
  • ovalDict
  • gost
  • exploit
  • metasploit
  • kevuln
  • cti

Slack section

[slack]
hookURL      = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
#legacyToken  = "xoxp-11111111111-222222222222-3333333333"
channel      = "#channel-name"
#channel      = "${servername}"
iconEmoji    = ":ghost:"
authUser     = "username"
notifyUsers  = ["@username"]
  • hookURL or legacyToken.
    If there are a lot of vulnerabilities, it is better to use legacyToken since the Slack notification will be flooded.

  • hookURL : Incoming web-hook's URL (hookURL is ignored when legacyToken is set.)
    Vuls-slack

  • legacyToken : slack legacy token
    Vuls-slack-thread

  • channel : channel name.

If you set ${servername} to channel, the report will be sent to each channel.
In the following example, the report will be sent to the #server1 and #server2.
Be sure to create these channels before scanning.

[slack]
channel      = "${servername}"
...snip...

[servers]

[servers.server1]
host         = "172.31.4.82"
...snip...

[servers.server2]
host         = "172.31.4.83"
...snip...
  • iconEmoji: emoji
  • authUser: username of the slack team
  • notifyUsers: a list of Slack usernames to send Slack notifications. If you set ["@foo", "@bar"] to notifyUsers, @foo @bar will be included in text.
    So @foo, @bar can receive mobile push notifications on their smartphone.

HTTP section

[http]
url = "http://localhost:11234"

EMail section

[email]
smtpAddr              = "smtp.gmail.com"
smtpPort              = "587"
tlsMode               = "STARTTLS"
tlsInsecureSkipVerify = false
user                  = "username"
password              = "password"
from                  = "[email protected]"
to                    = ["[email protected]"]
cc                    = ["[email protected]"]
subjectPrefix         = "[vuls]"
  • If you use SMTPS when send email, please set config.toml as follows.
[email]
smtpAddr              = "smtp.gmail.com"
smtpPort              = "465"
tlsMode               = "SMTPS"
tlsInsecureSkipVerify = false
user                  = "username"
password              = "password"
from                  = "[email protected]"
to                    = ["[email protected]"]
cc                    = ["[email protected]"]
subjectPrefix         = "[vuls]"

Gmail account setting

If you can't send vuls report via Email, please check your Gmail account setting.

  1. Access Manage your Google Account -> "Security" tab
  2. Check Signing in to Google -> "Use your phone to sign in" and "2-Step Verification" is OFF
  3. Check "Less secure app access" is On

Syslog section

[syslog]
protocol    = "tcp"
host        = "localhost"
port        = "514"
tag         = "vuls"
facility    = "local0"
severity    = "alert"
verbose     = false
  • protocol : transfer protocol (default: empty)
  • tcp or udp or empty
    If protocol is empty, vuls will connect to the local syslog server.
  • host : syslog target host
  • domain name or IP address
  • port : syslog target port (default: 514)
  • tag : syslog tag
  • facility : syslog facility (default: auth)
  • kern, user, mail, daemon, etc.
  • severity : syslog severity (default: info)
  • emerg, alert, crit, etc.
  • verbose : verbose mode (default: false)
  • CVE detail, etc.

Default section

[default]
#port        = "22"
#user        = "username"
#keyPath     = "/home/username/.ssh/id_rsa"
#lockfiles = ["/path/to/package-lock.json"]
#cpeNames = [
#  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]
#ignoreCves         = ["CVE-2016-6313"]
#ignorePkgsRegexp   = ["^kernel", "^python"]
#optional = [
#    ["key", "value"],
#]

Items of the default section will be used if not specified.

servers section

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
#ignoreIPAddresses = ["127.0.0.2"]
#jumpServer  = ["[email protected]:22", "[email protected]:2222"]
#port        = "22"
#user        = "root"
#sshConfigPath      = "/home/username/.ssh/config"
#keyPath     = "/home/username/.ssh/id_rsa"
#type          = "pseudo"
#findLock = true
#lockfiles = ["/path/to/package-lock.json"]
#cpeNames = [
#  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]
#ignoreCves         = ["CVE-2016-6314"]
#ignorePkgsRegexp   = ["^kernel", "^python"]
#optional = [
#    ["key", "value"],
#]
#[servers.172-31-4-82.containers]
#type = "lxd" # or "docker" or "lxc"
#includes = ["${running}"]
#excludes = ["container_name", "container_id"]

You can overwrite the default value specified in default section.

  • host: IP address or hostname of target server (support CIDR range)
  • ignoreIPAddresses: IP address to be removed from the host described in the CIDR Range. (CIDR Range is also possible)
  • jumpServer: IP address or hostname with port number of proxy
  • port: SSH Port number
  • user: SSH username
  • sshConfigPath: SSH config file path. see #1005
  • keyPath: SSH private key path
  • type: "pseudo" for non-ssh scanning. see #531
  • findLock, findLockDirs and lockfiles: see Usage: Scan vulnerability of non-OS package#Library Vulns Scan
  • cpeNames: see Usage: Scan vulnerability of non-OS package#CPE Scan
  • ignoreCves: CVE IDs that will not be reported. But output to JSON file.
  • ignorePkgsRegexp: Use regex to match any package name and ignore it from the report. But output to JSON file.
  • optional: Add additional information to JSON report.
  • containers: see Example: Scan Running containers (Docker/LXD/LXC)

Multiple SSH authentication methods are supported.

  • SSH agent
  • SSH public key authentication (with password and empty password)

If you need password authentication, see the tips of How to scan with SSH key with passphrase

  • How to Log in With No Password While Using ssh-agent

ChatWork section

[chatwork]
room = "xxxxxxxxxxx"
apiToken = "xxxxxxxxxxxxxxx"

GoogleChat section

[googlechat]
webHookURL = "https://chat.googleapis.com/v1/spaces/xxxxxxxxxx/messages?key=yyyyyyyyyy&token=zzzzzzzzzz%3D"
skipIfNoCve = false
serverNameRegexp = "(^(\\[Reboot Required\\] )?(?:(spam|ham)).*|.*(?:egg)$)"
  • webHookURL
    Chat room pull down menu ▼
    Select web hook management ⚙
    Create web hook
    Copy and Paste from web hook url
  • skipIfNoCve
    Skip reporting if the server has not any CVEs.
  • serverNameRegexp
    ServerName filter by regexp. The bellow excludes spamonigiri, hamburger and boiledegg.
    [Reboot Required] is magic words for vuls inside. Please ignore 😀

Telegram section

Posting to a user: here is how to find user's chatID

[telegram]
chatID = "xxxxxxxxxxx"
token = "xxxxxxxxxxxxxxx"

Posting to a channel:

[telegram]
chatID = "@xxxxxxxxxx"
token = "xxxxxxxxxxxxxxx"
← Scan WindowsAutomatic Discovery →
Vuls
Docs
IntroductionArchitectureTutorial
Community
Join SlackSlackTwitter(English)Twitter(Japanese)
More
BlogGitHub
Copyright © 2025 kotakanbe