Vuls

Vuls

  • Docs
  • Community
  • Blog
  • Languages iconEnglish
    • 日本語
  • GitHub
  • vulsdoc

›Usage

Introduction

  • Abstract
  • Main Features
  • Supported OS

Architecture

  • Remote, Local, One-liner scan
  • Remote Scan Mode
  • One-liner scan mode
  • Local Scan Mode
  • architecture
  • Fast Scan
  • Fast-Root Scan
  • Deep Scan
  • CPE Scan

Installation

  • Vulsctl - Quickest Vuls setup
  • Vulsctl - Install on HostOS
  • Install Manually
  • Install with Docker
  • Install with Package
  • Install with Ansible
  • Install with awless

Tutorial

  • Tutorial
  • Scan with Vulsctl
  • Local Scan Mode
  • Remote Scan Mode
  • Scan using Docker
  • Scan Docker Image
  • Scan non OS packages
  • Scan WordPress
  • Scan Port
  • Scan Windows

Usage

  • config.toml
  • Automatic Discovery
  • configtest
  • Scan
  • Report
  • TUI
  • Server

Vulsrepo

  • VulsRepo

Development

  • Contribute
  • Integration Testing

Misc

  • Cron
  • Update Vuls to the latest version
  • go-cve-dictionary
  • goval-dictionary
  • gost
  • go-exploitdb
  • go-msfdb
  • go-kev
  • go-cti
  • Related Projects
  • Tips
Edit

Scan

$ vuls scan -help
scan:
        scan
                [-config=/path/to/config.toml]
                [-results-dir=/path/to/results]
                [-log-dir=/path/to/log]
                [-cachedb-path=/path/to/cache.db]
                [-skip-broken]
                [-http-proxy=http://192.168.0.1:8080]
                [-timeout=300]
                [-timeout-scan=7200]
                [-debug]
                [-pipe]

                [SERVER]...
  -cachedb-path string
        /path/to/cache.db (local cache of changelog for Ubuntu/Debian)
  -config string
        /path/to/toml
  -debug
        debug mode
  -http-proxy string
        http://proxy-url:port (default: empty)
  -log-dir string
        /path/to/log (default "/var/log/vuls")
  -pipe
        Use stdin via PIPE
  -results-dir string
        /path/to/results
  -skip-broken
        [For CentOS] yum update changelog with --skip-broken option
  -timeout int
        Number of seconds for processing other than scan (default 300)
  -timeout-scan int
        Number of second for scanning vulnerabilities for all servers (default 7200)

fast scan

fast scan mode scans with no root-privilege, no deps on scan target server. fast For details about fast scan mode, see below. You need to execute vuls configtest to check the configuration of the target server before scanning. For details about fast scan mode, see below.

  • Architecture/fast
  • Configtest/fast scan

fast scan with internet access

  • config.toml
[servers]

[servers.localhost]
host         = "192.168.100.111" # or "127.0.0.1"
port         = "22"
scanMode     = ["fast"]

fast scan without internet access

  • config.toml
[servers]

[servers.localhost]
host         = "192.168.100.111" # or "127.0.0.1"
port         = "22"
scanMode     = ["fast", "offline"]

fast-root scan

fast-root scan mode scans with root-privilege. You need to execute vuls configtest to check the configuration of the target server before scanning. For details about fast-root scan mode, see below.

  • Architecture/fast-root
  • Configtest/fast-root scan

fast-root scan with internet access

  • config.toml
[servers]

[servers.localhost]
host         = "192.168.100.111" # or "127.0.0.1"
port         = "22"
scanMode     = ["fast-root"]

fast-root scan without internet access

  • config.toml
[servers]

[servers.localhost]
host         = "192.168.100.111" # or "127.0.0.1"
port         = "22"
scanMode     = ["fast-root", "offline"]

deep scan

  • same as fast-root scan mode for now.

-ssh-native-insecure option

removed in https://github.com/future-architect/vuls/issues/1181

Example: Scan all servers defined in config file

$ vuls scan

With this sample command, it will ..

  • Scan all servers defined in the config file
  • Use SSH Key-Based authentication with an empty password (If you want to use a passphrase, see the tips of How to scan with SSH key with passphrase.)

Example: Scan specific servers

$ vuls scan server1 server2

With this sample command, it will ..

  • Scan only 2 servers (server1, server2)

Example: Scan via shell instead of SSH

Vuls scans localhost instead of SSH if the host address is localhost or 127.0.0.1 and the port is local in config. For more details, see Architecture section

  • config.toml

    [servers]
    
    [servers.localhost]
    host         = "localhost" # or "127.0.0.1"
    port         = "local"
    

Example: Scan Running containers (Docker/LXD/LXC)

It is common that keep containers running without SSHd daemon. see Docker Blog:Why you don't need to run SSHd in your Docker containers

Docker

Vuls scans running Docker containers via docker exec instead of SSH. For more details, see Architecture section

If you don’t want to use root, create a Unix group called docker and add users to it For details, see docker manual

To scan all of the running containers

"${running}" needs to be set in the containers item.

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
user        = "ec2-user"
keyPath     = "/home/username/.ssh/id_rsa"
containerType = "docker"
containersIncluded = ["${running}"]

To scan specific running containers

The container ID or container name needs to be set in the container item.
In the following example, only container_name_a and 4aa37a8b63b9 will be scanned.
Be sure to check these containers are running state before scanning.
If specified containers are not running, Vuls gives up scanning with the printing error message.

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
user        = "ec2-user"
keyPath     = "/home/username/.ssh/id_rsa"
containerType = "docker"
containersIncluded = ["container_name_a", "4aa37a8b63b9"]

To scan except specific running containers

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
user        = "ec2-user"
keyPath     = "/home/username/.ssh/id_rsa"
containerType = "docker"
containersIncluded = ["${running}"]
containersExcluded = ["container_name_a", "4aa37a8b63b9"]

To scan containers only (Docker Host will not be scanned)

 [servers.localhost]
host = "localhost"
port = "local"
user = "vuls"
scanMode = ["fast-root"]
containersIncluded = ["${running}"]
containersOnly= true

LXD

Vuls scans lxd via lxc exec instead of SSH.

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
user        = "ec2-user"
keyPath     = "/home/username/.ssh/id_rsa"
containertype = "lxd"
containersIncluded = ["${running}"]
containersExcluded = ["container_name_a", "4aa37a8b63b9"]

LXC

Vuls scans lxc via lxc-attach instead of SSH.

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
user        = "ec2-user"
keyPath     = "/home/username/.ssh/id_rsa"
containertype = "lxc"
containersIncluded = ["${running}"]
containersExcluded = ["container_name_a", "4aa37a8b63b9"]

LXC required root privilege.

Example of /etc/sudoers on target servers

vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/lxc-attach -n *, /usr/bin/lxc-ls *

Example: scan WordPress (core, plugin, theme)

For Details, see usage-scan-wordpress

Example: scan a lockfile of libraries

For Details, see Scan vulnerabilities of non-OS packages

Example: scan Port by External Port Scanner(nmap)

For Details, see Scan Port by External Port Scanner

Example: scan Windows

For Details, see Scan Windows

← configtestReport →
Vuls
Docs
IntroductionArchitectureTutorial
Community
Join SlackSlackTwitter(English)Twitter(Japanese)
More
BlogGitHub
Copyright © 2025 kotakanbe