vulkro update
Refresh - or apply offline - the local CVE bundle, rule packs, and compliance frameworks. Three modes:
- Public CDN refresh - the default. Fetches a signed bundle from https://dist.vulkro.com/cve/.
- Verify a bundle - inspect a `.vkbundle` without applying it.
- Apply an offline bundle - write a `.vkbundle` carried in by hand.
- Author a bundle - for the maintainer; signs a new bundle with the signing key.
Usage
```
vulkro update                                      # public CDN refresh
vulkro update --bundle ./vulkro-cve-<id>.vkbundle  # apply offline bundle
vulkro update --verify ./vulkro-cve-<id>.vkbundle  # inspect, don't apply
vulkro update --create --out new.vkbundle \
    --add cves:cves/npm.json:./local/npm.json      # author (maintainer-only)
```
Flags
| Flag | Description |
|---|---|
| `--bundle <PATH>` | Apply a `.vkbundle` against `~/.vulkro/data/`. |
| `--verify <PATH>` | Verify the signature of a bundle and print the manifest, without writing. |
| `--create` | Author a new bundle. Reads the signing key from `$VULKRO_SIGNING_KEY` (file path or 64-char hex seed). |
| `--out <PATH>` | Output path for `--create`. |
| `--add <KIND:TARGET:SOURCE>` | Bundle entry to include during `--create`. KIND is `cves`, `rules`, or `compliance`. Repeat per entry. |
| `--trust-key <PATH>` | Extra trust root (32 raw bytes or hex). Repeatable. |
| `--dest <PATH>` | Override the destination root for `--bundle` (default `~/.vulkro/data/`). |
| `--no-version-check` | Skip the binary-version prompt that runs before the default CVE-refresh flow. Required in CI / non-interactive scripts. |
Version-check prompt
Before refreshing CVE data, the default vulkro update flow performs
the same release-feed check used by every other vulkro command and,
if a newer binary is available, prompts:
```
! Update available: 0.5.0 -> 0.5.1
Run `curl -sSfL https://dist.vulkro.com/install.sh | bash` now? [y/N]
```
Answer y and the install script runs in place; re-invoke
vulkro update once it finishes to pick up fresh CVE data with the
new binary. Answer n (or anything else) and the current binary
continues straight to the CVE refresh.
The prompt is suppressed when:
- `stdin` is not a TTY (so CI pipelines and `cron` invocations are never blocked).
- `--no-version-check` is passed.
- `VULKRO_NO_UPDATE_CHECK=1` is set in the environment.
- A specific bundle is being processed (`--bundle`, `--verify`, or `--create`) - those flows are about data, not the binary.
Trust roots
Bundles are signed with ed25519. Vulkro bakes a list of trusted public
keys into the binary at build time. Anything signed by a key outside
that list is rejected unless you pass `--trust-key <path>` naming that key.
Rotation policy: a new key is added in a release that also keeps the old key, then the old key is removed in a follow-up release. Existing customers get a window to upgrade before bundles signed by the old key stop verifying.
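The trust-root check described above, as an added illustration rather than vulkro's own code: a `--trust-key` file is accepted as 32 raw bytes or as hex, and a manifest is only accepted if some key in the trust set (built-in plus extras) verifies its ed25519 signature. Key pairs, the manifest bytes and the function names are constructed here; the real bundle layout is not assumed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// parseTrustKey accepts the two encodings the --trust-key flag documents:
// exactly 32 raw bytes, or the same key written as hex (trailing newline tolerated).
func parseTrustKey(data []byte) (ed25519.PublicKey, error) {
	if len(data) == ed25519.PublicKeySize {
		return ed25519.PublicKey(data), nil
	}
	decoded, err := hex.DecodeString(string(bytes.TrimSpace(data)))
	if err != nil || len(decoded) != ed25519.PublicKeySize {
		return nil, errors.New("trust key must be 32 raw bytes or 64 hex chars")
	}
	return ed25519.PublicKey(decoded), nil
}

// verifyBundle accepts the manifest only if a key in roots signed it and
// returns the index of that key so the caller can log which root vouched.
// Any key outside the set, or a malformed signature, is a hard reject.
func verifyBundle(manifest, sig []byte, roots []ed25519.PublicKey) (int, error) {
	if len(sig) != ed25519.SignatureSize {
		return -1, errors.New("malformed signature")
	}
	for i, pk := range roots {
		if ed25519.Verify(pk, manifest, sig) {
			return i, nil
		}
	}
	return -1, errors.New("signed by a key outside the trust roots; pass --trust-key to accept it")
}

func main() {
	builtin, _, _ := ed25519.GenerateKey(rand.Reader)          // stands in for a baked-in key
	extraPub, extraPriv, _ := ed25519.GenerateKey(rand.Reader) // a customer-supplied root
	manifest := []byte(`{"kind":"cves","target":"cves/npm.json"}`) // constructed manifest
	sig := ed25519.Sign(extraPriv, manifest)

	roots := []ed25519.PublicKey{builtin}
	_, err := verifyBundle(manifest, sig, roots) // rejected: signer is not baked in
	fmt.Println("built-in roots only:", err)

	extra, _ := parseTrustKey([]byte(hex.EncodeToString(extraPub) + "\n"))
	idx, err := verifyBundle(manifest, sig, append(roots, extra)) // accepted via --trust-key
	fmt.Println("with --trust-key: root index", idx, "err", err)
}
```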
Air-gap operation
`VULKRO_OFFLINE=1` makes `vulkro update` (no flags) refuse the network
and exit with a hint to use `--bundle`.