Skip to main content

vulkro upgrade

Upgrade the vulkro binary by checking the Vulkro release feed and running the install script. Companion to the opportunistic version check that every vulkro invocation runs in the background.

The background check (no flags required)

Every vulkro command - scan, discover, serve, anything - spawns a quick thread on startup that asks the Vulkro release feed for the latest release tag. If a newer version exists, a one-line notification appears at the end of the command:

  vulkro update available: 0.3.0 -> 0.3.1
    Install: curl -sSfL https://dist.vulkro.com/install.sh | bash
    (or `vulkro upgrade`; suppress with VULKRO_NO_UPDATE_CHECK=1)

Design constraints (Vulkro is offline-first):

  • Silent on failure. Network unreachable, release feed rate-limited, cache file unwritable - none of these slow you down or surface an error. The notification just doesn't appear this invocation.
  • Cached 24 h. The result lives in ~/.vulkro/update-check.json. The release feed is hit at most once per machine per day.
  • 2-second HTTP timeout. Offline machines never wait.
  • Opt-out: VULKRO_NO_UPDATE_CHECK=1 (any non-empty value). Required for air-gapped scans, strict-egress CI, and security policies that forbid outbound calls from this binary.

Usage

vulkro upgrade            # check + prompt + run installer
vulkro upgrade --check    # only check; never install
vulkro upgrade --yes      # unattended (skip confirmation prompt)

Flags

FlagDescription
--checkPrint "Update available" or "Up to date" and exit; do not install.
--yesSkip the interactive [y/N] prompt. Used by CI / automation.

What vulkro upgrade does

  1. Calls the same version-check used by the background notifier (honours the 24 h cache).
  2. If you're on the latest version: prints vulkro is up to date and exits 0.
  3. If a newer version exists:
    • Prints Update available: <current> -> <latest>.
    • With --check: exits 0.
    • Without --yes: prompts "Run curl -sSfL INSTALL_URL | bash now? [y/N]".
    • With --yes (or after y at the prompt): runs the install script via bash -c "curl -sSfL INSTALL_URL | bash". The installer verifies the SHA-256 of the fetched binary against the published .sha256, so the pipe is safer than it looks.

Air-gapped path

If you can't reach the public internet, the update story is the same as the rest of Vulkro: request an offline bundle from the Vulkro team, drop it on the air-gapped host, and run vulkro update --bundle ... for the CVE data. Set VULKRO_NO_UPDATE_CHECK=1 in those environments so the background check doesn't try the release feed and silently fail every time.

See Air-gap - Offline mode for the end-to-end air-gapped workflow.

Environment

VarPurpose
VULKRO_NO_UPDATE_CHECKAny non-empty value disables the background check + suppresses notification.
VULKRO_INSTALL_URLOverride the canonical install URL. Defaults to https://dist.vulkro.com/install.sh.
Last updated on