Install
Vulkro is distributed as a single self-contained binary. There are no runtime dependencies, no Electron, no native deps to compile.
Vulkro is currently in beta. Expect rapid iteration and occasional rough edges. Please report issues to the Vulkro team.
One-line install (macOS, Linux, Windows)
curl -fsSL https://dist.vulkro.com/install.sh | bash
The installer:
- Detects your OS and architecture.
- Fetches the matching binary from the Vulkro release feed.
- Verifies the SHA-256 checksum against the published `.sha256` file.
- Installs to `/usr/local/bin/vulkro`, falling back to `~/.local/bin` if `/usr/local/bin` isn't writable.
- Runs `vulkro update` once to fetch the latest signed CVE bundle from the Vulkro CDN, so dependency scanning works on the first scan.
Two network calls total: the release feed for the binary, and the CVE CDN for the bundle. Both are documented and reproducible.
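The checksum step in the list above, written as a stand-alone, fail-closed check for any downloaded artifact and its `.sha256` file. This is an added example, not Vulkro's installer code; the function names and the checksum-file layout (a bare digest or the `sha256sum` "digest  filename" format) are assumptions, since the page does not document the layout.

```bash
#!/usr/bin/env bash
# Added example: fail-closed SHA-256 check of a downloaded artifact.
# Assumption: the .sha256 file holds either a bare hex digest or the
# "<digest>  <filename>" layout written by sha256sum; Vulkro's actual
# layout is not documented on this page.

# Print the lowercase SHA-256 hex digest of the file named in $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum <"$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then   # macOS
        shasum -a 256 <"$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_sha256 <artifact> <checksum-file>
# Returns 0 only on a match, 1 on a mismatch, 2 on unusable input.
verify_sha256() {
    local artifact="$1" sumfile="$2" expected actual
    [ -f "$artifact" ] && [ -f "$sumfile" ] || { echo "missing input" >&2; return 2; }

    # First whitespace-separated field of the first line, lowercased.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # Reject anything that is not exactly 64 hex characters, e.g. an
    # HTML error page saved in place of the checksum file.
    case $expected in
        *[!0-9a-f]*|"") echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha256_of "$artifact") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK  $artifact"
    else
        echo "MISMATCH  $artifact" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}
```

A checksum fetched from the same origin as the binary detects corruption and truncated downloads, not a compromised distribution host; the signed CVE bundle is a separate check.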
Configurable installer
| Variable / flag | Effect |
|---|---|
| `VULKRO_VERSION=v0.3.0` | Pin a specific release tag. |
| `VULKRO_BIN_DIR=/opt/bin` | Override the install destination. |
| `--no-cve-update` | Skip the first-run bundle fetch. |
| `VULKRO_OFFLINE=1` | Refuse all outbound network calls (you can apply a bundle later via `vulkro update --bundle <path>`). |
Windows
The Windows binary works under PowerShell and inside WSL. Run the PowerShell installer:
iwr -useb https://dist.vulkro.com/install.ps1 | iex
Air-gapped install
If the machine running vulkro cannot reach the public internet, request
an offline bundle (binary tarball + signed CVE bundle) from the Vulkro
team. Then on the target:
# extract the binary archive, then apply the signed CVE bundle
vulkro update --bundle ./vulkro-cve-<date>.vkbundle
With VULKRO_OFFLINE=1 set, vulkro makes no outbound calls during normal scan operation.
Staying up to date
Every vulkro invocation spawns a quick background thread that asks the Vulkro release feed for the latest tag and, if a newer version exists, prints a one-line notification at the end of the command:
! vulkro update available: 0.3.0 -> 0.3.1
Install: curl -sSfL https://dist.vulkro.com/install.sh | bash
(or `vulkro upgrade`; suppress with VULKRO_NO_UPDATE_CHECK=1)
Three things to know:
- The check is cached for 24 hours in `~/.vulkro/update-check.json`, so the release feed is only hit once per machine per day.
- It uses a 2-second HTTP timeout and fails silently, so offline machines and slow networks never see a delay.
- Opt out with `VULKRO_NO_UPDATE_CHECK=1` (any non-empty value). Set this in air-gapped environments and strict-egress CI.
For the explicit upgrade path:
vulkro upgrade # check + prompt + install
vulkro upgrade --check # only check; don't install
vulkro upgrade --yes # unattended (skip the prompt)
dist/upgrade.sh is the vendored script form, for restricted
environments where curl ... | bash is policy-blocked. See
CLI -> upgrade for the full details.