Output formats
vulkro scan, vulkro discover, and most other commands take a
--format flag (alias -f) that selects the emitted payload. Every
format is built from the same in-memory ScanReport so they're all
consistent - the only thing that changes is the rendering.
Quick reference
| Format | What it's for | File extension |
|---|---|---|
| table | Default. Colourised summary on the terminal. | - |
| json | Machine-readable. Pipe to jq, save to disk. | .json |
| sarif | GitHub Code Scanning, VS Code, Azure DevOps. SARIF 2.1.0. | .sarif |
| gh-pr | Markdown, designed for gh pr comment. | .md |
| junit | GitLab MR test report, Jenkins, etc. | .xml |
| csv | Spreadsheet hand-off. | .csv |
| cyclonedx | CycloneDX 1.5 SBOM. Includes packages + findings. | .json |
| spdx | SPDX 2.3 SBOM. Licence-focused. | .json |
| pdf | Executive HTML rendered to PDF. Requires wkhtmltopdf on PATH. | .pdf |
| ropa-md | GDPR Art. 30 Records of Processing - Markdown. | .md |
| ropa-html | GDPR Art. 30 Records of Processing - HTML. | .html |
Examples
vulkro scan . --format json | jq '.findings[] | select(.severity == "Critical")'
vulkro scan . --format sarif > vulkro.sarif
vulkro scan . --format gh-pr > comment.md
gh pr comment "$PR" --body-file comment.md
vulkro scan . --format cyclonedx > sbom.json
vulkro scan . --format ropa-md > ropa.md
SARIF specifics
- Spec version 2.1.0.
- Each finding maps to one `result` with `ruleId`, `level`, `message`, `locations`, and `properties` (carrying `confidence`, `confidence_reason`, `compliance_controls`).
- `tool.driver.rules` enumerates every detector that contributed to this scan, with descriptions.
- Compatible with GitHub Code Scanning's SARIF uploader.
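A pre-upload sanity check over a SARIF file in the shape described above, added here as an example and not part of Vulkro: it confirms the spec version, tallies results per `level` and per `ruleId`, and flags results whose `ruleId` is not declared in `tool.driver.rules`, that carry no location, or that lack one of the Vulkro `properties` keys. The embedded SARIF document is constructed for the example (rule ids, paths and messages are invented), and the uploader-facing checks are the ones this author would run, not a documented Vulkro feature.

```python
"""Sanity-check a Vulkro-style SARIF 2.1.0 file before handing it to Code Scanning.

Added example, not Vulkro's own code. Assumes the result layout the page
describes: results[].ruleId / level / message / locations / properties
(confidence, confidence_reason, compliance_controls) and tool.driver.rules.
"""
import json
from collections import Counter

# Constructed sample in that shape; rule ids and paths are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "vulkro",
            "rules": [
                {"id": "VK-SQLI", "shortDescription": {"text": "SQL injection"}},
                {"id": "VK-SECRET", "shortDescription": {"text": "Hard-coded secret"}},
            ],
        }},
        "results": [
            {"ruleId": "VK-SQLI", "level": "error",
             "message": {"text": "Unparameterised query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}],
             "properties": {"confidence": "high",
                            "confidence_reason": "tainted input reaches cursor.execute",
                            "compliance_controls": ["ASVS-5.3.4"]}},
            {"ruleId": "VK-SECRET", "level": "warning",
             "message": {"text": "AWS key in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/settings.py"},
                 "region": {"startLine": 7}}}],
             "properties": {"confidence": "medium",
                            "confidence_reason": "entropy match only",
                            "compliance_controls": []}},
            # Deliberately malformed: undeclared rule, no location, no properties.
            {"ruleId": "VK-UNKNOWN", "level": "note",
             "message": {"text": "Rule not declared in driver"},
             "locations": [],
             "properties": {}},
        ],
    }],
})

REQUIRED_PROPS = ("confidence", "confidence_reason", "compliance_controls")


def check_sarif(text):
    """Return (problems, per_level, per_rule) for a SARIF document given as text."""
    doc = json.loads(text)
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append(f"unexpected SARIF version {doc.get('version')!r}")
    per_level = Counter()
    per_rule = Counter()
    for run in doc.get("runs", []):
        # Every ruleId a result references must be declared by the driver.
        declared = {r["id"] for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = res.get("ruleId", "<missing>")
            per_rule[rule] += 1
            per_level[res.get("level", "none")] += 1
            if rule not in declared:
                problems.append(f"result references undeclared rule {rule}")
            if not res.get("locations"):
                problems.append(f"{rule}: result has no location")
            props = res.get("properties", {})
            for key in REQUIRED_PROPS:
                if key not in props:
                    problems.append(f"{rule}: missing properties.{key}")
    return problems, per_level, per_rule


if __name__ == "__main__":
    problems, per_level, per_rule = check_sarif(SAMPLE_SARIF)
    print("results per level:", dict(per_level))
    print("results per rule: ", dict(per_rule))
    for p in problems:
        print("PROBLEM:", p)
```

Run it against a real file by replacing `SAMPLE_SARIF` with the contents of the `vulkro.sarif` produced above; a non-empty problem list is worth fixing before upload, since an undeclared `ruleId` is the kind of defect that makes the Code Scanning uploader reject or misrender the run.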
CycloneDX specifics
- Spec 1.5 JSON.
- `components` lists every detected package with `purl`, version, licence, and CVE-derived `vulnerabilities`.
- `vulnerabilities[].ratings[]` includes both NVD CVSS and Vulkro-attached EPSS / KEV decoration.
- `compositions` indicate whether the analysis was complete or partial (e.g. lockfile present vs absent).
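Turning the CycloneDX output into a prioritised fix list, as an added example that is not Vulkro's own code: it joins `vulnerabilities[].affects[].ref` back to `components[].bom-ref`, pulls the worst CVSS score, the EPSS probability and a KEV flag out of `ratings[]`, orders by KEV, then EPSS, then CVSS, and reports whether `compositions` declare the analysis complete. The component and vulnerability layout follows the CycloneDX 1.5 schema; how Vulkro labels its EPSS and KEV ratings is an assumption here (rating `source.name` of "EPSS" and "CISA KEV"), and the CVE ids in the embedded SBOM are placeholders, not real identifiers.

```python
"""Build a prioritised fix list from a Vulkro-style CycloneDX 1.5 SBOM.

Added example, not Vulkro's own code. The components / vulnerabilities /
compositions layout is standard CycloneDX 1.5. ASSUMPTION: EPSS and KEV
decoration appear as extra ratings[] entries with source.name "EPSS" and
"CISA KEV"; check real output before relying on those names.
"""
import json

# Constructed sample SBOM. CVE ids are placeholders, not real identifiers.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/examplelib@1.0.0",
         "name": "examplelib", "version": "1.0.0",
         "purl": "pkg:pypi/examplelib@1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/otherlib@2.3.4",
         "name": "otherlib", "version": "2.3.4",
         "purl": "pkg:npm/otherlib@2.3.4",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-PLACEHOLDER-A", "source": {"name": "NVD"},
         "ratings": [
             {"source": {"name": "NVD"}, "score": 9.8, "severity": "critical", "method": "CVSSv31"},
             {"source": {"name": "EPSS"}, "score": 0.01, "method": "other"},
         ],
         "affects": [{"ref": "pkg:pypi/examplelib@1.0.0"}]},
        {"id": "CVE-0000-PLACEHOLDER-B", "source": {"name": "NVD"},
         "ratings": [
             {"source": {"name": "NVD"}, "score": 7.5, "severity": "high", "method": "CVSSv31"},
             {"source": {"name": "EPSS"}, "score": 0.6, "method": "other"},
             {"source": {"name": "CISA KEV"}, "severity": "critical", "method": "other"},
         ],
         "affects": [{"ref": "pkg:npm/otherlib@2.3.4"}]},
        {"id": "CVE-0000-PLACEHOLDER-C", "source": {"name": "NVD"},
         "ratings": [
             {"source": {"name": "NVD"}, "score": 5.3, "severity": "medium", "method": "CVSSv31"},
         ],
         "affects": [{"ref": "pkg:pypi/examplelib@1.0.0"}]},
    ],
    # "incomplete" models the "no lockfile present" case the page mentions.
    "compositions": [{"aggregate": "incomplete"}],
})


def parse_bom(text):
    """Return (rows, complete): rows sorted KEV > EPSS > CVSS, complete from compositions."""
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        cvss, epss, kev = None, None, False
        for r in vuln.get("ratings", []):
            src = r.get("source", {}).get("name", "")
            if r.get("method", "").startswith("CVSS"):
                cvss = max(cvss or 0.0, float(r.get("score", 0.0)))
            elif src == "EPSS":  # assumed label, see module docstring
                epss = float(r.get("score", 0.0))
            elif src == "CISA KEV":  # assumed label, see module docstring
                kev = True
        for aff in vuln.get("affects", []):
            comp = comps.get(aff["ref"], {})
            rows.append({"cve": vuln["id"],
                         "package": comp.get("purl", aff["ref"]),
                         "cvss": cvss, "epss": epss, "kev": kev})
    # Known-exploited first, then exploitation likelihood, then impact.
    rows.sort(key=lambda r: (not r["kev"], -(r["epss"] or 0.0), -(r["cvss"] or 0.0)))
    complete = all(c.get("aggregate") == "complete" for c in bom.get("compositions", []))
    return rows, complete


if __name__ == "__main__":
    rows, complete = parse_bom(SAMPLE_BOM)
    print("analysis complete:", complete)
    for r in rows:
        print(f"{'KEV ' if r['kev'] else '    '}{r['cve']:24} {r['package']:32} "
              f"cvss={r['cvss']} epss={r['epss']}")
```

Note that `complete` coming back `False` is itself a finding: a partial composition means the dependency set was resolved without a lockfile, so the list may be missing transitive packages, and the fix list should be read as a lower bound.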
RoPA (GDPR Art. 30)
The Record of Processing Activities format is intended as a starting point for a GDPR audit pack. It enumerates:
- Each endpoint that handles personal data (PII detected by the privacy engine - see Privacy).
- The detected categories of personal data per endpoint.
- The stated purpose, retention, and lawful basis (you fill these in).
- The controls Vulkro detected as in place / missing.
ropa-md is best for Git review; ropa-html is best for emailing to a
DPO who doesn't read Markdown.
PDF
PDF rendering shells out to wkhtmltopdf. If the binary isn't on PATH,
the format errors out cleanly with a hint. The PDF source is the same
executive HTML report vulkro report produces.