--- name: vulncheck-cli description: Use the VulnCheck CLI to query vulnerability and exploit intelligence. Invoke when the user asks about listing or querying VulnCheck indices, security advisories, vendor advisories, CVE lookups, downloading index backups, known exploited vulnerabilities, KEV, CISA KEV, NVD, package security, PURL lookups (npm, pypi, maven, cargo, golang, nuget), CPE lookups, scanning a project or directory for vulnerable dependencies, exploits, Initial Access Intelligence, detection rules (Snort, Suricata), IP intelligence, C2 infrastructure, botnet tracking, protective DNS, or offline vulnerability scanning. compatibility: Requires the vulncheck CLI binary to be installed and authenticated. On Windows, also requires WSL or Git Bash. --- # VulnCheck CLI > **Binary is `vulncheck`** — not `vulncheck-cli`, not `vci`. No `||` fallbacks, no `echo` error strings. Run commands directly. VulnCheck is a standalone CLI — it does not require a project directory. If not authenticated, run `vulncheck auth login` before proceeding. ## Auth ```bash vulncheck auth status # check current auth state vulncheck auth login # log in (requires TTY) vulncheck auth logout # log out ``` ## Indices VulnCheck has 490+ named indices — vendor advisories, CVE feeds, exploit data, KEV lists, and more. **List all available indices** (use only when discovering index names — if you already know the index name, query it directly): ```bash vulncheck indices list --json # plain JSON array of {name, description, href} vulncheck indices list --json | jq '.[].name' # all names vulncheck indices list --json | jq '.[] | select(.name | contains("nvd"))' # filter vulncheck indices browse # interactive (requires TTY) ``` **Query an index** (returns a plain JSON array, no `--json` flag needed): ```bash vulncheck index list vulncheck index list --cve CVE-2021-44228 vulncheck index list --limit 10 --sort date_added vulncheck index list --pubStartDate 2024-01-01 --pubEndDate 2024-06-30 vulncheck index list --cursor # next page vulncheck index list --page 2 # page-based pagination vulncheck index browse # interactive (requires TTY) ``` Pipe to `jq` for filtering, e.g. `| jq '.[0]'` for the first record. For 30+ additional flags (CIDR, ASN, threat actor, ransomware, MITRE ID, etc.) run `vulncheck index list --help`. **Common indices:** | Index | Contents | |-------|----------| | `vulncheck-nvd2` | NVD CVE data enriched by VulnCheck | | `vulncheck-kev` | VulnCheck Known Exploited Vulnerabilities | | `cisa-kev` | CISA KEV catalog | | `initial-access` | Initial Access Intelligence (exploits, PoCs) | | `ipintel-3d` / `ipintel-10d` / `ipintel-30d` / `ipintel-90d` | IP Intelligence (by timeframe) | **Download a backup:** `vulncheck backup download` requires a TTY and will fail in this environment. Use the signed URL instead: ```bash # Get the URL (default — always extract .url so the user can copy-paste it) vulncheck backup url --json | jq -r '.url' # Download directly vulncheck backup url --json | jq -r '.url' | xargs curl -OL ``` Always run the `jq -r '.url'` form — never dump the raw JSON. The user needs a plain URL they can use. ## Utility ```bash vulncheck version # show current version, build date, and changelog URL vulncheck upgrade # upgrade the CLI to the latest release ``` ## Reference Files | Task | Reference | | ------------------------------------------------------------ | -------------------------------------------------------------- | | PURL and CPE package lookups | [references/purl-cpe.md](references/purl-cpe.md) | | Scan a project directory for vulnerable dependencies | [references/scanning.md](references/scanning.md) | | Air-gapped / offline scanning and lookups | [references/offline.md](references/offline.md) | | IP intelligence, C2 infrastructure, protective DNS | [references/ip-intelligence.md](references/ip-intelligence.md) | | Detection rules, Snort/Suricata, Initial Access Intelligence | [references/initial-access.md](references/initial-access.md) | | API token management | [references/token.md](references/token.md) |