Offline mode
Vulkro is offline-first by design. The only outbound network calls in a default install are:
- Installer - fetches the binary tarball from GitHub Releases.
- First-run CVE bundle - vulkro update runs once during install to populate ~/.vulkro/data/cves/.
- vulkro update when invoked explicitly.
- vulkro probe --base-url <URL> when invoked explicitly.
- vulkro rules add / vulkro rules update when invoked explicitly.
- vulkro notify --url <URL> when invoked explicitly.
Everything else - discovery, scan, container scan, history, diff, trends, contributors, compliance, the desktop console - is fully local.
VULKRO_OFFLINE=1
Setting this environment variable refuses every outbound network call. Affected commands:
| Command | Behaviour with VULKRO_OFFLINE=1 |
|---|---|
| vulkro update (no flags) | Refused with a hint to use --bundle. |
| vulkro update --bundle <path> | Allowed. Fully offline. |
| vulkro update --verify <path> | Allowed. Fully offline. |
| vulkro rules add | Refused (503-style error). |
| vulkro rules update | Refused (503-style error). |
| vulkro probe | Refused - the probe contract is "I will make HTTP calls". |
| vulkro notify | Refused. |
| vulkro scan --validate-secrets | Refused for the validation lane; main scan still works. |
| vulkro scan (no validate-secrets) | Fully offline. |
| vulkro container <ref> | Allowed. Shells out to local docker only. |
Verifying the contract
You can confirm Vulkro holds to the offline contract:
# Run vulkro with all network egress blocked at the kernel level.
unshare -rn /bin/bash -c 'VULKRO_OFFLINE=1 vulkro scan .'
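The scan should complete without error. unshare -rn runs it in a new network namespace with no external interfaces, so no outbound connection can succeed.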
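The same check extended beyond the scan case to the table rows that need no extra input, as an added example (not part of Vulkro or its documentation). It assumes a refused command exits non-zero, which the page does not state; VULKRO_BIN, ISOLATE, run_offline and check_contract are names invented for the example.

```shell
#!/bin/sh
# Added example: check the VULKRO_OFFLINE=1 table against an installed binary.
# Assumption: a refused command exits non-zero (the page gives no exit codes).
# VULKRO_BIN, ISOLATE, run_offline and check_contract are names made up here.

VULKRO_BIN="${VULKRO_BIN:-vulkro}"
# Same empty network namespace as the unshare command on this page.
ISOLATE="${ISOLATE-unshare -rn}"

# Run one vulkro command offline and return its exit status.
run_offline() {
    # $ISOLATE is left unquoted on purpose so "unshare -rn" splits into words.
    VULKRO_OFFLINE=1 $ISOLATE "$VULKRO_BIN" "$@" </dev/null >/dev/null 2>&1
}

# Print one line per command; the return value is the number of mismatches.
check_contract() {
    violations=0
    # expected|arguments, from the table; example.invalid is a placeholder URL.
    while IFS='|' read -r expect args; do
        # $args is unquoted so "rules update" becomes two arguments.
        if run_offline $args; then status=allowed; else status=refused; fi
        if [ "$status" = "$expect" ]; then
            echo "ok    $expect: vulkro $args"
        else
            echo "FAIL  expected $expect, got $status: vulkro $args"
            violations=$((violations + 1))
        fi
    done <<'EOF'
refused|update
refused|rules update
refused|probe --base-url https://example.invalid
refused|notify --url https://example.invalid
allowed|scan .
EOF
    return "$violations"
}
```

Call check_contract from a directory Vulkro can scan and fail the job on a non-zero return. Inside the empty namespace a refused result only shows the command did not succeed without network access; it cannot tell a refusal by the flag from a failed connection attempt.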
CDN base URL override
For organisations that mirror the Vulkro CVE bundle internally:
export VULKRO_CDN_BASE_URL="https://artifacts.internal/vulkro-cve"
vulkro update
The mirror must serve the same /manifest.json + /manifest.json.sig +
bundle layout as the public CDN. Signed bundles are still verified
against the built-in trust list - mirroring doesn't change the signing
trust model.
Air-gapped install
Full walkthrough at Install -> Air-gapped install.