
Offline mode

Vulkro is offline-first by design. The outbound network calls are:

  1. Update-check ping - a 2-second background GET to the release feed, at most once per machine per day. This is the only automatic call; it is disabled by VULKRO_OFFLINE=1 or VULKRO_NO_UPDATE_CHECK=1.
  2. Installer - fetches the binary tarball from GitHub Releases.
  3. First-run CVE bundle - vulkro update runs once during install to populate ~/.vulkro/data/cves/.
  4. vulkro update when invoked explicitly.
  5. vulkro probe --base-url <URL> when invoked explicitly.
  6. vulkro rules add / vulkro rules update when invoked explicitly.
  7. vulkro notify --url <URL> / vulkro scan --post-to <...> when invoked explicitly.
  8. vulkro scan --validate-secrets when invoked explicitly.

Everything else - discovery, scan, container scan, history, diff, trends, contributors, compliance, the desktop console - is fully local. Every call in the list is disabled by VULKRO_OFFLINE=1 (below). For the full per-call inventory (destination, payload, gate), see Network egress.

VULKRO_OFFLINE=1

Setting this environment variable refuses every outbound network call. Affected commands:

| Command | Behaviour with VULKRO_OFFLINE=1 |
|---|---|
| Update-check ping (automatic) | Disabled - no request is sent. |
| vulkro update (no flags) | Refused with a hint to use --bundle. |
| vulkro update --bundle <path> | Allowed. Fully offline. |
| vulkro update --verify <path> | Allowed. Fully offline. |
| vulkro rules add | Refused (503-style error). |
| vulkro rules update | Refused (503-style error). |
| vulkro probe | Refused (exit 2) - the probe contract is "I will make HTTP calls". |
| vulkro notify | Refused (exit 2). |
| vulkro scan --post-to <...> | Skipped with a warning; the scan still runs. |
| vulkro scan --validate-secrets | Refused (exit 2) for the validation lane; main scan still works. |
| vulkro scan (no validate-secrets) | Fully offline. |
| vulkro container <ref> | Allowed. Shells out to local docker only. |

Verifying the contract

You can confirm Vulkro holds to the offline contract:

# Run vulkro with all network egress blocked at the kernel level.
unshare -rn /bin/bash -c 'VULKRO_OFFLINE=1 vulkro scan .'

The scan should complete without error.
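
The per-command behaviour in the table above can also be checked as a repeatable test, for example in CI. This is an added example, not part of Vulkro or its documentation; the function names, the `example.invalid` placeholder URL, and treating the refusal of `vulkro update` and `vulkro rules update` as "any non-zero exit" are assumptions.

```shell
# Added example, not Vulkro's own code. Exit codes come from the table above;
# "nonzero" marks refusals whose exact exit code the page does not state.

# Run a command with VULKRO_OFFLINE=1, inside an empty network namespace when
# the host permits it, so a broken gate cannot reach the network.
run_offline() {
    if unshare -rn true 2>/dev/null; then
        unshare -rn env VULKRO_OFFLINE=1 "$@"
    else
        env VULKRO_OFFLINE=1 "$@"
    fi
}

# expect_exit <label> <code|nonzero> <command...>
expect_exit() {
    label=$1; want=$2; shift 2
    got=0
    run_offline "$@" >/dev/null 2>&1 || got=$?
    if [ "$want" = nonzero ] && [ "$got" -ne 0 ]; then return 0; fi
    if [ "$want" != nonzero ] && [ "$got" -eq "$want" ]; then return 0; fi
    echo "FAIL: $label: exit $got, expected $want" >&2
    return 1
}

# check_offline_contract [vulkro-binary] [directory-to-scan]
# Returns 0 only when every command behaves as the table documents.
check_offline_contract() {
    bin=${1:-vulkro}
    dir=${2:-.}
    url=https://example.invalid/   # placeholder; not contacted if the gate holds
    rc=0
    expect_exit "scan runs offline"    0       "$bin" scan "$dir"             || rc=1
    expect_exit "probe refused"        2       "$bin" probe --base-url "$url" || rc=1
    expect_exit "notify refused"       2       "$bin" notify --url "$url"     || rc=1
    expect_exit "update refused"       nonzero "$bin" update                  || rc=1
    expect_exit "rules update refused" nonzero "$bin" rules update            || rc=1
    return "$rc"
}
```

Call `check_offline_contract /path/to/vulkro /path/to/repo` and fail the pipeline on a non-zero return.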

CDN base URL override

For organisations that mirror the Vulkro CVE bundle internally:

export VULKRO_CDN_BASE_URL="https://artifacts.internal/vulkro-cve"
vulkro update

The mirror must serve the same /manifest.json + /manifest.json.sig + bundle layout as the public CDN. Signed bundles are still verified against the built-in trust list - mirroring doesn't change the signing trust model.

Air-gapped install

Full walkthrough at Install -> Air-gapped install.