vulkro rules

Discover, install, and manage community rule packs. Packs are ed25519-signed YAML files that participate in every subsequent scan.

Subcommands

vulkro rules list # show installed packs
vulkro rules add acme/api-security
vulkro rules update # refresh installed packs from registry
vulkro rules remove acme/api-security
vulkro rules catalog # built-in detector catalogue (table)
vulkro rules catalog --format json # ... as machine-readable JSON

vulkro rules catalog

Prints the built-in detector catalogue: the stable rule IDs, OWASP categories, CWE numbers, and the one-line descriptions that every output format renders. It is generated from src/security/inventory.rs, the single source of truth shared with the SARIF rules table, so the JSON is a stable contract for tooling:

{
  "schema_version": 1,
  "generated_by": "vulkro 0.11.0",
  "count": 22,
  "rules": [
    {
      "id": "OWASP-API1",
      "name": "BrokenObjectLevelAuthorization",
      "slug": "broken-object-level-auth",
      "long_name": "API1:2023 Broken Object Level Authorization",
      "owasp_category": "BrokenObjectLevelAuth",
      "cwe": 639,
      "description": "Endpoint exposes object IDs without verifying the caller owns the object."
    }
  ]
}

The per-rule explainer pages under /docs/rules are generated from src/rule_docs.rs (vulkro rules export <dir>), and a CI test fails the build if the committed pages drift from the catalog.
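As an added example (not vulkro's code and not part of this page), here is a small Go program that treats the catalog JSON as the contract it is meant to be: it validates the fields shown above (a known schema_version, count matching the array, unique ids and slugs, a CWE on every rule) and then re-implements the kind of drift check described, comparing catalog slugs against the slugs of committed explainer pages. The field names come from the JSON above; the Go structs, the second rule EXAMPLE-001 and the page-slug list are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Catalog mirrors the JSON printed by `vulkro rules catalog --format json`.
// The field names come from the documented output; the struct is this example's.
type Catalog struct {
	SchemaVersion int    `json:"schema_version"`
	GeneratedBy   string `json:"generated_by"`
	Count         int    `json:"count"`
	Rules         []Rule `json:"rules"`
}

type Rule struct {
	ID            string `json:"id"`
	Name          string `json:"name"`
	Slug          string `json:"slug"`
	LongName      string `json:"long_name"`
	OWASPCategory string `json:"owasp_category"`
	CWE           int    `json:"cwe"`
	Description   string `json:"description"`
}

// supportedSchema is the schema_version this consumer was written against.
const supportedSchema = 1

// ValidateCatalog checks the guarantees a consumer relies on and returns every
// violation found, so a CI job can report all of them at once.
func ValidateCatalog(raw []byte) (*Catalog, []string) {
	var c Catalog
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	if c.SchemaVersion != supportedSchema {
		problems = append(problems, fmt.Sprintf("unsupported schema_version %d", c.SchemaVersion))
	}
	if c.Count != len(c.Rules) {
		problems = append(problems, fmt.Sprintf("count is %d but rules has %d entries", c.Count, len(c.Rules)))
	}
	seenID, seenSlug := map[string]bool{}, map[string]bool{}
	for _, r := range c.Rules {
		if seenID[r.ID] {
			problems = append(problems, "duplicate id "+r.ID)
		}
		seenID[r.ID] = true
		if seenSlug[r.Slug] {
			problems = append(problems, "duplicate slug "+r.Slug)
		}
		seenSlug[r.Slug] = true
		if r.CWE <= 0 {
			problems = append(problems, r.ID+": missing cwe")
		}
	}
	return &c, problems
}

// DocDrift compares catalog slugs with the slugs of committed explainer pages.
// It is a re-implementation of the check the page describes, not vulkro's own
// CI test: it returns rules lacking a page and pages lacking a rule.
func DocDrift(c *Catalog, pageSlugs []string) (missingPages, stalePages []string) {
	inCatalog, onDisk := map[string]bool{}, map[string]bool{}
	for _, r := range c.Rules {
		inCatalog[r.Slug] = true
	}
	for _, s := range pageSlugs {
		onDisk[s] = true
	}
	for s := range inCatalog {
		if !onDisk[s] {
			missingPages = append(missingPages, s)
		}
	}
	for s := range onDisk {
		if !inCatalog[s] {
			stalePages = append(stalePages, s)
		}
	}
	sort.Strings(missingPages)
	sort.Strings(stalePages)
	return missingPages, stalePages
}

// sampleCatalog is a constructed input: the rule shown on the page plus a
// hypothetical second rule (EXAMPLE-001) so the drift check has something to find.
const sampleCatalog = `{
  "schema_version": 1,
  "generated_by": "vulkro 0.11.0",
  "count": 2,
  "rules": [
    {"id": "OWASP-API1", "name": "BrokenObjectLevelAuthorization",
     "slug": "broken-object-level-auth",
     "long_name": "API1:2023 Broken Object Level Authorization",
     "owasp_category": "BrokenObjectLevelAuth", "cwe": 639,
     "description": "Endpoint exposes object IDs without verifying the caller owns the object."},
    {"id": "EXAMPLE-001", "name": "ExampleRule", "slug": "example-rule",
     "long_name": "Example rule (constructed)", "owasp_category": "Example",
     "cwe": 284, "description": "Constructed rule for the example."}
  ]
}`

func main() {
	c, problems := ValidateCatalog([]byte(sampleCatalog))
	for _, p := range problems {
		fmt.Println("contract violation:", p)
	}
	if c == nil {
		return
	}
	// Constructed list of committed explainer pages: one rule has no page,
	// and one page no longer corresponds to a rule.
	missing, stale := DocDrift(c, []string{"broken-object-level-auth", "obsolete-rule"})
	fmt.Println("rules without a page:", missing)
	fmt.Println("pages without a rule:", stale)
}
```

Running it reports example-rule as lacking a page and obsolete-rule as a stale page, which is exactly the condition a CI drift test should fail on.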

Where they live

Installed packs land at:

~/.vulkro/rule-packs/<author>/<name>/<version>/
+-- rules/*.yaml

Their rules/*.yaml files are picked up automatically by vulkro scan and vulkro discover. To temporarily disable an installed pack without removing it, set VULKRO_RULE_PACKS_DISABLED=author/name.

Verification

Every pack must be signed by a key in Vulkro's built-in trust list or one of the runtime --trust-key paths. Unsigned packs are refused.
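To make the refusal rules concrete, here is an added Go example (not vulkro's code) that applies the same policy with the standard library's crypto/ed25519: the trust list holds the built-in keys plus any --trust-key keys, and a pack is accepted only if its signature was made by one of them over the exact YAML bytes. The page does not describe vulkro's on-disk signature format, so the detached-signature container (SignedPack with a hex key id), the SignPack helper and the sample YAML are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustList is the set of public keys a pack may be signed with: the built-in
// list plus any keys loaded from --trust-key paths. Keys are indexed by hex id.
type TrustList map[string]ed25519.PublicKey

func (t TrustList) Add(pk ed25519.PublicKey) { t[hex.EncodeToString(pk)] = pk }

// SignedPack is an assumed container: raw YAML, the hex id of the signing key
// and a detached ed25519 signature over the YAML bytes. vulkro's real layout
// is not documented on the page.
type SignedPack struct {
	YAML      []byte
	KeyID     string
	Signature []byte
}

var (
	ErrUnsigned     = errors.New("pack is unsigned: refused")
	ErrUntrusted    = errors.New("signing key is not in the trust list: refused")
	ErrBadSignature = errors.New("signature does not match pack contents: refused")
)

// VerifyPack enforces the stated policy: no signature is refused, a key outside
// the trust list is refused, and a signature that does not cover the exact
// bytes (i.e. the YAML was edited after signing) is refused.
func VerifyPack(p SignedPack, trust TrustList) error {
	if len(p.Signature) == 0 || p.KeyID == "" {
		return ErrUnsigned
	}
	pk, ok := trust[p.KeyID]
	if !ok {
		return ErrUntrusted
	}
	if !ed25519.Verify(pk, p.YAML, p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignPack stands in for the author's publishing step; it exists only so the
// example is self-contained.
func SignPack(yaml []byte, priv ed25519.PrivateKey) SignedPack {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPack{YAML: yaml, KeyID: hex.EncodeToString(pub), Signature: ed25519.Sign(priv, yaml)}
}

// Scenarios exercises the four cases a reviewer wants covered and returns each
// outcome by name so the behaviour can be asserted, not just printed.
func Scenarios() map[string]error {
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // a key nobody trusts
	trust := TrustList{}
	trust.Add(trustedPub)

	// Constructed pack content; the rule id is a placeholder.
	yaml := []byte("rules:\n  - id: EXAMPLE-001\n    severity: high\n")
	good := SignPack(yaml, trustedPriv)

	// Same signature, but the YAML was edited after signing (severity downgraded).
	tampered := good
	tampered.YAML = bytes.Replace(good.YAML, []byte("high"), []byte("info"), 1)

	return map[string]error{
		"trusted":   VerifyPack(good, trust),
		"unsigned":  VerifyPack(SignedPack{YAML: yaml}, trust),
		"untrusted": VerifyPack(SignPack(yaml, roguePriv), trust),
		"tampered":  VerifyPack(tampered, trust),
	}
}

func main() {
	for _, name := range []string{"trusted", "unsigned", "untrusted", "tampered"} {
		if err := Scenarios()[name]; err != nil {
			fmt.Printf("%-9s %v\n", name, err)
		} else {
			fmt.Printf("%-9s accepted\n", name)
		}
	}
}
```

Only the "trusted" case is accepted; the other three are refused with a distinct reason, which is the granularity you want in logs when a scan silently stops picking up a pack.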

Air-gap

VULKRO_OFFLINE=1 makes rules add and rules update refuse the network and return a 503-style error. Locally installed packs continue to work.

Authoring a pack

Pack layout, manifest.toml, signing, and publishing are covered in the team handbook.