vulkro rules
Discover, install, and manage community rule packs. Packs are Ed25519-signed YAML files that participate in every subsequent scan.
Subcommands
vulkro rules list # show installed packs
vulkro rules add acme/api-security
vulkro rules update # refresh installed packs from registry
vulkro rules remove acme/api-security
vulkro rules catalog # built-in detector catalogue (table)
vulkro rules catalog --format json # ... as machine-readable JSON
vulkro rules catalog
Prints the built-in detector catalogue: the stable rule IDs, OWASP categories,
CWE numbers and one-line descriptions that every output format renders. It is
generated from src/security/inventory.rs, the single source of truth shared
with the SARIF rules table, so the JSON is a stable contract for tooling;
consumers should gate on schema_version before relying on the other fields:
{
  "schema_version": 1,
  "generated_by": "vulkro 0.11.0",
  "count": 22,
  "rules": [
    {
      "id": "OWASP-API1",
      "name": "BrokenObjectLevelAuthorization",
      "slug": "broken-object-level-auth",
      "long_name": "API1:2023 Broken Object Level Authorization",
      "owasp_category": "BrokenObjectLevelAuth",
      "cwe": 639,
      "description": "Endpoint exposes object IDs without verifying the caller owns the object."
    }
  ]
}
The per-rule explainer pages under /docs/rules
are generated from src/rule_docs.rs (vulkro rules export <dir>), and a CI
test fails the build if the committed pages drift from the catalog.
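The contract above seen from the consuming side, as an added example in Go that is not vulkro's own code: it parses the catalog output, enforces schema_version, count and id uniqueness, and reports drift between a committed snapshot and a fresh catalog, the same kind of check the CI test performs for the explainer pages. The two-rule sample is constructed from the fields shown above; its second entry (id, CWE, wording) is invented for the example and the real catalog has 22 rules.

```go
package main

// Added example, not part of vulkro: a consumer of
// `vulkro rules catalog --format json` that enforces the documented contract
// (schema_version, count, unique ids, CWE present) and reports drift between
// a committed snapshot and a fresh catalog. The sample JSON is constructed from
// the fields shown in the documentation; its second rule is invented.

import (
	"encoding/json"
	"fmt"
	"sort"
)

type Rule struct {
	ID            string `json:"id"`
	Name          string `json:"name"`
	Slug          string `json:"slug"`
	LongName      string `json:"long_name"`
	OwaspCategory string `json:"owasp_category"`
	CWE           int    `json:"cwe"`
	Description   string `json:"description"`
}

type Catalog struct {
	SchemaVersion int    `json:"schema_version"`
	GeneratedBy   string `json:"generated_by"`
	Count         int    `json:"count"`
	Rules         []Rule `json:"rules"`
}

// ParseCatalog decodes the JSON and enforces the contract. Unknown fields are
// tolerated (additive changes are compatible); schema_version is the gate.
func ParseCatalog(data []byte) (*Catalog, error) {
	var c Catalog
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, err
	}
	if c.SchemaVersion != 1 {
		return nil, fmt.Errorf("unsupported schema_version %d", c.SchemaVersion)
	}
	if c.Count != len(c.Rules) {
		return nil, fmt.Errorf("count is %d but %d rules are present", c.Count, len(c.Rules))
	}
	seen := map[string]bool{}
	for _, r := range c.Rules {
		if r.ID == "" || r.Slug == "" || r.Description == "" || r.CWE <= 0 {
			return nil, fmt.Errorf("rule %q lacks id, slug, cwe or description", r.ID)
		}
		if seen[r.ID] {
			return nil, fmt.Errorf("duplicate rule id %q", r.ID)
		}
		seen[r.ID] = true
	}
	return &c, nil
}

func index(c *Catalog) map[string]Rule {
	m := map[string]Rule{}
	for _, r := range c.Rules {
		m[r.ID] = r
	}
	return m
}

// Drift compares a committed snapshot (old) with a fresh catalog (cur). A
// removed or renamed id breaks SARIF consumers and /docs/rules links, so a CI
// gate should fail on a non-empty removed list; changed flags slug or CWE edits.
func Drift(old, cur *Catalog) (removed, added, changed []string) {
	o, n := index(old), index(cur)
	for id, r := range o {
		switch nr, ok := n[id]; {
		case !ok:
			removed = append(removed, id)
		case nr.Slug != r.Slug || nr.CWE != r.CWE:
			changed = append(changed, id)
		}
	}
	for id := range n {
		if _, ok := o[id]; !ok {
			added = append(added, id)
		}
	}
	for _, s := range [][]string{removed, added, changed} {
		sort.Strings(s)
	}
	return removed, added, changed
}

// Constructed sample in the documented shape (two rules rather than 22).
const sampleCatalog = `{
  "schema_version": 1, "generated_by": "vulkro 0.11.0", "count": 2,
  "rules": [
    {"id": "OWASP-API1", "name": "BrokenObjectLevelAuthorization", "slug": "broken-object-level-auth", "long_name": "API1:2023 Broken Object Level Authorization",
     "owasp_category": "BrokenObjectLevelAuth", "cwe": 639, "description": "Endpoint exposes object IDs without verifying the caller owns the object."},
    {"id": "OWASP-API2", "name": "BrokenAuthentication", "slug": "broken-authentication", "long_name": "API2:2023 Broken Authentication",
     "owasp_category": "BrokenAuthentication", "cwe": 287, "description": "Authentication can be bypassed or brute-forced."}
  ]
}`
```

In practice the input is `vulkro rules catalog --format json` captured to a file and read with os.ReadFile; commit the previous run's output beside your SARIF mapping and run Drift against it in CI so a removed or renumbered rule fails the build before downstream dashboards notice.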
Where they live
Installed packs land at:
~/.vulkro/rule-packs/<author>/<name>/<version>/
+-- rules/*.yaml
Their rules/*.yaml files are picked up automatically by vulkro scan and
vulkro discover. To temporarily disable an installed pack without
removing it, set VULKRO_RULE_PACKS_DISABLED=author/name.
Verification
Every pack must be signed by a key in Vulkro's built-in trust list or in one
of the key files passed with --trust-key at runtime. A pack that is unsigned,
or whose signature does not verify against a trusted key, is refused. Because
--trust-key extends the trust list for that invocation, only point it at keys
whose owners you would let ship rules into your scans.
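How the layout under "Where they live" and the trust rule above fit together at load time, as an added example in Go that is not vulkro's own loader: it walks ~/.vulkro/rule-packs/<author>/<name>/<version>/, skips the pack named in VULKRO_RULE_PACKS_DISABLED, and accepts rules only from packs whose signature verifies under a key in the trust list, refusing unsigned packs, packs signed by an untrusted key, and packs edited after signing. The signature file name pack.sig and its contents (signer's raw public key followed by the signature over the sorted rules files) are assumptions made for this example; vulkro's real signing scheme is in the team handbook.

```go
package main

// Added example, not vulkro's own loader. It walks the documented layout
// ~/.vulkro/rule-packs/<author>/<name>/<version>/rules/*.yaml, honours
// VULKRO_RULE_PACKS_DISABLED and refuses packs that are unsigned, signed by a
// key outside the trust list, or modified after signing. Assumed for this
// example only: <version>/pack.sig holds the signer's raw 32-byte Ed25519
// public key followed by a 64-byte signature over the sorted rules files.

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var (
	ErrUnsigned  = errors.New("pack is unsigned")
	ErrUntrusted = errors.New("signing key is not in the trust list")
	ErrBadSig    = errors.New("signature does not verify over the rules files")
)

// TrustList is the accepted signer set: built-in keys plus --trust-key files,
// keyed by the raw public key bytes.
type TrustList map[string]bool

// packMessage is what gets signed: every rules/*.yaml in lexical order (Glob
// sorts), each with a path and length prefix so files cannot be renamed,
// reordered or spliced without changing the message.
func packMessage(dir string) ([]byte, error) {
	files, err := filepath.Glob(filepath.Join(dir, "rules", "*.yaml"))
	if err != nil {
		return nil, err
	}
	var msg []byte
	for _, f := range files {
		body, err := os.ReadFile(f)
		if err != nil {
			return nil, err
		}
		msg = append(msg, fmt.Sprintf("rules/%s\n%d\n", filepath.Base(f), len(body))...)
		msg = append(msg, body...)
	}
	return msg, nil
}

// SignPack is the author side of the assumed format; the key stays offline.
func SignPack(dir string, priv ed25519.PrivateKey) error {
	msg, err := packMessage(dir)
	if err != nil {
		return err
	}
	sig := append(append([]byte{}, priv.Public().(ed25519.PublicKey)...), ed25519.Sign(priv, msg)...)
	return os.WriteFile(filepath.Join(dir, "pack.sig"), sig, 0o644)
}

// VerifyPack checks trust before cryptography: a valid signature from a key
// outside the trust list is still refused.
func VerifyPack(dir string, trust TrustList) error {
	raw, err := os.ReadFile(filepath.Join(dir, "pack.sig"))
	if errors.Is(err, os.ErrNotExist) {
		return ErrUnsigned
	} else if err != nil {
		return err
	}
	if len(raw) != ed25519.PublicKeySize+ed25519.SignatureSize {
		return ErrBadSig // ed25519.Verify panics on a wrong-length key
	}
	pub := ed25519.PublicKey(raw[:ed25519.PublicKeySize])
	if !trust[string(pub)] {
		return ErrUntrusted
	}
	msg, err := packMessage(dir)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, raw[ed25519.PublicKeySize:]) {
		return ErrBadSig
	}
	return nil
}

// LoadPacks returns the rules files of every trusted pack under root, plus why
// each other pack was refused, keyed "author/name@version". disabled is the
// VULKRO_RULE_PACKS_DISABLED value ("author/name"), which skips every version.
func LoadPacks(root string, trust TrustList, disabled string) (map[string][]string, map[string]error) {
	loaded, refused := map[string][]string{}, map[string]error{}
	ruleDirs, _ := filepath.Glob(filepath.Join(root, "*", "*", "*", "rules"))
	for _, rd := range ruleDirs {
		dir := filepath.Dir(rd)
		id := filepath.Base(filepath.Dir(filepath.Dir(dir))) + "/" + filepath.Base(filepath.Dir(dir))
		if id == disabled {
			continue
		}
		key := id + "@" + filepath.Base(dir)
		if err := VerifyPack(dir, trust); err != nil {
			refused[key] = err
			continue
		}
		loaded[key], _ = filepath.Glob(filepath.Join(rd, "*.yaml"))
	}
	return loaded, refused
}
```

The order inside VerifyPack is the point: membership in the trust list is checked before the signature is even examined, so a pack signed by any key you have not explicitly trusted is refused regardless of how valid its signature is, and a tampered rules file fails because the path-and-length-prefixed message no longer matches what was signed.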
Air-gap
VULKRO_OFFLINE=1 makes rules add and rules update refuse the network
and return a 503-style error. Locally installed packs continue to work.
Authoring a pack
Pack layout, manifest.toml, signing, and publishing are covered in the
team handbook.