vulkro rules

Discover, install, and manage community rule packs. Packs are ed25519-signed YAML files that participate in every subsequent scan.

Subcommands

vulkro rules list # show installed packs
vulkro rules add acme/api-security
vulkro rules update # refresh installed packs from registry
vulkro rules remove acme/api-security

Where they live

Installed packs land at:

~/.vulkro/rule-packs/<author>/<name>/<version>/
+-- rules/*.yaml

Their rules/*.yaml files are picked up automatically by vulkro scan and vulkro discover. To temporarily disable an installed pack without removing it, set VULKRO_RULE_PACKS_DISABLED=author/name.
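
To audit which rule packs will take part in the next scan, the directory layout above can be walked directly. The following is an added example, not part of Vulkro: the function name list_rule_packs and its output format are hypothetical, and it assumes VULKRO_RULE_PACKS_DISABLED holds a single author/name value as shown above.

```shell
#!/bin/sh
# Added example (not shipped with vulkro): inventory of installed rule packs.
# Usage: list_rule_packs [ROOT]    ROOT defaults to ~/.vulkro/rule-packs
# Prints one tab-separated line per installed version:
#   author/name  version  rule-file-count  active|disabled|empty
list_rule_packs() {
    root="${1:-$HOME/.vulkro/rule-packs}"
    # Assumption: the variable holds exactly one author/name entry.
    disabled="${VULKRO_RULE_PACKS_DISABLED:-}"
    [ -d "$root" ] || return 0
    for vdir in "$root"/*/*/*/; do
        # An unmatched glob stays literal; skip it.
        [ -d "$vdir" ] || continue
        vdir="${vdir%/}"
        version="${vdir##*/}"
        pdir="${vdir%/*}"
        name="${pdir##*/}"
        adir="${pdir%/*}"
        author="${adir##*/}"
        # Count only rules/*.yaml, the files the page says are picked up.
        count=0
        for f in "$vdir"/rules/*.yaml; do
            if [ -f "$f" ]; then
                count=$((count + 1))
            fi
        done
        if [ "$author/$name" = "$disabled" ]; then
            status=disabled
        elif [ "$count" -eq 0 ]; then
            status=empty
        else
            status=active
        fi
        printf '%s\t%s\t%s\t%s\n' "$author/$name" "$version" "$count" "$status"
    done
}
```

Running it before and after vulkro rules update shows which versions are present side by side and whether a pack you meant to disable is still listed as active.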

Verification

Every pack must be signed by a key in Vulkro's built-in trust list or one of the runtime --trust-key paths. Unsigned packs are refused.

Air-gap

VULKRO_OFFLINE=1 makes rules add and rules update refuse the network and return a 503-style error. Locally-installed packs continue to work.

Authoring a pack

Pack layout, manifest.toml, signing, and publishing are covered in the team handbook.