vulkro-sf update
Keep vulkro-sf current. With no flags it does two things, in order:
- Self-upgrade check. It checks the vulkro-sf release channel (https://dist.vulkro.com/releases/latest-sf.json, which versions independently of the general vulkro scanner) and, if a newer binary exists, offers to install it via https://dist.vulkro.com/install-sf.sh.
- CVE-data refresh. It fetches the latest signed CVE / rule / compliance bundle, verifies it against the pinned trust roots, and applies it to ~/.vulkro/data/.
This is the same updater the general vulkro update uses (built on the
same engine), pointed at the vulkro-sf channel. The CVE data lives in
the shared ~/.vulkro/data/ store the engine reads, so a vulkro-sf update and a vulkro update refresh one store. (This is separate from
the console's scan-history database under ~/.vulkro-sf/data/.)
Synopsis
vulkro-sf update [flags]
Usage
vulkro-sf update # self-upgrade check, then refresh CVE data
vulkro-sf update --no-version-check # skip the upgrade prompt (CI), just refresh
vulkro-sf update --verify bundle.vkb # print a signed bundle's manifest, write nothing
vulkro-sf update --bundle bundle.vkb # apply an out-of-band (USB) bundle to ~/.vulkro/data
vulkro-sf update --create --out b.vkb \
--add cves:cves/npm.json:./npm.json # author a signed bundle (internal tooling)
Flags
The flag set is identical to vulkro update.
| Flag | Description |
|---|---|
| --bundle <PATH> | Apply a .vkbundle against ~/.vulkro/data/. |
| --verify <PATH> | Verify a bundle's signature and print the manifest, without writing. |
| --create | Author a new bundle. Reads the signing key from $VULKRO_SIGNING_KEY. |
| --out <PATH> | Output path for --create. |
| --add <KIND:TARGET:SOURCE> | Bundle entry for --create. KIND is cves, rules, or compliance. Repeatable. |
| --trust-key <PATH> | Extra trust root (32 raw bytes or hex). Repeatable. |
| --dest <PATH> | Override the destination root for --bundle (default ~/.vulkro/data/). |
| --no-version-check | Skip the self-upgrade prompt before the CVE refresh. Required in CI / non-interactive scripts. Also honoured via VULKRO_NO_UPDATE_CHECK=1. |
Self-upgrade prompt
Before refreshing CVE data, the default flow performs a fresh (uncached) check against the vulkro-sf release feed and, if a newer release exists, prompts:
! Update available: 0.1.6 -> 0.1.7
Run `curl -sSfL https://dist.vulkro.com/install-sf.sh | bash` now? [y/N]
Answer y and the SF installer runs in place; re-invoke vulkro-sf update once it finishes to refresh CVE data with the new binary.
Answer n and the current binary continues straight to the refresh.
The prompt is suppressed when stdin is not a TTY (CI / cron),
--no-version-check is passed, VULKRO_NO_UPDATE_CHECK=1 is set, or a
specific bundle is being processed (--bundle, --verify, --create).
vulkro-sf also runs the same opportunistic, 24-hour-cached background
check at the end of every command, printing a one-line "update
available" notice when a newer release exists.
Air-gap operation
VULKRO_OFFLINE=1 makes vulkro-sf update (no flags) refuse the
network and exit 2 with a hint to use --bundle <path>. Deliver a
signed bundle out of band and apply it offline.
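One way to script the out-of-band flow above, as an added example (not part of the vulkro documentation): verify the bundle first so nothing is written unless the signature checks out, then apply it. It uses only the flags and exit codes listed on this page; the function name and the VULKRO_BIN override are hypothetical.

```sh
#!/bin/sh
# Added example: offline CVE-data refresh from a hand-carried bundle.
# VULKRO_BIN is a hypothetical override for this wrapper only; it is not
# a variable that vulkro-sf itself reads.
VULKRO_BIN="${VULKRO_BIN:-vulkro-sf}"

# apply_offline_bundle <bundle-path> [dest-root]
# Returns 0 on success and 2 on any failure, mirroring the documented
# exit codes of `vulkro-sf update`.
apply_offline_bundle() {
    bundle="$1"
    dest="${2:-}"

    if [ ! -f "$bundle" ]; then
        echo "bundle not found: $bundle" >&2
        return 2
    fi

    # Step 1: signature check only. --verify prints the manifest and
    # writes nothing, so a rejected bundle never touches the data store.
    # VULKRO_OFFLINE=1 is documented for the flagless form; passing it
    # here is an assumption, a belt-and-braces setting for hosts that
    # must never reach the network.
    if ! VULKRO_OFFLINE=1 "$VULKRO_BIN" update --verify "$bundle"; then
        echo "verification failed, not applying: $bundle" >&2
        return 2
    fi

    # Step 2: apply, optionally to an overridden destination root
    # (--dest defaults to ~/.vulkro/data/ when omitted).
    if [ -n "$dest" ]; then
        VULKRO_OFFLINE=1 "$VULKRO_BIN" update --bundle "$bundle" --dest "$dest" || return 2
    else
        VULKRO_OFFLINE=1 "$VULKRO_BIN" update --bundle "$bundle" || return 2
    fi
}

# Usage (constructed path):
#   apply_offline_bundle /media/usb/bundle.vkb
```
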
Exit codes
- 0 - success.
- 2 - error (bundle not found, signature invalid, offline with no --bundle, etc).
Where to go next
- Installing vulkro-sf - first-time install.
- vulkro update - the general scanner's equivalent, on its own release channel.