Install the CLI
The CLI ships as a single binary named alertavuln; the installer also creates
the conventional av alias - the two are interchangeable in every example.
Every download is verified against the release’s published SHA-256 checksums
before anything is installed.
Quick install
Section titled “Quick install”curl -fsSL https://get.alertavuln.com/cli/install.sh | shTo pass options when piping, use sh -s --:
curl -fsSL https://get.alertavuln.com/cli/install.sh | sh -s -- --version v0.3.0irm https://get.alertavuln.com/cli/install.ps1 | iexThe pipe-to-iex form cannot take arguments. To pass parameters, create a
script block first:
& ([scriptblock]::Create((irm https://get.alertavuln.com/cli/install.ps1))) -Version v0.3.0 -NoPathUpdateInstaller options
Section titled “Installer options”install.sh (Linux/macOS) |
install.ps1 (Windows) |
Description |
|---|---|---|
--version vX.Y.Z |
-Version vX.Y.Z |
Install a specific version. Default: latest from the published version.json |
--with-mcp-router |
-WithMcpRouter |
Also install the AlertaVuln MCP router binary (mcp-router) |
--dry-run |
-DryRun |
Resolve platform and version, print the URLs that would be used, and install nothing. Combined with a pinned version it performs no network I/O at all |
| - | -NoPathUpdate |
Do not modify the user Path environment variable |
-h, --help |
- | Show the installer’s help |
What the installer does
Section titled “What the installer does”-
Detects your platform. Linux and macOS on
amd64orarm64; Windows isamd64-only (ARM64 Windows runs the amd64 binary under emulation; 32-bit x86 is not supported). -
Resolves the version. Unless you pinned one, it fetches
https://downloads.alertavuln.com/version.jsonand reads thelatestpointer. -
Downloads the binary and the release’s
SHA256SUMSfile from that version’s directory in the release store. -
Verifies the SHA-256 checksum. A missing entry or a mismatch is a hard failure - nothing unverified is ever installed. The shell script refuses to run at all without
sha256sumorshasum; the PowerShell script usesGet-FileHash. -
Installs the binary. On Linux/macOS it goes to
~/.local/bin/alertavuln(mode0755, staged and atomically moved so a running binary can be replaced) with anavsymlink beside it (a plain copy where symlinks are unavailable); the script warns if~/.local/binis not on yourPATH. On Windows it goes to%LOCALAPPDATA%\Programs\AlertaVulnasalertavuln.exeplus anav.execopy, and that directory is appended to your userPathunless you passed-NoPathUpdate. -
Optionally installs the MCP router. With
--with-mcp-router/-WithMcpRouter, themcp-routerbinary is downloaded, checksum-verified the same way, and installed alongside the CLI.
Manual install
Section titled “Manual install”Binaries are served from Azure Blob Storage. Each release lives in its own immutable version directory - once published, the binaries and checksums for a version never change:
https://downloads.alertavuln.com/vX.Y.Z/alertavuln-<os>-<arch>[.exe]with os one of linux, darwin, windows and arch one of amd64,
arm64 (Windows is amd64-only - five CLI binaries per release). Each version
directory also holds mcp-router-<os>-<arch>[.exe] for the same targets
(releases after v0.3.0), the SHA256SUMS file covering every binary, and that
version’s release notes as notes.md.
Download the binary and SHA256SUMS, verify, then put the binary on your
PATH:
ver=v0.3.0curl -fsSLO "https://downloads.alertavuln.com/$ver/alertavuln-linux-amd64"curl -fsSLO "https://downloads.alertavuln.com/$ver/SHA256SUMS"sha256sum --check --ignore-missing SHA256SUMSchmod +x alertavuln-linux-amd64mkdir -p ~/.local/bin && mv alertavuln-linux-amd64 ~/.local/bin/alertavulnver=v0.3.0curl -fsSLO "https://downloads.alertavuln.com/$ver/alertavuln-darwin-arm64"curl -fsSLO "https://downloads.alertavuln.com/$ver/SHA256SUMS"shasum -a 256 --check --ignore-missing SHA256SUMSchmod +x alertavuln-darwin-arm64mkdir -p ~/.local/bin && mv alertavuln-darwin-arm64 ~/.local/bin/alertavulnUse alertavuln-darwin-amd64 on Intel Macs.
$ver = 'v0.3.0'irm "https://downloads.alertavuln.com/$ver/alertavuln-windows-amd64.exe" -OutFile alertavuln-windows-amd64.exeirm "https://downloads.alertavuln.com/$ver/SHA256SUMS" -OutFile SHA256SUMS(Get-FileHash .\alertavuln-windows-amd64.exe -Algorithm SHA256).HashSelect-String alertavuln-windows-amd64.exe SHA256SUMS # the two hashes must matchOnce verified, rename the file to alertavuln.exe, move it to a directory on
your PATH, and optionally keep an av.exe copy beside it.
The release manifest - version.json
Section titled “The release manifest - version.json”The container root serves a single mutable blob,
version.json
- the machine-readable pointer the install scripts use to resolve the latest release. Its schema is a stable contract for tooling:
| Field | Type | Meaning |
|---|---|---|
latest |
string | Current release tag, vX.Y.Z |
releasedAt |
string | UTC release timestamp, ISO 8601 (YYYY-MM-DDTHH:MM:SSZ) |
baseUrl |
string | Download origin every url below is rooted at |
platforms |
object | One entry per published CLI target, keyed <os>-<arch>: linux-amd64, linux-arm64, darwin-amd64, darwin-arm64, windows-amd64 |
platforms.<key>.binary |
string | Exact blob filename (keeps the .exe suffix on Windows) |
platforms.<key>.url |
string | Full download URL - baseUrl + / + latest + / + binary |
platforms.<key>.sha256 |
string | Lowercase hex SHA-256 of the binary; matches the SHA256SUMS entry |
mcpRouter |
object | Same shape and keys as platforms, for the MCP router binaries. Absent when that release did not ship the router (e.g. v0.3.0) |
{ "latest": "v0.4.0", "releasedAt": "2026-07-04T00:00:00Z", "baseUrl": "https://downloads.alertavuln.com", "platforms": { "linux-amd64": { "binary": "alertavuln-linux-amd64", "url": "https://downloads.alertavuln.com/v0.4.0/alertavuln-linux-amd64", "sha256": "sha256-hex-64-chars" } }, "mcpRouter": { "linux-amd64": { "binary": "mcp-router-linux-amd64", "url": "https://downloads.alertavuln.com/v0.4.0/mcp-router-linux-amd64", "sha256": "sha256-hex-64-chars" } }}version.json is the only mutable blob in the release store, and a
release rewrites it last - after every immutable blob is in place - so the
latest pointer can never reference a partially uploaded release. Scripting
against it is straightforward:
curl -fsSL https://downloads.alertavuln.com/version.json | jq -r '.latest'After installing
Section titled “After installing”Sign in and confirm everything works:
av login # opens your browser to authenticateav whoami # confirm who you're signed in asav check npm vite 6.0.0 # vet a package before you adopt itBy default the CLI talks to https://alertavuln.com; override the API base
URL with the --api-url flag, which takes precedence over the
ALERTAVULN_API_URL environment variable and the config file.
See also
Section titled “See also”- Releases - version history and release notes
- Introduction - what AlertaVuln does
av sast scan- run your first local code scan