Releases
Every CLI release is published to an immutable version directory in the release store - binaries, SHA256SUMS, and that version’s notes as notes.md - and the version.json pointer flips to it last. See Install the CLI for the one-line installers, manual downloads, and the version.json schema.
To install or pin any version listed below:
    curl -fsSL https://get.alertavuln.com/cli/install.sh | sh -s -- --version vX.Y.Z
v0.4.0
New download home + the MCP router ships. First release published to the AlertaVuln download origin, and the first to include the MCP router binaries.
Highlights
- New install path - grab the CLI with one line; the installer verifies every download against SHA256SUMS before anything runs:
    curl -fsSL https://get.alertavuln.com/cli/install.sh | sh
    irm https://get.alertavuln.com/cli/install.ps1 | iex
  Manual downloads live at https://downloads.alertavuln.com/v0.4.0/.
- MCP router binaries - mcp-router now ships for all five platforms. Install it alongside the CLI with --with-mcp-router (sh) or -WithMcpRouter (PowerShell), or download it directly. Point your MCP client at it with ALERTAVULN_API_KEY (and optionally ALERTAVULN_API_URL), or use the hosted endpoint at https://alertavuln.com/mcp.
- Quieter scan output - sast scan progress, skip notices and results now use scanner role labels (code, secret, infrastructure, licence) instead of tool internals. Behaviour, findings and tiering are unchanged.
Changes since v0.3.0
- feat(cli): publish releases to the AlertaVuln download origin with checksum-verifying installers
- feat(cli): ship mcp-router binaries for linux/darwin/windows
- refactor(cli): generic scanner labels across all scan output and exports
v0.3.0
Code scanning (SAST) comes to the CLI. A full alertavuln sast command tree:
scan your code locally for free, or have AlertaVuln scan your connected repos
server-side, then pull and triage the results as RED / YELLOW / GREEN.
Highlights
- alertavuln sast scan - run a series of specialised code, secret and infrastructure scans over a local path. Scanners are auto-downloaded (pinned + checksum-verified) and run as separate processes; your source code never leaves the machine. Free and unlimited on every plan.
- alertavuln sast server-scan - ask AlertaVuln to clone + scan a project’s connected git repos on our infrastructure (Enterprise; counts against your weekly quota, always shown before anything is enqueued).
- alertavuln sast findings / alertavuln sast jobs - pull the consolidated findings the server holds for a project (filter by state / severity / repo) and review server-scan history.
- License scanning - licence detection surfaces as its own dedicated License category.
- CI-friendly - --fail-on red|yellow exits non-zero to gate a pipeline; --json and --export give machine output and standalone HTML reports.
- MCP - adds list_sast_findings and list_sast_scan_jobs tools to the MCP server for editor / agent integrations.
Getting started with SAST
- Authenticate:
    alertavuln login
- Scan a local checkout - free, runs on your machine:
    alertavuln sast scan --path .
    alertavuln sast scan --path . --fail-on red # non-zero exit gates CI
- Scan + upload to a project (repo/ref auto-detected from git):
    alertavuln project list
    alertavuln sast scan --path . --project <projectId>
- Server-side scan (Enterprise; cost shown before enqueue):
    alertavuln sast server-scan --project <projectId> --wait
    alertavuln sast server-scan --project <projectId> --all --wait
- Review results:
    alertavuln sast findings --project <projectId>
    alertavuln sast findings --project <projectId> --severity red --state open
    alertavuln sast findings --project <projectId> --repo acme/api
    alertavuln sast findings --project <projectId> --json
    alertavuln sast jobs --project <projectId>
Install / upgrade
Easiest: the installer verifies checksums for you.
    curl -fsSL https://get.alertavuln.com/cli/install.sh | sh
    irm https://get.alertavuln.com/cli/install.ps1 | iex
Manual: download the binary for your platform from the download origin, verify it against SHA256SUMS, make it executable, and put it on your PATH.
    base=https://downloads.alertavuln.com/v0.3.0
    curl -sSLo alertavuln-linux-amd64 "$base/alertavuln-linux-amd64" # or -{linux,darwin}-{amd64,arm64}
    curl -sSLo SHA256SUMS "$base/SHA256SUMS"
    sha256sum --check --ignore-missing SHA256SUMS # checked under its release name; rename only afterwards
    chmod +x alertavuln-linux-amd64 && sudo mv alertavuln-linux-amd64 /usr/local/bin/alertavuln
    alertavuln --version # v0.3.0
Windows: download alertavuln-windows-amd64.exe, verify against SHA256SUMS, rename to alertavuln.exe, and put it on your PATH.
Tip: many people alias the binary to av.
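A stricter form of the manual check, as an added example that is not AlertaVuln's installer code: sha256sum --check --ignore-missing skips SHA256SUMS entries whose files are absent, so it only covers a download still stored under its listed name. The hypothetical verify_asset helper below requires exactly one entry for the asset before comparing hashes; the sample file and SHA256SUMS are constructed, and the standard sha256sum line format is assumed.

```shell
#!/bin/sh
# Added example: strict check of one release asset against SHA256SUMS.
# verify_asset is a hypothetical helper, not part of the AlertaVuln installer.
# Returns 0 = hash matches, 1 = mismatch, 2 = no single entry, 3 = file absent.
verify_asset() {
    dir=$1
    name=$2
    [ -f "$dir/$name" ] || return 3
    # Assumed line format (standard sha256sum output): "<64 hex>  <name>",
    # or "<64 hex> *<name>" in binary mode. Names with spaces are unsupported.
    want=$(awk -v n="$name" '
        ($2 == n || $2 == ("*" n)) && length($1) == 64 { print $1; c++ }
        END { if (c != 1) exit 1 }' "$dir/SHA256SUMS") || return 2
    got=$(sha256sum "$dir/$name" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

# Runs the three cases on constructed sample data and prints their statuses.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample binary\n' > "$tmp/alertavuln-linux-amd64"
    (cd "$tmp" && sha256sum alertavuln-linux-amd64 > SHA256SUMS)

    # 1. Untouched download, still under its release name.
    verify_asset "$tmp" alertavuln-linux-amd64 && ok=0 || ok=$?
    # 2. Renamed before verification: SHA256SUMS has no "alertavuln" entry.
    cp "$tmp/alertavuln-linux-amd64" "$tmp/alertavuln"
    verify_asset "$tmp" alertavuln && renamed=0 || renamed=$?
    # 3. Content changed after SHA256SUMS was written.
    printf 'x' >> "$tmp/alertavuln-linux-amd64"
    verify_asset "$tmp" alertavuln-linux-amd64 && tampered=0 || tampered=$?

    rm -rf "$tmp"
    echo "$ok $renamed $tampered"
}

demo   # prints: 0 2 1
```

A non-zero status from verify_asset means the file should not be made executable or moved onto PATH.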
Changes since v0.2.0
- feat(cli): sast scan with auto-downloaded, checksum-verified engines + findings upload
- fix(cli): drop the dependency-vuln pass from local scans - dependency CVEs are core’s job
- feat(cli): auto-detect repo / ref / commit from git for SAST uploads
- feat(cli): sast server-scan + org-key access to a project’s git sources
- feat(sast): licence scanning as a dedicated License category
- feat(cli): pull SAST results via sast findings / sast jobs + MCP tools
- fix(cli): collapse + cap the SAST finding message so the findings table stays aligned
v0.2.0
Released 2026-06-21. Notes: https://github.com/BlackOpsSolutions/alertavuln-cli/releases/tag/v0.2.0
v0.1.0
Released 2026-06-02. Notes: https://github.com/BlackOpsSolutions/alertavuln-cli/releases/tag/v0.1.0