
Releases

Every CLI release is published to an immutable version directory in the release store - binaries, SHA256SUMS, and that version’s notes as notes.md - and the version.json pointer flips to it last. See Install the CLI for the one-line installers, manual downloads, and the version.json schema.

To install or pin any version listed below:

curl -fsSL https://get.alertavuln.com/cli/install.sh | sh -s -- --version vX.Y.Z

v0.4.0

New download home + the MCP router ships. First release published to the AlertaVuln download origin, and the first to include the MCP router binaries.

Highlights

  • New install path - grab the CLI with one line; the installer verifies every download against SHA256SUMS before anything runs:
    curl -fsSL https://get.alertavuln.com/cli/install.sh | sh
    irm https://get.alertavuln.com/cli/install.ps1 | iex
    Manual downloads live at https://downloads.alertavuln.com/v0.4.0/.
  • MCP router binaries - mcp-router now ships for all five platforms. Install it alongside the CLI with --with-mcp-router (sh) or -WithMcpRouter (PowerShell), or download it directly. Point your MCP client at it with ALERTAVULN_API_KEY (and optionally ALERTAVULN_API_URL), or use the hosted endpoint at https://alertavuln.com/mcp.
  • Quieter scan output - sast scan progress, skip notices and results now use scanner role labels (code, secret, infrastructure, licence) instead of tool internals. Behaviour, findings and tiering are unchanged.

Changes since v0.3.0

  • feat(cli): publish releases to the AlertaVuln download origin with checksum-verifying installers
  • feat(cli): ship mcp-router binaries for linux/darwin/windows
  • refactor(cli): generic scanner labels across all scan output and exports

v0.3.0

Code scanning (SAST) comes to the CLI. A full alertavuln sast command tree: scan your code locally for free, or have AlertaVuln scan your connected repos server-side, then pull and triage the results as RED / YELLOW / GREEN.

Highlights

  • alertavuln sast scan - run a series of specialised code, secret and infrastructure scans over a local path. Scanners are auto-downloaded (pinned + checksum-verified) and run as separate processes; your source code never leaves the machine. Free and unlimited on every plan.
  • alertavuln sast server-scan - ask AlertaVuln to clone + scan a project’s connected git repos on our infrastructure (Enterprise; counts against your weekly quota, always shown before anything is enqueued).
  • alertavuln sast findings / alertavuln sast jobs - pull the consolidated findings the server holds for a project (filter by state / severity / repo) and review server-scan history.
  • License scanning - licence detection surfaces as its own dedicated License category.
  • CI-friendly - --fail-on red|yellow exits non-zero to gate a pipeline; --json and --export give machine output and standalone HTML reports.
  • MCP - adds list_sast_findings and list_sast_scan_jobs tools to the MCP server for editor / agent integrations.

Getting started with SAST

  1. Authenticate:
    alertavuln login
  2. Scan a local checkout - free, runs on your machine:
    alertavuln sast scan --path .
    alertavuln sast scan --path . --fail-on red # non-zero exit gates CI
  3. Scan + upload to a project (repo/ref auto-detected from git):
    alertavuln project list
    alertavuln sast scan --path . --project <projectId>
  4. Server-side scan (Enterprise; cost shown before enqueue):
    alertavuln sast server-scan --project <projectId> --wait
    alertavuln sast server-scan --project <projectId> --all --wait
  5. Review results:
    alertavuln sast findings --project <projectId>
    alertavuln sast findings --project <projectId> --severity red --state open
    alertavuln sast findings --project <projectId> --repo acme/api
    alertavuln sast findings --project <projectId> --json
    alertavuln sast jobs --project <projectId>

Install / upgrade

Easiest: the installer verifies checksums for you.

curl -fsSL https://get.alertavuln.com/cli/install.sh | sh
irm https://get.alertavuln.com/cli/install.ps1 | iex

Manual: download the binary for your platform from the download origin, verify it against SHA256SUMS, make it executable, and put it on your PATH.

base=https://downloads.alertavuln.com/v0.3.0
asset=alertavuln-linux-amd64 # or alertavuln-{linux,darwin}-{amd64,arm64}
# Keep the published file name: sha256sum looks each SHA256SUMS entry up by name
curl -fsSLo "$asset" "$base/$asset"
curl -fsSLo SHA256SUMS "$base/SHA256SUMS"
# Install only if the check passes; rename on install
sha256sum --check --ignore-missing SHA256SUMS &&
  chmod +x "$asset" && sudo mv "$asset" /usr/local/bin/alertavuln
alertavuln --version # v0.3.0
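
The manual check above depends on the local file name matching its SHA256SUMS entry, because `--ignore-missing` skips entries whose file is absent. The following is an added example, not the project's installer code: a fail-closed helper that verifies one named asset and treats a missing or duplicated entry as an error. The function names, return codes and sample files are constructed for illustration, and the manifest is assumed to use the `<hex digest>  <file name>` format that `sha256sum` writes.

```shell
#!/bin/sh
# Added example: fail-closed check of one release asset against SHA256SUMS.
# Assumes sha256sum's "<hex digest>  <file name>" lines and names without spaces.

# sha256_of FILE: print the file's SHA-256 as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # macOS ships shasum instead
    fi
}

# verify_asset FILE SUMS [NAME]
# NAME is the manifest entry to look up (default: basename of FILE); pass it
# when the local copy was renamed. Returns 0 = match, 1 = digest mismatch,
# 2 = no entry or more than one entry for NAME, 3 = file or manifest unreadable.
verify_asset() {
    file=$1; sums=$2; name=${3:-$(basename "$1")}
    [ -r "$file" ] && [ -r "$sums" ] || return 3
    # Exact match on the name field; "*" marks binary mode in sha256sum output.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { c++; h = tolower($1) }
        END { if (c == 1) print h }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] || return 1
}

# verify_demo: run four cases on constructed files; prints "ok renamed named tampered".
verify_demo() (
    d=$(mktemp -d) && cd "$d" || exit 3
    printf 'constructed sample binary\n' > alertavuln-linux-amd64
    printf '%s  alertavuln-linux-amd64\n' "$(sha256_of alertavuln-linux-amd64)" > SHA256SUMS
    cp alertavuln-linux-amd64 alertavuln               # renamed local copy
    ok=0; verify_asset alertavuln-linux-amd64 SHA256SUMS || ok=$?
    renamed=0; verify_asset alertavuln SHA256SUMS || renamed=$?
    named=0; verify_asset alertavuln SHA256SUMS alertavuln-linux-amd64 || named=$?
    printf 'tampered\n' >> alertavuln-linux-amd64
    bad=0; verify_asset alertavuln-linux-amd64 SHA256SUMS || bad=$?
    cd / && rm -rf "$d"
    echo "$ok $renamed $named $bad"
)
```

A matching digest shows the file is the one the manifest describes; because the binary and SHA256SUMS come from the same origin, it does not by itself establish who published them.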

Windows: download alertavuln-windows-amd64.exe, verify against SHA256SUMS, rename to alertavuln.exe, and put it on your PATH. Tip: many people alias the binary to av.

Changes since v0.2.0

  • feat(cli): sast scan with auto-downloaded, checksum-verified engines + findings upload
  • fix(cli): drop the dependency-vuln pass from local scans - dependency CVEs are core’s job
  • feat(cli): auto-detect repo / ref / commit from git for SAST uploads
  • feat(cli): sast server-scan + org-key access to a project’s git sources
  • feat(sast): licence scanning as a dedicated License category
  • feat(cli): pull SAST results via sast findings / sast jobs + MCP tools
  • fix(cli): collapse + cap the SAST finding message so the findings table stays aligned

v0.2.0

Released 2026-06-21. Notes: https://github.com/BlackOpsSolutions/alertavuln-cli/releases/tag/v0.2.0

v0.1.0

Released 2026-06-02. Notes: https://github.com/BlackOpsSolutions/alertavuln-cli/releases/tag/v0.1.0