CLI reference

The AlertaVuln CLI scripts everything the web app can do - project setup, alert triage, package vetting, local code scanning, and CI gating - against the same server-side intelligence.

The binary ships as alertavuln; av is the common alias - they are interchangeable in every example. Install it with the one-liners on the install page.

Commands that talk to the AlertaVuln API require a session - run av login first. av sast scan is the notable exception: it runs fully locally and needs no login unless you pass --project to upload the findings.

| Command | Description |
| --- | --- |
| av login | Sign in through your web browser; the CLI receives the session token over a one-time localhost callback |
| av logout | Clear the stored session token |
| av whoami | Show the signed-in user and the API endpoint in use |

| Command | Description |
| --- | --- |
| av alerts | List a project’s vulnerability alerts with a RED / YELLOW / GREEN summary line |
| av alerts get | Show full detail for a single alert: status, reasoning, CVE data, and matched packages |
| av alerts ack | Acknowledge an alert, optionally recording a note |
| av exposure | Blast-radius lookup: list every project in your organisation with an alert for a given CVE |

| Command | Description |
| --- | --- |
| av check | Pre-flight a single package coordinate for known vulnerabilities before you add it |
| av health | Show package health for a project: deprecated, unmaintained, and updates-available packages |
| av techstack list | List the packages AlertaVuln tracks for a project |
| av techstack add | Add a package to a project’s tech stack |
| av techstack update | Update a tech-stack item in place |
| av techstack remove | Remove a package from a project’s tech stack |
| av techstack sync | Reconcile a project’s tech stack from a parsed dependency manifest |
| av sbom export | Export a project’s SBOM (CycloneDX, optionally with VEX) - Enterprise |

| Command | Description |
| --- | --- |
| av sast scan | Scan a local path with the configured engines and tier every finding RED / YELLOW / GREEN |
| av sast server-scan | Clone and scan a project’s connected repos on AlertaVuln’s infrastructure - Enterprise, quota-metered |
| av sast findings | List the consolidated SAST findings the server holds for a project |
| av sast jobs | Show a project’s server-side scan-job history |

| Command | Description |
| --- | --- |
| av project list | List all projects |
| av project create | Create a new project |
| av project get | Show project details as JSON |
| av project delete | Delete a project |
| av repo list | List the git repos attached to a project as scan sources |
| av repo get | Show repo details as JSON |
| av repo create | Add a git repo as a scan source (a scan is queued immediately) |
| av repo rescan | Trigger a rescan of an existing repo |
| av repo delete | Remove a repo from a project |
| av org list | List the organisations you belong to, marking the active one |
| av org get | Show the currently active organisation |
| av org switch | Switch active organisation (issues a new token scoped to it) |
| av org members | List members of the active organisation |
| av org invites | List pending invites for the active organisation |
| av org audit | Show the organisation audit log |
| av webhook list | List webhook alert destinations for a project |
| av webhook get | Show webhook details as JSON |
| av webhook create | Create a webhook destination (Slack, Teams, Discord, Google Chat, or generic) |
| av webhook delete | Delete a webhook |
| av webhook test | Send a test alert to a webhook |

| Flag | Default | Description |
| --- | --- | --- |
| --api-url | https://alertavuln.com | API base URL for this invocation; available on every command, overrides the ALERTAVULN_API_URL environment variable |
| --help, -h | - | Show help for any command |
| --version | - | Print the CLI version (av --version) |

The API endpoint is resolved per invocation and never persisted - see Configuration for the full precedence rules.

Commands print human-readable tables by default. List commands lead with a summary line that tallies results by status - RED / YELLOW / GREEN - before the per-row detail.

  • --json prints the raw API JSON to stdout instead of a table. Available on av alerts, av alerts get, av check, av exposure, av health, av org members, av org invites, av org audit, av sast findings, and av sast jobs.
  • av sast scan uses --format table|json rather than --json.
  • --export <path> writes the output to disk instead of stdout: a standalone HTML report by default, or a raw JSON file when combined with --json. Available on av alerts, av health, av sast findings, and av sast jobs. Pass a filename with an extension to write exactly there; pass a directory and the CLI names the file after the resource (for example alerts.html).
  • av project get, av repo get, and av webhook get always emit JSON - they are detail lookups meant for scripting.

| Code | Meaning |
| --- | --- |
| 0 | The command succeeded |
| 1 | Any failure: API or auth error, invalid flags, or a --fail-on gate tripping in av sast scan |

Errors are printed to stderr prefixed with error:.
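
The output and exit-code contract above, as an added example (not AlertaVuln's own code): a wrapper that archives the --json output of a command such as av org audit and replaces the previous export only when the command exits 0. The names av_export_json and AV_BIN are hypothetical, and treating empty output as a failure is this example's assumption.

```bash
#!/usr/bin/env bash
# Added example, not part of the AlertaVuln CLI. av_export_json and AV_BIN are
# hypothetical names; AV_BIN lets a test substitute a stub for the real binary.

# av_export_json <dest-file> <av subcommand...>
# Runs a --json-capable command and writes dest-file only on success.
av_export_json() {
  local dest="$1"; shift
  local tmp err rc=0
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1
  err="$(mktemp)" || { rm -f "$tmp"; return 1; }

  # stdout carries the raw API JSON; stderr carries diagnostics. Keep them
  # apart so an error message can never end up inside the archived JSON.
  "${AV_BIN:-av}" "$@" --json >"$tmp" 2>"$err" || rc=$?

  if [ "$rc" -ne 0 ]; then
    # Exit code 1 covers every failure (API, auth, invalid flags), so relay
    # the "error:" line from stderr to show the operator which one occurred.
    grep '^error:' "$err" >&2 || cat "$err" >&2
    rm -f "$tmp" "$err"
    return "$rc"
  fi
  rm -f "$err"

  # Assumption of this example: exit 0 with empty stdout is still a failure,
  # so an empty file never replaces the previous export.
  if [ ! -s "$tmp" ]; then
    echo "av_export_json: command succeeded but printed nothing" >&2
    rm -f "$tmp"
    return 1
  fi

  # Rename into place so a consumer never reads a half-written file.
  mv -f "$tmp" "$dest"
}

# Usage: av_export_json ./org-audit.json org audit
```
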