The AlertaVuln CLI scripts everything the web app can do - project setup,
alert triage, package vetting, local code scanning, and CI gating - against
the same server-side intelligence.
The binary ships as alertavuln; av is the common alias - they are
interchangeable in every example. Install it with the one-liners on the
install page.
Commands that talk to the AlertaVuln API require a session - run
av login first. av sast scan
is the notable exception: it runs fully locally and needs no login unless you
pass --project to upload the findings.
Commands print human-readable tables by default. List commands lead with a
summary line that tallies results by status -
RED, YELLOW, GREEN - before the per-row detail.
--json prints the raw API JSON to stdout instead of a table. Available
on av alerts, av alerts get, av check, av exposure, av health,
av org members, av org invites, av org audit, av sast findings, and
av sast jobs.
av sast scan uses --format table|json rather than --json.
--export <path> writes the output to disk instead of stdout: a
standalone HTML report by default, or a raw JSON file when combined with
--json. Available on av alerts, av health, av sast findings, and
av sast jobs. Pass a filename with an extension to write exactly there;
pass a directory and the CLI names the file after the resource (for
example alerts.html).
av project get, av repo get, and av webhook get always
emit JSON - they are detail lookups meant for scripting.
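
A CI gate built on the av alerts --json output described above, as an added example rather than AlertaVuln's own code. It assumes the JSON is an array of objects with a "status" field of RED, YELLOW or GREEN (the schema is not documented on this page); tally, gate and max_yellow are hypothetical names.

```python
import json
import sys
from collections import Counter

# Assumption: `av alerts --json` prints a JSON array of objects, each with a
# "status" field set to RED, YELLOW or GREEN. Adjust to the real schema.
STATUS_FIELD = "status"
KNOWN = ("RED", "YELLOW", "GREEN")

# Constructed sample, used only when nothing is piped in.
SAMPLE = '[{"status": "RED"}, {"status": "GREEN"}, {"status": "YELLOW"}]'


def tally(raw_json):
    """Count alerts per status; reject output that is not the assumed shape."""
    data = json.loads(raw_json)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of alerts")
    counts = Counter()
    for row in data:
        status = row.get(STATUS_FIELD) if isinstance(row, dict) else None
        counts[status if status in KNOWN else "UNKNOWN"] += 1
    return counts


def gate(counts, max_yellow=0):
    """Return a process exit code: 0 passes the build, 1 blocks it."""
    # Fail closed: an unrecognised status blocks the build like a RED would.
    if counts["RED"] or counts["UNKNOWN"]:
        return 1
    return 1 if counts["YELLOW"] > max_yellow else 0


def main():
    # Usage: av alerts --json | python gate.py   (after `av login`)
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    counts = tally(raw)
    print(f"RED={counts['RED']} YELLOW={counts['YELLOW']} "
          f"GREEN={counts['GREEN']} UNKNOWN={counts['UNKNOWN']}", file=sys.stderr)
    return gate(counts)


if __name__ == "__main__":
    try:
        sys.exit(main())
    except ValueError as exc:
        # Empty or malformed input (for example a failed or logged-out CLI
        # call upstream in the pipe) must not pass the gate.
        print(f"gate error: {exc}", file=sys.stderr)
        sys.exit(2)
```

Exit code 2 separates "the gate could not evaluate" from "the gate evaluated and blocked", which lets a pipeline alert on a broken session instead of silently passing.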