Configs · May 16, 2026 · 1 min read

Vuls — Agent-less Vulnerability Scanner for Linux and Containers

An open-source, agent-less vulnerability scanner written in Go that detects known vulnerabilities in Linux, FreeBSD, containers, and application dependencies by correlating installed packages with multiple CVE databases.

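Agent Ready

This asset can be read and installed directly by an agent.

TokRepo also provides a universal CLI command, an install contract, metadata JSON, adapter-generated install plans, and raw content links, so an agent can judge fit, risk, and next steps.

Native · 98/100 · Policy: Allow
Agent entry point: Any MCP/CLI agent
Type: Skill
Install: Single
Trust level: Established
Entry: Vuls Overview
Universal CLI install command:
npx tokrepo install 4dbf5097-5121-11f1-9bc6-00163e2b0d79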

Introduction

Vuls is an agent-less vulnerability scanner that connects to Linux and FreeBSD servers via SSH, inventories installed packages, and cross-references them against NVD, OVAL, and distro-specific advisory databases. It detects unpatched CVEs without installing agents on target hosts, making it practical for scanning large fleets with minimal operational overhead.

What Vuls Does

  • Scans remote servers via SSH without installing any agent software on targets
  • Correlates installed OS packages and application libraries against NVD, OVAL, and vendor advisories
  • Detects vulnerabilities in containers by scanning Docker images and running containers
  • Supports scanning application dependencies (WordPress plugins, Python packages, Node modules)
  • Generates prioritized reports with CVSS scores, affected packages, and remediation guidance

Architecture Overview

Vuls consists of a scanner, a report generator, and a vulnerability database fetcher. The scanner connects to targets over SSH, runs package manager queries (dpkg, rpm, pkg), and collects installed versions. The fetcher downloads CVE data from NVD, OVAL, and Debian/Ubuntu/Red Hat advisories and indexes it into a local database. The report engine matches installed versions against known vulnerable ranges and produces JSON, HTML, or terminal output with severity rankings.

Self-Hosting & Configuration

  • Install the single Go binary; no runtime dependencies beyond SSH access to targets
  • Configure targets in config.toml with SSH connection details and optional sudo settings
  • Fetch vulnerability databases with vuls fetch before the first scan (supports incremental updates)
  • Schedule scans via cron and pipe results to Slack, email, or webhook notifications
  • Use VulsRepo (companion web UI) to browse historical scan results and track remediation progress

Key Features

  • Agent-less scanning requires only SSH access and read permissions on package databases
  • Multi-database correlation (NVD, OVAL, Debian, Ubuntu, Red Hat, Amazon Linux, SUSE)
  • Container scanning for Docker images without running them
  • CVSS-based severity ranking with exploitability indicators from the CISA KEV catalog
  • Integration with Slack, email, Syslog, and custom webhooks for alerting

Comparison with Similar Tools

  • Trivy — scans container images and filesystems with bundled database; Vuls focuses on live server scanning via SSH
  • OpenVAS — full vulnerability assessment suite with active network probing; Vuls is lighter and package-focused without intrusive scanning
  • Qualys/Nessus — commercial vulnerability management platforms; Vuls is free, open-source, and self-hosted
  • OSV-Scanner — focused on open-source dependency vulnerabilities; Vuls covers both OS packages and application dependencies

FAQ

Q: Does Vuls require root access on scanned servers? A: No. It needs read access to package manager databases. Sudo is optional and only needed for specific advanced checks like changelog parsing.

Q: How often should I update the vulnerability databases? A: Daily fetches are recommended. NVD and vendor advisories publish new CVEs continuously, and stale databases will miss recent disclosures.

Q: Can Vuls scan Windows servers? A: No. Vuls targets Linux, FreeBSD, and their container ecosystems. For Windows vulnerability scanning, consider tools like Windows Update or commercial solutions.

Q: How does Vuls handle false positives? A: Vuls matches exact package versions against advisory data. False positives are rare but can occur with backported patches; use distro-specific OVAL data to minimize them.
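
The version matching described under Architecture Overview and the backport false positive from the last FAQ answer, as an added example (not Vuls's own code): it orders Debian-style versions the way dpkg does and checks one installed package against an upstream fixed release and a distro fixed package version. The advisory record, package name, versions and function names are all constructed for illustration.

```python
import re

def _order(c):
    """dpkg character rank: '~' < end of string < letters < other symbols."""
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare an upstream or revision string as alternating text and number runs."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    up, sep, rev = rest.rpartition("-")
    return int(epoch), (up if sep else rest), (rev if sep else "")

def deb_compare(a, b):
    """Order two Debian versions: negative, zero or positive."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

ADVISORY = {  # constructed record: placeholder ID, made-up package and versions
    "id": "CVE-XXXX-0001", "package": "examplelib",
    "upstream_fixed": "2.4.9",           # upstream-range style: first fixed release
    "distro_fixed": "2.4.1-3+deb12u2",   # distro style: fix backported to 2.4.1
}

def assess(installed, adv):
    """Return (upstream_range_hit, distro_fixed_hit) for one installed version."""
    upstream = split_version(installed)[1]
    return (deb_compare(upstream, adv["upstream_fixed"]) < 0,
            deb_compare(installed, adv["distro_fixed"]) < 0)

if __name__ == "__main__":
    for v in ("2.4.1-3+deb12u1", "2.4.1-3+deb12u2"):  # unpatched, then patched
        print(v, assess(v, ADVISORY))
```

The patched build still matches the upstream range because its upstream part is 2.4.1; only the comparison against the distro fixed version clears it.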
