# Vuls — Agent-less Vulnerability Scanner for Linux and Containers

> An open-source, agent-less vulnerability scanner written in Go that detects known vulnerabilities in Linux, FreeBSD, containers, and application dependencies by correlating installed packages with multiple CVE databases.

## Quick Use

```bash
# Install via Go
go install github.com/future-architect/vuls/cmd/vuls@latest

# Fetch vulnerability databases
vuls fetch --nvd --oval --debian --ubuntu

# Configure a scan target
cat > config.toml << EOF
[servers.webserver]
host = "192.168.1.10"
user = "vuls-scan"
EOF

# Run scan and generate report
vuls scan && vuls report
```

## Introduction

Vuls is an agent-less vulnerability scanner that connects to Linux and FreeBSD servers via SSH, inventories installed packages, and cross-references them against NVD, OVAL, and distro-specific advisory databases. It detects unpatched CVEs without installing agents on target hosts, making it practical for scanning large fleets with minimal operational overhead.

## What Vuls Does

- Scans remote servers via SSH without installing any agent software on targets
- Correlates installed OS packages and application libraries against NVD, OVAL, and vendor advisories
- Detects vulnerabilities in containers by scanning Docker images and running containers
- Supports scanning application dependencies (WordPress plugins, Python packages, Node modules)
- Generates prioritized reports with CVSS scores, affected packages, and remediation guidance

## Architecture Overview

Vuls consists of a scanner, a report generator, and a vulnerability database fetcher. The scanner SSHes into targets, runs package manager queries (dpkg, rpm, pkg), and collects installed versions. The fetcher downloads and indexes CVE data from NVD, OVAL, and Debian/Ubuntu/Red Hat advisories into a local database.
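Matching a package inventory against advisories turns on ordering versions the way the target's package manager does. The following is an added example, not Vuls' own code: it implements dpkg's version ordering (epoch, upstream version, Debian revision) in Python and runs a constructed inventory against placeholder advisory rows; it also bears on the FAQ point about backports, since a fix shipped as 2.4.56-1~deb11u2 is only recognised when the fixed version comes from the distro's own advisory data rather than the upstream release.

```python
"""Added example, not Vuls code: dpkg version ordering and installed-vs-fixed matching."""
import re
from itertools import zip_longest

def _rank(c: str) -> int:
    """dpkg's character order: '~' sorts before anything, even the end of the string
    (so 1.0~rc1 < 1.0); letters sort before other punctuation; '' marks the end."""
    if c == "~":
        return -1
    return 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _frag_cmp(a: str, b: str) -> int:
    """Compare an upstream or revision fragment by alternating runs of non-digits
    (lexical by _rank) and digits (numeric, so leading zeros are ignored)."""
    ra, rb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ra, rb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _rank(ca) != _rank(cb):
                return _rank(ca) - _rank(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v: str) -> tuple:
    """Parse [epoch:]upstream[-revision]; the revision follows the LAST hyphen."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a: str, b: str) -> int:
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch, upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _frag_cmp(ua, ub) or _frag_cmp(ra, rb)

def vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is below the advisory's fixed version."""
    return compare(installed, fixed) < 0

def match(inventory: dict, advisories: list) -> list:
    """(CVE, package, installed, fixed) for each advisory whose package is installed below
    its fixed version; use the distro's own fixed version (e.g. 2.4.56-1~deb11u2), not upstream's."""
    return [(cve, pkg, inventory[pkg], fixed) for cve, pkg, fixed in advisories
            if pkg in inventory and vulnerable(inventory[pkg], fixed)]

# Constructed sample data: a fake dpkg inventory and placeholder advisory rows.
INVENTORY = {"apache2": "2.4.56-1~deb11u1", "openssl": "1.1.1n-0+deb11u4",
             "bash": "5.1-2+deb11u1"}
ADVISORIES = [("CVE-EXAMPLE-0001", "apache2", "2.4.56-1~deb11u2"),
              ("CVE-EXAMPLE-0002", "openssl", "1.1.1n-0+deb11u4"),
              ("CVE-EXAMPLE-0003", "bash", "1:5.1-2")]
```

Comparing the backported apache2 build against the upstream fix release instead (say 2.4.57) reports it vulnerable, which is exactly the backport false positive the FAQ describes.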
The report engine matches installed versions against known vulnerable ranges and produces JSON, HTML, or terminal output with severity rankings.

## Self-Hosting & Configuration

- Install the single Go binary; no runtime dependencies beyond SSH access to targets
- Configure targets in `config.toml` with SSH connection details and optional sudo settings
- Fetch vulnerability databases with `vuls fetch` before the first scan (supports incremental updates)
- Schedule scans via cron and pipe results to Slack, email, or webhook notifications
- Use VulsRepo (companion web UI) to browse historical scan results and track remediation progress

## Key Features

- Agent-less scanning requires only SSH access and read permissions on package databases
- Multi-database correlation (NVD, OVAL, Debian, Ubuntu, Red Hat, Amazon Linux, SUSE)
- Container scanning for Docker images without running them
- CVSS-based severity ranking with exploitability indicators from the CISA KEV catalog
- Integration with Slack, email, Syslog, and custom webhooks for alerting

## Comparison with Similar Tools

- **Trivy** — scans container images and filesystems with a bundled database; Vuls focuses on live server scanning via SSH
- **OpenVAS** — full vulnerability assessment suite with active network probing; Vuls is lighter and package-focused, without intrusive scanning
- **Qualys/Nessus** — commercial vulnerability management platforms; Vuls is free, open-source, and self-hosted
- **OSV-Scanner** — focused on open-source dependency vulnerabilities; Vuls covers both OS packages and application dependencies

## FAQ

**Q: Does Vuls require root access on scanned servers?**
A: No. It needs read access to package manager databases. Sudo is optional and only needed for specific advanced checks like changelog parsing.

**Q: How often should I update the vulnerability databases?**
A: Daily fetches are recommended. NVD and vendor advisories publish new CVEs continuously, and stale databases will miss recent disclosures.
**Q: Can Vuls scan Windows servers?**
A: No. Vuls targets Linux, FreeBSD, and their container ecosystems. For Windows vulnerability scanning, consider tools like Windows Update or commercial solutions.

**Q: How does Vuls handle false positives?**
A: Vuls matches exact package versions against advisory data. False positives are rare but can occur with backported patches; use distro-specific OVAL data to minimize them.

## Sources

- https://github.com/future-architect/vuls
- https://vuls.io/

---
Source: https://tokrepo.com/en/workflows/asset-4dbf5097
Author: AI Open Source