DEV.co
Open-Source Security · future-architect

vuls

Vuls is an agent-less vulnerability scanner written in Go that detects security issues across Linux, FreeBSD, containers, and other environments. It pulls from multiple vulnerability databases (NVD, OVAL, security advisories) and can run without root privileges or SSH in certain modes, making it suitable for continuous scanning in CI/CD pipelines.

Source: GitHub — github.com/future-architect/vuls
12.2k
GitHub stars
1.2k
Forks
Go
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryfuture-architect/vuls
Ownerfuture-architect
Primary languageGo
LicenseGPL-3.0 — OSI-approved
Stars12.2k
Forks1.2k
Open issues84
Latest releasev0.39.3 (2026-06-09)
Last updated2026-07-07
Sourcehttps://github.com/future-architect/vuls

What vuls is

Agent-less Go application that performs vulnerability assessment by querying installed packages against NVD, OVAL, and distribution-specific security advisories. Supports multiple scan modes (remote SSH, local, server/HTTP), can detect non-OS package vulnerabilities via lockfiles and CPE scanning, and integrates with GitHub and OWASP Dependency-Check.

Quickstart

Get the vuls source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/future-architect/vuls.gitcd vuls# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Continuous vulnerability scanning in CI/CD

Integrates easily into automated pipelines without agent installation. Fast scan mode requires no root or dependencies, enabling daily vulnerability checks with minimal server load.

Multi-OS fleet vulnerability audits

Single Vuls server can scan heterogeneous Linux/FreeBSD/Windows/macOS infrastructure via SSH or local commands. Supports offline scanning for air-gapped environments (CentOS, Debian, RHEL, Ubuntu, etc.).

Application dependency and WordPress vulnerability detection

Extends beyond OS packages to detect vulnerabilities in programming language libraries (via lockfile scanning), WordPress plugins/themes, and network devices. Integrates with GitHub security alerts and Exploit-DB for PoC tracking.

Implementation considerations

  • Choose scan mode based on environment: Fast Scan (no root, no agents) for minimal overhead; Fast Root Scan for process-level detection; Remote (SSH-based) for centralized management; Server/HTTP for air-gapped targets.
  • Plan vulnerability database refresh strategy: offline mode requires pre-downloaded DB for CentOS, Debian, RHEL, Fedora, Ubuntu, Oracle Linux. Real-time scanning requires internet access to NVD, OVAL, and advisory feeds.
  • Integrate SSH key management and network connectivity between Vuls scanner and remote targets; Server mode eliminates SSH but requires HTTP/HTTPS ingress from target systems.
  • Configure output routing (email, Slack, TUI Viewer, Web UI via VulsRepo) and retention policy for scan results; no built-in patch management, so coordinate findings with separate change management workflow.
  • Validate OS/distribution support: Alpine, Amazon Linux, CentOS, Alma, Rocky, Debian, RHEL, openSUSE, Fedora, Ubuntu, FreeBSD, Windows, macOS are listed; test with your specific OS versions before production rollout.

When to avoid it — and what to weigh

  • You need automated remediation — Vuls explicitly does not update vulnerable packages; it only detects and reports. Requires separate orchestration for patch deployment.
  • GPL-3.0 incompatible with your license strategy — GPL-3.0 requires derivative works to be open-source. If you cannot distribute modifications under GPL-3.0, commercial or proprietary embedding is problematic without seeking legal review.
  • You require pre-authorization scanning of external cloud infrastructure — While Vuls works well with AWS without pre-authorization per the README, integration with other cloud providers or strict access control policies may require verification.
  • Real-time, zero-latency vulnerability alerting is critical — Vuls relies on periodic scans (CRON-based); it is not designed for streaming real-time threat detection or immediate anomaly response.

License & commercial use

GPL-3.0 (GNU General Public License v3.0). Copyleft license: derivative works and modifications must be distributed under GPL-3.0, with source code made available.

Commercial use of unmodified Vuls is permissible under GPL-3.0. However, if you modify, embed, or integrate Vuls into proprietary products, you must distribute the modified source under GPL-3.0. Internal business use of unmodified software is allowed. Requires legal review before embedding in closed-source systems or SaaS offerings.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Vuls is a scanning and detection tool, not a defense mechanism. No exploit execution or active remediation. Considers: (1) Scanner identity and SSH keys require protection; (2) Scan results contain sensitive asset inventory and vulnerability data—protect output and logs; (3) Agent-less scanning reduces attack surface on targets compared to agent-based alternatives; (4) Offline mode isolates scanner from internet in air-gapped networks; (5) No security audit or formal security testing data provided in README. Requests for vulnerability disclosures or security posture should be directed to project maintainers.

Alternatives to consider

OpenVAS

Full-featured vulnerability assessment platform with active scanning, agent-based and agent-less modes, and authenticated/unauthenticated scans. Heavier resource footprint; different license (AGPL-3.0 core, some modules proprietary). Better for comprehensive IT asset discovery.

Trivy (Aqua Security)

Lightweight, container-focused vulnerability scanner (Apache 2.0 license) that excels at scanning container images, filesystems, and application dependencies. Simpler CI/CD integration, broader OS/arch support. Less suitable for OS-level system scanning at scale.

Qualys VMDR / Rapid7 Nexpose

Cloud-managed SaaS vulnerability management platforms with real-time threat intelligence, automated remediation workflows, and compliance reporting. Proprietary, recurring cost, but eliminate local infrastructure and database management overhead.

Software development agency

Build on vuls with DEV.co software developers

Vuls is ideal for teams seeking lightweight, agent-less vulnerability detection integrated into CI/CD pipelines. Confirm GPL-3.0 licensing aligns with your compliance requirements, then pilot Fast Scan mode in a non-production environment to validate OS support and integration with your existing security stack.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

vuls FAQ

Does Vuls automatically patch vulnerable packages?
No. Vuls detects and reports vulnerabilities only. Patch deployment must be handled separately via your package manager, configuration management, or orchestration tools.
Can I use Vuls without SSH access to target servers?
Yes. Vuls offers three alternatives: (1) Local Scan mode—run Vuls directly on each target; (2) Server mode—targets send vulnerability data via HTTP to a central Vuls server; (3) Fast Scan mode—no root or agent required, minimal output.
Is Vuls suitable for CI/CD pipelines?
Yes. Vuls integrates well with CI/CD due to agent-less architecture, fast scan mode, JSON output, and ability to run offline. No pre-authorization needed on AWS. Can be scheduled daily or per-commit.
What vulnerability databases does Vuls use?
NVD, JVN (Japanese), OVAL (Red Hat, Debian, Ubuntu, SUSE, Oracle Linux), security advisories (Alpine, Red Hat, Debian, Ubuntu), package manager commands (yum, zypper, pkg-audit), PoC sources (Exploit-DB, Metasploit, MITRE ATT&CK), CISA KEV, and wpscan for WordPress.

Work with a software development agency

Need help beyond evaluating vuls? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Evaluate Vuls for Your Infrastructure

Vuls is ideal for teams seeking lightweight, agent-less vulnerability detection integrated into CI/CD pipelines. Confirm GPL-3.0 licensing aligns with your compliance requirements, then pilot Fast Scan mode in a non-production environment to validate OS support and integration with your existing security stack.