Runs wherever you build
The Vulnetix CLI is a single static Go binary — no runtime dependencies. Drop it into any CI/CD platform that runs a shell command. Supported platforms include:
GitHub Actions · GitLab CI/CD · Azure DevOps · Jenkins · CircleCI · Bitbucket Pipelines · Buildkite · Travis CI · Drone CI · Tekton · AWS CodeBuild · Google Cloud Build · Harness CI · Codefresh · TeamCity · Bamboo · Argo Workflows · Woodpecker CI · Gitea Actions · Forgejo Actions · Spacelift · Semaphore CI · Buddy · Earthly · Dagger · Depot
Supported Architectures
48+ platforms supported
Cross-compiled from Go with CGO_ENABLED=0 for maximum portability. No glibc dependency. Supports bare metal (no container required).
Linux
amd64 · arm64 · 386 · arm · ppc64le · ppc64 · s390x · riscv64 · loong64 · mips64 · mips64le
macOS
amd64 · arm64 (Apple Silicon)
Windows
amd64 · 386 · arm64 · arm
FreeBSD
amd64 · arm64 · 386 · arm
Other
android/arm64 · android/amd64 · ios/arm64 · netbsd/amd64 · openbsd/amd64 · js/wasm · wasip1/wasm
200+ tools. Zero lock-in.
If your tool outputs SARIF, CycloneDX, or SPDX, Vulnetix ingests it. Here is every tool we've confirmed, by category.
SAST — Static Application Security Testing
GitHub CodeQL · Semgrep · OpenGrep · Snyk Code · SonarQube · SonarCloud · Checkmarx One · OpenText Fortify · Coverity · Veracode · GoSec · govulncheck · Bearer CLI · Bandit · Brakeman · PMD · ESLint · Puma Scan Pro · ShiftLeft / Qwiet AI · Apiiro · Cycode · zizmor · Mend SAST · MegaLinter · Rust Clippy · Hadolint · ShellCheck · Microsoft Security DevOps · Roslyn Analyzers · Binskim · 42Crunch · Contrast Security · SpotBugs · Facebook Infer · Detekt · DevSkim · Flawfinder · cppcheck · Psalm · PHPStan · Ruff · Trunk Check · Security Code Scan · Nodejsscan · Insider · Aikido Security
SCA — Software Composition Analysis
Snyk Open Source · Black Duck · Mend SCA · FOSSA · Endor Labs · Gemnasium / GitLab · OWASP Dependency-Check · OSV Scanner · Dependabot · npm audit · Yarn CycloneDX · cdxgen (OWASP) · Sonatype Nexus IQ · Anchore Grype · Anchore Syft · JFrog Xray · OSS Review Toolkit · ScanCode Toolkit · FOSSology · Amazon Inspector · Checkmarx CxSCA · OpenText Debricked · Coinbase Salus · NowSecure · Parlay · Socket · Phylum · Renovate · Retire.js · Dependency-Track · Arnica
DAST — Dynamic Application Security Testing
OWASP ZAP · Nuclei · Burp Suite · 42Crunch · Spectral · Invicti · Acunetix · Nikto · Wapiti · Arachni · w3af · Bright Security · StackHawk · Rapid7 AppSpider · Qualys WAS · Aptori
MAST — Mobile Application Security Testing
MobSF · mobsfscan · NowSecure · Quixxi · Ostorlab · Appknox
Container & Image Scanning
Trivy · Snyk Container · Grype (Anchore) · Syft (Anchore) · Prisma Cloud · Wiz · Qualys QScanner · Deepfence ThreatMapper · Chainguard apko · KubeClarity · docker-sbom · Docker Scout · Clair · Dockle · Aqua Security · Sysdig Secure · Falco · Tern · Kubescape
Cloud Security & CSPM
Wiz · Prisma Cloud · Orca Security · Lacework · Aqua Security · Microsoft Defender for Cloud · Microsoft Defender for DevOps · Prowler · ScoutSuite · CloudSploit · Steampipe · CloudQuery · CrowdStrike Falcon · AWS Security Hub
IaC & Cloud Configuration
KICS · Checkov · Terrascan · tfsec · Snyk IaC · Templateanalyzer · Trivy IaC · cfn-lint · cfn-nag · Terraform Compliance · Pulumi Policy · Pike · Regula
Secret Scanning
Gitleaks · TruffleHog · GitGuardian · detect-secrets · GitHub Secret Scanning · Semgrep Secrets · Talisman · Whispers · CredScan · Betterleaks
Network & Vulnerability Scanners
Nessus (Tenable) · OpenVAS / Greenbone · Qualys VMDR · Rapid7 InsightVM · Nmap · Nexpose · CrowdStrike Falcon Spotlight · Pentest-Tools.com · Intruder · Shodan
Compilers, Linters & Code Quality
LLVM / Clang · GCC · Rust Clippy · CMake · Roslyn (.NET) · Binskim · golangci-lint · Pylint · Ruff · RuboCop · Biome · Stylelint · SwiftLint · ktlint · Android Lint · Detekt · Code Climate · lintr
SBOM Generation
Anchore Syft · cdxgen (OWASP) · Microsoft SBOM Tool · SPDX SBOM Generator · Tern · DISTRO2SBOM · Cosign (Sigstore) · CycloneDX CLI · CycloneDX Maven Plugin · CycloneDX Gradle Plugin · CycloneDX Node Module · CycloneDX Python · CycloneDX PHP Composer · CycloneDX Rust Cargo · CycloneDX .NET · CycloneDX Go Module · CycloneDX Ruby Gem · Docker Scout SBOM · GitHub SBOM Export
Compliance & Policy Engines
Open Policy Agent (OPA) · Gatekeeper · Kyverno · Conftest · Regula · Datree · Polaris · MITRE SAF
License Compliance
FOSSA · OSS Review Toolkit · ScanCode Toolkit · FOSSology · Black Duck · Mend SCA · SW360 · ClearlyDefined · LicenseFinder
Fuzzing
AFL++ · libFuzzer · OSS-Fuzz · Honggfuzz · Jazzer · ClusterFuzz · Atheris · Boofuzz
Pentest, Bug Bounty & Vulnerability Disclosure
PlexTrac · Dradis · Faraday · Ghostwriter · AttackForge · HackerOne · Bugcrowd · Intigriti · YesWeHack · Synack · Cobalt
Supported Formats
Three standards. Total coverage.
Vulnetix ingests the three dominant security data formats. If your tool produces SARIF, CycloneDX, or SPDX — it works out of the box.
SARIF — 50+ tools
Static Analysis Results Interchange Format. The Microsoft/GitHub standard for static analysis results. Native upload to GitHub Code Scanning, Azure DevOps, and SonarQube. Every major SAST, SCA, and IaC tool outputs SARIF.
GitHub Code Scanning · Azure DevOps · SonarQube
CycloneDX — 30+ tools
OWASP SBOM Standard (v1.6). The security-first Software Bill of Materials standard from OWASP. Supports VEX (Vulnerability Exploitability eXchange), dependency tracking, license compliance, and supply chain transparency.
SBOM · VEX · Supply Chain
SPDX — 20+ tools
Linux Foundation SBOM Standard (v2.3). The ISO/IEC 5962 international standard for communicating software bill of materials. Compliance-focused, widely adopted in legal and regulatory contexts for license and provenance tracking.
ISO Standard · Compliance · License
Also supported: native Wiz findings format ingestion and the native SonarQube proprietary format.
Quickstart
Integrate in 5 minutes
Install the CLI, point it at your security reports, and push results in a single pipeline step. Works with every CI/CD platform that runs a shell command.
go install github.com/vulnetix/vulnetix@latest
Or install via the universal script, or run the container image:
curl -fsSL https://raw.githubusercontent.com/vulnetix/vulnetix/main/install.sh | sh
# or:
docker run --rm -v "$(pwd)":/workspace vulnetix/vulnetix:latest
- Single static Go binary — no runtime, no agents, no infrastructure changes
- Runs on Linux, macOS, Windows, FreeBSD and more — 48+ OS/architecture targets
- Ingests SARIF, CycloneDX, and SPDX from 200+ confirmed tools
- Drops into 26 CI/CD platforms — anything that runs a shell command
- One pipeline step uploads your security reports for centralized triage
See how your tools connect
Book a walkthrough with our team or get started for free today.