michaelsc44/vulnscope

GitHub: michaelsc44/vulnscope

A CLI vulnerability scanner for Linux systems that detects known CVEs in the OS, the kernel and packages from several language ecosystems by aggregating multiple data sources.

Stars: 0 | Forks: 0

# VulnScope

A CLI vulnerability scanner for Linux systems. It inventories your OS, kernel and every installed package, then queries [OSV.dev](https://osv.dev), [NVD]() and [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) to list all known CVEs.

Results are shown in a rich interactive Textual TUI, or piped out as JSON/CSV/SARIF for CI integration.

## Features

- **Multi-ecosystem inventory**: dpkg, rpm, apk, pip, npm, cargo, docker
- **Vulnerability sources**: OSV.dev (primary), NVD API 2.0, CISA Known Exploited Vulnerabilities
- **Interactive TUI**: filterable/searchable/sortable table with a detail panel
- **CI friendly**: `--json`, `--csv`, `--sarif`, `--html` output modes; exit code 1 when findings are present
- **Local SQLite cache**: 24-hour TTL, so repeat scans do not hit the APIs again
- **CISA KEV highlighting**: see at once which findings are being actively exploited in the wild

## Installation

```
# Recommended: pipx (isolated install)
pipx install vulnscope

# Or: pip
pip install vulnscope

# Or: clone + editable install
git clone https://github.com/michaelsc44/vulnscope.git
cd vulnscope
pip install -e .
```

## Usage

```
# Full interactive TUI scan
vulnscope

# Non-interactive table output
vulnscope scan --no-ui

# Filter by severity
vulnscope scan --no-ui --severity high

# Machine-readable output
vulnscope scan --json | jq '.vulnerabilities[] | select(.severity == "critical")'
vulnscope scan --csv > report.csv
vulnscope scan --sarif > results.sarif   # GitHub Advanced Security compatible
vulnscope scan --html report.html

# Inventory only (no vulnerability lookup)
vulnscope inventory

# Cache management
vulnscope cache clear
vulnscope cache info
```

### CI / GitHub Actions

```
- name: Scan for vulnerabilities
  run: |
    pip install vulnscope
    vulnscope scan --sarif > results.sarif  # exits 1 if vulnerabilities found

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

Because the scan step exits 1 whenever something is found, GitHub Actions fails the job there and skips the upload step on exactly the runs that have findings. Put `if: always()` on the upload step (or `continue-on-error: true` on the scan step) if you want the SARIF to reach code scanning as well as the failing status.

## Configuration

Create `~/.config/vulnscope/config.toml`:

```
[nvd]
api_key = ""  # Optional — free key at https://nvd.nist.gov/developers/request-an-api-key
              # Raises the rate limit from 5/30s to 50/30s

[scan]
ecosystems = ["os", "deb", "rpm", "pypi", "npm", "cargo", "apk"]
skip = []               # Ecosystems to skip
docker_contents = false

[cache]
ttl_hours = 24          # Cache TTL in hours
```

Or via an environment variable:

```
export NVD_API_KEY=your-key-here
```

## Architecture

```
vulnscope/
├── cli.py                # Click CLI entry point
├── scanner.py            # Async pipeline orchestrator
├── matcher.py            # Version comparison (semver, deb, rpm)
├── models.py             # Dataclasses: InstalledPackage, Vulnerability, ScanResult
├── config.py             # Config loading, platformdirs paths
├── inventory/            # System package collectors
│   ├── os_info.py        # /etc/os-release + uname
│   ├── dpkg.py           # Debian/Ubuntu
│   ├── rpm.py            # RHEL/Fedora/SUSE
│   ├── apk.py            # Alpine
│   ├── pip_packages.py   # Python packages
│   ├── npm_packages.py   # Node.js global
│   ├── cargo_packages.py # Rust crates
│   └── docker_images.py  # Docker images
├── databases/            # Vulnerability data sources
│   ├── osv.py            # OSV.dev batch API
│   ├── nvd.py            # NVD API 2.0 + CPE queries
│   ├── kev.py            # CISA KEV catalog
│   └── cache.py          # SQLite cache
├── ui/
│   ├── app.py            # Textual interactive TUI
│   ├── tables.py         # Rich non-interactive table
│   └── detail_view.py    # CVE detail panel
└── export/
    ├── json_export.py
    ├── csv_export.py
    ├── sarif_export.py   # SARIF 2.1.0
    └── html_export.py
```

## Development

```
git clone https://github.com/michaelsc44/vulnscope.git
cd vulnscope
pip install -e ".[dev]"
pytest tests/ -v
ruff check vulnscope tests
```

## License

MIT. See [LICENSE](LICENSE).
Tags: CI/CD security, CISA KEV, Claude, CVE detection, GPT, Llama, NVD, OSV, Python, SARIF, SBOM, Textual, TUI, Vercel, web screenshots, dependency scanning, encryption, subdomain enumeration, container security, password management, plugin system, no backdoor, wireless security, model providers, vulnerability scanner, vulnerability management, hardware-agnostic, system security, terminal user interface, computer forensics, reverse engineering tools, configuration audit