CLI reference
The vulnapi CLI covers API security scanning, discovery, and JWT utilities.
scan curl Scan a single API endpoint using curl-style options.
scan openapi Scan all endpoints defined in an OpenAPI specification.
scan graphql Scan a GraphQL endpoint.
discover api Discover well-known paths and technology fingerprints for an API.
discover domain Discover API endpoints across common subdomains.
jwt generate Generate a new JWT from an existing token with a different algorithm or key.
serve Start the VulnAPI HTTP server in REST API mode.
Global usage
Section titled “Global usage”vulnapi <command> [flags]vulnapi --helpvulnapi versionAll commands exit 0 on success and non-zero on error.
Global flags
Section titled “Global flags”| Flag | Description |
|---|---|
--sqa-opt-out | Opt out of anonymous usage statistics and crash reporting |
-h, --help | Show help for any command |
Common flags
Section titled “Common flags”All scan and discover commands share these flags. HTTP client flags follow the same conventions as curl.
| Flag | Default | Description |
|---|---|---|
--rate <rate> | “ | Request rate limit (e.g. 10/s, 1/m) |
-x, --proxy <url> | “ | Proxy URL for all requests |
-H, --header <header> | “ | Header to include in requests (repeatable) |
-b, --cookie <cookie> | “ | Cookie to include in requests (repeatable) |
-u, --user <user:pass> | “ | Username and password for HTTP Basic authentication |
--basic | “ | Use HTTP Basic Auth (use with -u) |
--digest | “ | Use HTTP Digest Auth (use with -u) |
--scans <scan-id> | “ | Run only specific scans (repeatable; supports wildcards like jwt.*) |
--exclude-scans <scan-id> | “ | Exclude specific scans (repeatable) |
--report-format <format> | table | Output format: table, json, yaml |
--report-transport <transport> | file | Report transport: file, http |
--report-file <path> | “ | File path to write the report to |
--report-url <url> | “ | URL to send the report to (when --report-transport http) |
--no-progress | false | Disable the progress bar |
--severity-threshold <score> | 1.0 | CVSS threshold above which output is also written to stderr |
Deprecated:
--rate-limit(-r) was replaced by--rate. The old flag is still accepted as an alias.
Exit behaviour
Section titled “Exit behaviour”When at least one finding has a CVSS score above --severity-threshold, VulnAPI writes output to stderr in addition to stdout. This causes || exit 1 patterns and CI/CD failure checks to trigger automatically. The default threshold is 1.0, meaning any finding with CVSS > 1.0 triggers stderr output.