Skip to content

CLI reference

The vulnapi CLI covers API security scanning, discovery, and JWT utilities.

Terminal window
vulnapi <command> [flags]
vulnapi --help
vulnapi version

All commands exit 0 on success and non-zero on error.

FlagDescription
--sqa-opt-outOpt out of anonymous usage statistics and crash reporting
-h, --helpShow help for any command

All scan and discover commands share these flags. HTTP client flags follow the same conventions as curl.

FlagDefaultDescription
--rate <rate>Request rate limit (e.g. 10/s, 1/m)
-x, --proxy <url>Proxy URL for all requests
-H, --header <header>Header to include in requests (repeatable)
-b, --cookie <cookie>Cookie to include in requests (repeatable)
-u, --user <user:pass>Username and password for HTTP Basic authentication
--basicUse HTTP Basic Auth (use with -u)
--digestUse HTTP Digest Auth (use with -u)
--scans <scan-id>Run only specific scans (repeatable; supports wildcards like jwt.*)
--exclude-scans <scan-id>Exclude specific scans (repeatable)
--report-format <format>tableOutput format: table, json, yaml
--report-transport <transport>fileReport transport: file, http
--report-file <path>File path to write the report to
--report-url <url>URL to send the report to (when --report-transport http)
--no-progressfalseDisable the progress bar
--severity-threshold <score>1.0CVSS threshold above which output is also written to stderr

Deprecated: --rate-limit (-r) was replaced by --rate. The old flag is still accepted as an alias.

When at least one finding has a CVSS score above --severity-threshold, VulnAPI writes output to stderr in addition to stdout. This causes || exit 1 patterns and CI/CD failure checks to trigger automatically. The default threshold is 1.0, meaning any finding with CVSS > 1.0 triggers stderr output.