Skip to main content
The VulnScan CLI provides the same core scanning engine as the Web UI. Use it for automation, scheduled jobs, CI/security pipelines, repeatable analyst workflows, offline preparation, and scripted report export. For interactive triage and team collaboration, use the Web UI first and then automate stable workflows with the CLI.

Command Overview

CommandPurpose
activateActivate a license key or offline activation file.
licenseShow current license status and limits.
fingerprintPrint the host identifier for offline activation.
deactivateRelease the license activation from the current machine.
webStart the Web UI server.
scanRun a vulnerability scan and export CSV, JSON, or PDF.
subdomainEnumerate subdomains for a domain.
prep-offlinePrepare scanner artifacts and vulnerability intelligence for restricted environments.
updateUpdate the VulnScan application and data where supported.
versionPrint version information.

Global Flags

FlagDescription
-c, --configPath to the configuration file. Default: ./configs/default.yaml.
--log-levelLog level: debug, info, warn, or error.
-v, --verboseEnable verbose output.
Use the same configuration file for Web UI and CLI workflows when CLI scan results should appear in the same workspace database.

Activate

Online activation: 
vulnscan activate --license CYSTACK-XXXX-XXXX-XXXX-XXXX
Offline activation: 
vulnscan fingerprint
vulnscan activate --file activation.dat
Flags:
FlagDescription
--licenseLicense key supplied by CyStack.
--fileOffline activation file supplied by CyStack.
Run vulnscan license after activation to verify target scope, expiration, activation count, and feature availability.

License, Fingerprint, and Deactivation

Show license status: 
vulnscan license
Print the host identifier: 
vulnscan fingerprint
Deactivate the current machine: 
vulnscan deactivate
Deactivate before permanently moving VulnScan to another host so the activation can be reused according to the license policy.

Start the Web UI

Start on the default local address: 
vulnscan web
Bind to a shared interface and set the data directory: 
vulnscan web --bind 0.0.0.0:8080 --data-dir /var/lib/cystack-vulnscan
Flags:
FlagDescription
--bindAddress and port for the Web UI server.
--data-dirWorkspace data directory for database, reports, license state, and runtime files.
On first run, open the printed URL and create the initial administrator account.

Scan

The scan command runs discovery, fingerprinting, vulnerability detection, enrichment, deduplication, risk scoring, persistence, and report export.

Scan One Target

vulnscan scan --target https://app.acme.com --output ./reports --format json,csv --lang en

Scan Multiple Targets

vulnscan scan --target https://app.acme.com --target https://api.acme.com --output ./reports --format json,csv

Scan From a Target File

Create targets.txt: 
https://app.acme.com
https://api.acme.com
203.0.113.21
203.0.113.0/28
Run: 
vulnscan scan --target-file ./targets.txt --output ./reports --format json,csv

Include Subdomains

vulnscan scan --target acme.com --include-subdomains --output ./reports --format json,csv
Use this for licensed root domains where you want broader external attack-surface coverage.

Authenticated Web Scan

Cookie-based session: 
vulnscan scan --target https://portal.acme.com --cookie "session=REDACTED; tenant=acme" --output ./reports --format json,csv
Bearer token or API key: 
vulnscan scan --target https://api.acme.com -H "Authorization: Bearer REDACTED" -H "X-Tenant: acme" --output ./reports --format json,csv
HTTP Basic Auth: 
vulnscan scan --target https://staging.acme.com --basic-auth "scanner:REDACTED" --output ./reports --format json,csv
Use dedicated test accounts and avoid personal administrator sessions unless your assessment policy explicitly allows them.

Generate Reports

CSV and JSON: 
vulnscan scan --target https://app.acme.com --output ./reports --format csv,json
PDF with English labels: 
vulnscan scan --target https://app.acme.com --output ./reports --format pdf --lang en
PDF with Vietnamese labels where supported: 
vulnscan scan --target https://app.acme.com --output ./reports --format pdf --lang vi

Scan Flags

FlagDescription
--targetTarget IP, CIDR, range, domain, or URL. Repeatable.
--target-fileFile containing one target per line.
--include-subdomainsDiscover and include subdomains for domain targets.
--cookieCookie string used for authenticated web scanning.
--basic-authHTTP Basic Auth credentials in user:password format.
-H, --headerCustom HTTP header. Repeatable.
-o, --outputOutput directory for report files.
--formatReport format list: json, csv, pdf.
--langReport language: en or vi.

Subdomain Discovery

Enumerate subdomains: 
vulnscan subdomain --target acme.com
Return JSON: 
vulnscan subdomain --target acme.com --json
Flags:
FlagDescription
--targetRoot domain to enumerate.
--jsonOutput discovery results as JSON.
Use subdomain discovery before broad scans when you need to understand scope and target count.

Offline Preparation

Prepare scanner artifacts and vulnerability intelligence data for offline or pre-baked environments: 
vulnscan prep-offline
Run this before moving an installation package into a restricted network. Offline deployments still need a valid license and update process.

Update and Version

Print version: 
vulnscan version
Update VulnScan: 
vulnscan update
Follow your organization’s change-management process before updating production scanners.

Automation Patterns

Nightly External Scan

vulnscan scan --target-file ./production-targets.txt --include-subdomains --output ./nightly-reports --format json,csv --lang en

CI Security Gate

vulnscan scan --target https://staging.acme.com -H "Authorization: Bearer REDACTED" --output ./ci-reports --format json --log-level warn

Vietnamese Customer Report

vulnscan scan --target https://customer-portal.acme.com --output ./customer-report --format pdf --lang vi

CLI Quality Checklist

  • Use licensed targets only.
  • Keep the CLI configuration aligned with the Web UI workspace when data consistency is required.
  • Prefer target files for repeatable automation.
  • Use dedicated test credentials for authenticated scans.
  • Store reports in a controlled output directory.
  • Use JSON for integrations and CSV for remediation tracking.
  • Review high-severity results in the Web UI when collaborative triage is needed.