VulnHunter v2.0.2

Your dependencies have secrets. VulnHunter finds them.

Offline vulnerability scanner with AI-powered triage.
No cloud, no API calls, no data leaves your machine.


Why VulnHunter?

Offline First

Your code never leaves your machine. All scanning happens locally against a pre-built vulnerability database. Air-gapped environments welcome.

AI-Powered Triage

Local LLM analysis via Ollama. The AI reads your actual source code, correlates with CVE data, and tells you exactly where you're exposed.

Multi-Ecosystem

Python, Node.js, Go, Rust, Java, PHP, Ruby. VulnHunter parses lockfiles, manifests, and dependency trees across 7 ecosystems and 15+ file formats.

SARIF Export

Generate SARIF 2.1.0 reports for GitHub Code Scanning integration and VS Code SARIF Viewer. Drop findings directly into your workflow.

Secure by Design

API keys stored in your OS keyring, never in plaintext. No secrets in logs, no data exfiltration. Built by a cybersecurity professional.

Transitive Dependencies

Goes beyond direct deps. Integrates with pipdeptree, npm, mvn, composer, and go to scan the full dependency tree for hidden vulnerabilities.

Up and Running in 60 Seconds

Installation
$ pip install vulnhunter
Successfully installed vulnhunter-2.0.0
 
$ vulnhunter init
VulnHunter v2.0.2
Checking Ollama... ✓
Downloading database... ✓
Setup complete!
First Scan
$ vulnhunter scan .
Scanning dependencies...
Found: requirements.txt, package-lock.json
 
Scan Results
CRITICAL 2
HIGH 5
MEDIUM 3
LOW 1

Usage Examples

Basic Scan

Point VulnHunter at any project directory. It auto-detects lockfiles and manifests across all supported ecosystems.

basic-scan
$ vulnhunter scan /path/to/project

AI-Powered Triage

Add --ai-triage to let a local LLM analyze each vulnerability against your actual codebase. It identifies which CVEs are actually exploitable in your context.

ai-triage
$ vulnhunter scan . --ai-triage --model llama3:8b
AI Triage ━━━━━━━━━━━━━━━━ 100%
┃ CVE-2024-1234 │ CRITICAL → LOW (not reachable in your code)
┃ CVE-2024-5678 │ HIGH → HIGH (endpoint /api/auth exposed)

SARIF Export

Export results in SARIF 2.1.0 format for GitHub Code Scanning or VS Code SARIF Viewer. Integrates directly into your CI/CD pipeline.

sarif-export
$ vulnhunter scan . --format sarif -o results.sarif
✓ SARIF report saved to results.sarif

Database Management

Download the pre-built database from GitHub Releases or build your own from OSV and NVD sources. Auto-updated weekly via GitHub Actions.

database
$ vulnhunter db download
Downloading from DevGreick/VulnHunter releases...
✓ Database saved to ~/.vulnhunter/vulnhunter.db
 
$ vulnhunter db update --all --source osv
Fetching OSV data for all ecosystems...
✓ 248,391 vulnerabilities indexed

Configuration

Manage settings, API keys, and AI preferences. NVD keys are stored securely in your OS keyring, never in plaintext config files.

config
$ vulnhunter config
Current Configuration
AI Triage enabled
Model llama3:8b
NVD API Key ✓ saved
 
$ vulnhunter config set-nvd-key
NVD API key: ********
✓ NVD API key saved securely in system keyring.

CI/CD Integration

Add VulnHunter to your GitHub Actions pipeline. Fail builds on critical vulnerabilities and upload SARIF to GitHub Security tab.

.github/workflows/security.yml
# steps fragment; the job also needs `permissions: security-events: write`
# for the upload-sarif step to be allowed to write to the Security tab
- name: Scan dependencies
  run: |
    pip install vulnhunter
    vulnhunter scan . --format sarif -o results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
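The workflow above uploads the report but does not itself fail the build on critical findings. The following is an added example (not VulnHunter's own code) of a gate script that counts SARIF 2.1.0 results by severity and exits non-zero; it assumes the GitHub convention of a `security-severity` score on each rule, and the embedded SARIF document is constructed for illustration.

```python
import json
import sys

# Constructed SARIF 2.1.0 sample (not real VulnHunter output). Rule ids are the
# CVEs quoted on this page; the security-severity scores are illustrative.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "VulnHunter", "rules": [
            {"id": "CVE-2024-1234", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-2024-5678", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-2024-3651", "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "CVE-2024-1234", "level": "error", "message": {"text": "requests 2.31.0"}},
            {"ruleId": "CVE-2024-5678", "level": "error", "message": {"text": "flask 2.3.2"}},
            {"ruleId": "CVE-2024-3651", "level": "warning", "message": {"text": "idna 3.6"}},
        ],
    }],
})

_BUCKETS = (("CRITICAL", 9.0), ("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 0.1))  # CVSS v3 ratings, highest first

def severity_bucket(score):
    """Map a 0.0-10.0 security-severity score to its CVSS v3 rating name."""
    for name, threshold in _BUCKETS:
        if score >= threshold:
            return name
    return "NONE"

def count_by_severity(sarif_text):
    """Count results per rating by joining each result to its rule's score;
    a result whose rule carries no score is kept under NONE, not dropped."""
    counts = {}
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        score_of = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                    for r in rules}
        for res in run.get("results", []):
            bucket = severity_bucket(score_of.get(res.get("ruleId"), 0.0))
            counts[bucket] = counts.get(bucket, 0) + 1
    return counts

def should_fail(counts, fail_on=("CRITICAL",)):
    """True when any finding falls in a rating the pipeline refuses to ship."""
    return any(counts.get(bucket, 0) > 0 for bucket in fail_on)

if __name__ == "__main__":  # usage (hypothetical file name): python sarif_gate.py results.sarif
    sys.exit(1 if should_fail(count_by_severity(open(sys.argv[1]).read())) else 0)
```

Run as a step between the scan and the upload so the SARIF is still uploaded when the gate passes and the job fails visibly when it does not.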

Supported Ecosystems

Ecosystem | Files Detected                                       | Transitive Deps
Python    | requirements.txt, Pipfile.lock, poetry.lock, uv.lock | pipdeptree
Node.js   | package-lock.json, yarn.lock, pnpm-lock.yaml         | npm ls
Go        | go.sum, go.mod                                       | go mod graph
Rust      | Cargo.lock                                           | Built-in
Java      | pom.xml, build.gradle                                | mvn dependency:tree
PHP       | composer.lock                                        | composer show
Ruby      | Gemfile.lock                                         | bundle list
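To show what detecting and classifying entries in two of these formats involves, here is an added example (not VulnHunter's own parser) that reads pinned requirements.txt lines and a lockfileVersion 3 package-lock.json into a hypothetical Dep record, marking npm packages as direct or transitive. Both sample inputs are constructed inline.

```python
import json
import re
from collections import namedtuple

# Hypothetical record; VulnHunter's own Dependency model is not used here
Dep = namedtuple("Dep", "ecosystem name version direct")

# Constructed sample requirements.txt
REQUIREMENTS_TXT = """\
# comments and blank lines are skipped
requests==2.31.0
idna==3.6  # inline comment after the pin
flask>=2.3  # a range, not a pin: no single version to look up
-r other.txt
"""

# Constructed sample package-lock.json (lockfileVersion 3 layout)
PACKAGE_LOCK_JSON = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.2"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/qs": {"version": "6.11.0"},
    },
})

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
def parse_requirements(text):
    """Return exact pins (==) only; ranges need a lockfile or pipdeptree to resolve."""
    deps = []
    for line in text.splitlines():
        if m := _PIN.match(line):
            deps.append(Dep("PyPI", m.group(1).lower(), m.group(2), True))
    return deps

def parse_package_lock(text):
    """Nested node_modules paths are transitive; top-level paths are direct
    only when the root package ("") lists them."""
    doc = json.loads(text)
    root_deps = set(doc["packages"].get("", {}).get("dependencies", {}))
    deps = []
    for path, meta in doc["packages"].items():
        if not path:
            continue  # "" is the project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # keeps @scope/name intact
        nested = path.count("node_modules/") > 1
        deps.append(Dep("npm", name, meta["version"], not nested and name in root_deps))
    return deps
```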

AI-Powered Vulnerability Triage

How It Works

01 Scan
VulnHunter identifies vulnerable dependencies in your project.

02 Analyze
The local LLM reads your source code and correlates it with CVE details.

03 Triage
Each vulnerability gets a contextual risk assessment: is it actually reachable in your code?

04 Prioritize
Focus on what matters. Stop wasting time on CVEs that don't affect you.

Recommended Models

Light: phi3 3.8B
Basic triage. Low resource usage.

Full: llama3 8B
Deep analysis. Best results.

AI Triage Output
$ vulnhunter scan . --ai-triage
Scanning dependencies... found 3 vulnerabilities
Running AI triage with mistral...
 
━━━ AI Triage Results ━━━
 
■ CVE-2024-3651 | idna 3.6
Severity: HIGH → HIGH (confirmed)
The application processes user-supplied URLs in
api/handlers.py:42 using idna.encode() directly.
This is exploitable via crafted internationalized
domain names.
Fix: upgrade idna to ≥3.7
 
■ CVE-2024-1234 | requests 2.31.0
Severity: CRITICAL → LOW (not reachable)
The vulnerable code path requires SOCKS proxy
usage. No SOCKS configuration found in codebase.
Risk is minimal in current context.
 
■ CVE-2024-5678 | flask 2.3.2
Severity: MEDIUM → MEDIUM (conditional)
Debug mode detected in config.py:8. Vulnerability
is exploitable only if DEBUG=True in production.
Fix: ensure DEBUG=False in production config

Python SDK

Use VulnHunter as a Python library to integrate vulnerability scanning into your own tools and workflows.

Scan Dependencies

The analyze() function takes a database and a list of dependencies, returning a ScanResult with all matched vulnerabilities sorted by severity.

analyze.py
from vulnhunter.db.store import VulnDB
from vulnhunter.models import Dependency, Ecosystem
from vulnhunter.analyzer import analyze

db = VulnDB()  # opens the local database fetched by `vulnhunter db download`
try:
    deps = [Dependency(name="requests", version="2.31.0", ecosystem=Ecosystem.PYPI)]
    result = analyze(db, deps)  # ScanResult, vulnerabilities sorted by severity
    for v in result.vulnerabilities:
        print(f"{v.vuln_id} [{v.severity.value}] {v.name}")
finally:
    db.close()  # release the database even if analysis raises

AI Triage

The TriageEngine sends each vulnerability to a local Ollama LLM along with code references found by CodeAnalyzer, returning contextual risk assessments.

triage.py
from pathlib import Path
from vulnhunter.ai.triage import TriageEngine

# the model must already be pulled in the local Ollama instance
engine = TriageEngine(model="mistral", language="en")
vulns = [{
    "id": "CVE-2024-3651", "package": "idna",
    "version": "3.6", "severity": "HIGH",
    "summary": "DoS via resource consumption",
    "ecosystem": "PyPI", "fixed_version": "3.7",
}]
# Path(".") is the project root whose source CodeAnalyzer inspects
results = engine.triage_all(vulns, Path("."))
for item in results:
    t = item["triage"]
    print(f"{item['vuln']['id']}: {t['real_risk']}")

Export Reports

Use render_xlsx() to generate styled Excel reports, or access the ScanResult model directly for custom integrations.

export.py
from pathlib import Path
from vulnhunter.db.store import VulnDB
from vulnhunter.models import Dependency, Ecosystem
from vulnhunter.analyzer import analyze
from vulnhunter.output.xlsx_report import render_xlsx

# result is the ScanResult returned by analyze(), as in analyze.py above
db = VulnDB()
try:
    result = analyze(db, [Dependency(name="requests", version="2.31.0", ecosystem=Ecosystem.PYPI)])
finally:
    db.close()
render_xlsx(result, Path("reports/scan.xlsx"))  # target directory assumed to exist
for v in result.vulnerabilities:
    if v.severity.value == "CRITICAL":
        print(f"CRITICAL: {v.vuln_id} in {v.name} {v.version}")

Installation

PyPI (recommended)

$ pip install vulnhunter

With uv (faster)

$ uv pip install vulnhunter

From Source

$ git clone https://github.com/DevGreick/VulnHunter.git
$ cd VulnHunter
$ uv venv .venv && source .venv/bin/activate
$ uv pip install -e .

Prerequisites

  • Python 3.8+ (required)
  • Ollama (optional): needed for AI triage
  • NVD API key (optional): speeds up database updates