Skip to content

Install the CLI

The CLI ships as a single binary named alertavuln; the installer also creates the conventional av alias - the two are interchangeable in every example. Every download is verified against the release’s published SHA-256 checksums before anything is installed.

Terminal window
curl -fsSL https://get.alertavuln.com/cli/install.sh | sh

To pass options when piping, use sh -s --:

Terminal window
curl -fsSL https://get.alertavuln.com/cli/install.sh | sh -s -- --version v0.3.0
install.sh (Linux/macOS) install.ps1 (Windows) Description
--version vX.Y.Z -Version vX.Y.Z Install a specific version. Default: latest from the published version.json
--with-mcp-router -WithMcpRouter Also install the AlertaVuln MCP router binary (mcp-router)
--dry-run -DryRun Resolve platform and version, print the URLs that would be used, and install nothing. Combined with a pinned version it performs no network I/O at all
- -NoPathUpdate Do not modify the user Path environment variable
-h, --help - Show the installer’s help
  1. Detects your platform. Linux and macOS on amd64 or arm64; Windows is amd64-only (ARM64 Windows runs the amd64 binary under emulation; 32-bit x86 is not supported).

  2. Resolves the version. Unless you pinned one, it fetches https://downloads.alertavuln.com/version.json and reads the latest pointer.

  3. Downloads the binary and the release’s SHA256SUMS file from that version’s directory in the release store.

  4. Verifies the SHA-256 checksum. A missing entry or a mismatch is a hard failure - nothing unverified is ever installed. The shell script refuses to run at all without sha256sum or shasum; the PowerShell script uses Get-FileHash.

  5. Installs the binary. On Linux/macOS it goes to ~/.local/bin/alertavuln (mode 0755, staged and atomically moved so a running binary can be replaced) with an av symlink beside it (a plain copy where symlinks are unavailable); the script warns if ~/.local/bin is not on your PATH. On Windows it goes to %LOCALAPPDATA%\Programs\AlertaVuln as alertavuln.exe plus an av.exe copy, and that directory is appended to your user Path unless you passed -NoPathUpdate.

  6. Optionally installs the MCP router. With --with-mcp-router / -WithMcpRouter, the mcp-router binary is downloaded, checksum-verified the same way, and installed alongside the CLI.

Binaries are served from Azure Blob Storage. Each release lives in its own immutable version directory - once published, the binaries and checksums for a version never change:

https://downloads.alertavuln.com/vX.Y.Z/alertavuln-<os>-<arch>[.exe]

with os one of linux, darwin, windows and arch one of amd64, arm64 (Windows is amd64-only - five CLI binaries per release). Each version directory also holds mcp-router-<os>-<arch>[.exe] for the same targets (releases after v0.3.0), the SHA256SUMS file covering every binary, and that version’s release notes as notes.md.

Download the binary and SHA256SUMS, verify, then put the binary on your PATH:

Terminal window
ver=v0.3.0
curl -fsSLO "https://downloads.alertavuln.com/$ver/alertavuln-linux-amd64"
curl -fsSLO "https://downloads.alertavuln.com/$ver/SHA256SUMS"
sha256sum --check --ignore-missing SHA256SUMS
chmod +x alertavuln-linux-amd64
mkdir -p ~/.local/bin && mv alertavuln-linux-amd64 ~/.local/bin/alertavuln

The container root serves a single mutable blob, version.json

  • the machine-readable pointer the install scripts use to resolve the latest release. Its schema is a stable contract for tooling:
Field Type Meaning
latest string Current release tag, vX.Y.Z
releasedAt string UTC release timestamp, ISO 8601 (YYYY-MM-DDTHH:MM:SSZ)
baseUrl string Download origin every url below is rooted at
platforms object One entry per published CLI target, keyed <os>-<arch>: linux-amd64, linux-arm64, darwin-amd64, darwin-arm64, windows-amd64
platforms.<key>.binary string Exact blob filename (keeps the .exe suffix on Windows)
platforms.<key>.url string Full download URL - baseUrl + / + latest + / + binary
platforms.<key>.sha256 string Lowercase hex SHA-256 of the binary; matches the SHA256SUMS entry
mcpRouter object Same shape and keys as platforms, for the MCP router binaries. Absent when that release did not ship the router (e.g. v0.3.0)
version.json (abridged - one entry shown per map)
{
"latest": "v0.4.0",
"releasedAt": "2026-07-04T00:00:00Z",
"baseUrl": "https://downloads.alertavuln.com",
"platforms": {
"linux-amd64": {
"binary": "alertavuln-linux-amd64",
"url": "https://downloads.alertavuln.com/v0.4.0/alertavuln-linux-amd64",
"sha256": "sha256-hex-64-chars"
}
},
"mcpRouter": {
"linux-amd64": {
"binary": "mcp-router-linux-amd64",
"url": "https://downloads.alertavuln.com/v0.4.0/mcp-router-linux-amd64",
"sha256": "sha256-hex-64-chars"
}
}
}

version.json is the only mutable blob in the release store, and a release rewrites it last - after every immutable blob is in place - so the latest pointer can never reference a partially uploaded release. Scripting against it is straightforward:

Terminal window
curl -fsSL https://downloads.alertavuln.com/version.json | jq -r '.latest'

Sign in and confirm everything works:

Terminal window
av login # opens your browser to authenticate
av whoami # confirm who you're signed in as
av check npm vite 6.0.0 # vet a package before you adopt it

By default the CLI talks to https://alertavuln.com; override the API base URL with the --api-url flag, which takes precedence over the ALERTAVULN_API_URL environment variable and the config file.