Skip to content

av techstack

Manage the packages AlertaVuln tracks for a project. Tracked packages are matched against incoming CVEs to raise alerts.

Terminal window
av techstack <subcommand> --project <project-id> [flags]

The binary ships as alertavuln; av is the common alias - they are interchangeable in every example.

av techstack maintains a project’s tech stack: the list of packages AlertaVuln matches against incoming CVEs to raise alerts. You can curate the list item by item (add, update, remove) or reconcile it in one shot from a parsed dependency manifest (sync).

Every subcommand requires the --project flag and an authenticated session - run av login first.

Flag Default Description
--project - Project ID whose tech stack to manage (required on every subcommand)

List a project’s tracked packages as a table with each item’s ID, package name, ecosystem, version constraint, and maintenance health. The health column shows deprecated, unmaintained, the package’s reported maintenance status, or - when no health data is available.

Terminal window
av techstack list --project <project-id>

Review everything a project tracks:

Terminal window
av techstack list --project 7f3c2a1e

Add a single package to a project’s tech stack.

Terminal window
av techstack add --project <project-id> --package <name> --ecosystem <ecosystem> [flags]
Flag Default Description
--package - Package name (required)
--ecosystem - Package ecosystem (required)
--version - Version or version constraint
--cpe - Optional CPE name for matching (see below)

Track a pinned npm dependency:

Terminal window
av techstack add --project 7f3c2a1e --package lodash --ecosystem npm --version 4.17.21

Track a product by CPE so CVEs filed against the CPE match too:

Terminal window
av techstack add --project 7f3c2a1e --package nginx --ecosystem generic --cpe cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*

Update a tech-stack item in place. Only the flags you pass are changed; the rest are left as-is. The item is addressed by its ID, as shown in the ID column of av techstack list.

Terminal window
av techstack update <id> --project <project-id> [flags]
Flag Default Description
--package - New package name
--ecosystem - New ecosystem
--version - New version constraint
--cpe - New CPE name

Bump the tracked version after an upgrade, leaving everything else untouched:

Terminal window
av techstack update 9c1e5d40 --project 7f3c2a1e --version 4.17.22

Remove a package from a project’s tech stack so it no longer generates alerts.

Terminal window
av techstack remove <id> --project <project-id>

Stop tracking a dependency you have dropped:

Terminal window
av techstack remove 9c1e5d40 --project 7f3c2a1e

Reconcile a project’s tech stack from a single client-parsed dependency manifest (a client-reported push). All packages in one sync must belong to the one --ecosystem, and each is supplied explicitly as a repeatable --package name@version flag - a --package value without the @version part is rejected. The command reports how many packages were synced and how many items the project now tracks.

Terminal window
av techstack sync --project <project-id> --repo <url> --manifest <path> --ecosystem <ecosystem> --package <name@version> [flags]
Flag Default Description
--repo - Source repository URL (required)
--manifest - Manifest path within the repo, e.g. package.json (required)
--ecosystem - Ecosystem for all packages in the manifest (required)
--package - Package as name@version (repeatable, required)
--ref - Git ref the manifest was read at

Push the resolved dependencies of an npm manifest:

Terminal window
av techstack sync --project 7f3c2a1e --repo https://github.com/acme/storefront \
--manifest package.json --ecosystem npm \
Code Meaning
0 Command completed successfully
1 Command failed - not logged in, missing required flag, invalid --package format, or the API returned an error
  • av project - create and manage the projects a tech stack belongs to
  • av repo - attach git repos to a project as scan sources
  • av check - pre-flight a package for known vulnerabilities before you add it