av techstack
Manage the packages AlertaVuln tracks for a project. Tracked packages are matched against incoming CVEs to raise alerts.
Synopsis
av techstack <subcommand> --project <project-id> [flags]

The binary ships as alertavuln; av is the common alias - they are
interchangeable in every example.
Description
av techstack maintains a project’s tech stack: the list of packages
AlertaVuln matches against incoming CVEs to raise alerts. You can curate the
list item by item (add, update, remove) or reconcile it in one shot from
a parsed dependency manifest (sync).
Every subcommand requires the --project flag and an authenticated session -
run av login first.
Options
| Flag | Default | Description |
|---|---|---|
| --project | - | Project ID whose tech stack to manage (required on every subcommand) |
av techstack list
List a project’s tracked packages as a table with each item’s ID, package
name, ecosystem, version constraint, and maintenance health. The health
column shows deprecated, unmaintained, the package’s reported maintenance
status, or - when no health data is available.

av techstack list --project <project-id>

Review everything a project tracks:

av techstack list --project 7f3c2a1e

av techstack add
Add a single package to a project’s tech stack.

av techstack add --project <project-id> --package <name> --ecosystem <ecosystem> [flags]

| Flag | Default | Description |
|---|---|---|
| --package | - | Package name (required) |
| --ecosystem | - | Package ecosystem (required) |
| --version | - | Version or version constraint |
| --cpe | - | Optional CPE name for matching (see below) |

Track a pinned npm dependency:

av techstack add --project 7f3c2a1e --package lodash --ecosystem npm --version 4.17.21

Track a product by CPE so CVEs filed against the CPE match too:

av techstack add --project 7f3c2a1e --package nginx --ecosystem generic --cpe cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*

av techstack update
Update a tech-stack item in place. Only the flags you pass are changed; the
rest are left as-is. The item is addressed by its ID, as shown in the ID
column of av techstack list.

av techstack update <id> --project <project-id> [flags]

| Flag | Default | Description |
|---|---|---|
| --package | - | New package name |
| --ecosystem | - | New ecosystem |
| --version | - | New version constraint |
| --cpe | - | New CPE name |

Bump the tracked version after an upgrade, leaving everything else untouched:

av techstack update 9c1e5d40 --project 7f3c2a1e --version 4.17.22

av techstack remove
Remove a package from a project’s tech stack so it no longer generates alerts.

av techstack remove <id> --project <project-id>

Stop tracking a dependency you have dropped:

av techstack remove 9c1e5d40 --project 7f3c2a1e

av techstack sync
Reconcile a project’s tech stack from a single client-parsed dependency
manifest (a client-reported push). All packages in one sync must belong to
the single ecosystem named by --ecosystem, and each is supplied explicitly as a repeatable
--package name@version flag - a --package value without the @version
part is rejected. The command reports how many packages were synced and how
many items the project now tracks.

av techstack sync --project <project-id> --repo <url> --manifest <path> --ecosystem <ecosystem> --package <name@version> [flags]

| Flag | Default | Description |
|---|---|---|
| --repo | - | Source repository URL (required) |
| --manifest | - | Manifest path within the repo, e.g. package.json (required) |
| --ecosystem | - | Ecosystem for all packages in the manifest (required) |
| --package | - | Package as name@version (repeatable, required) |
| --ref | - | Git ref the manifest was read at |

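An added example, not part of the AlertaVuln documentation or project code: one way to derive the repeatable --package name@version values from an npm lockfile and assemble the sync argument list from the flags in the table above. The lockfile sample is constructed, the function names are hypothetical, and both reading versions from a lockfile and checking name@version by splitting on the last @ are assumptions of this sketch rather than documented av behaviour.

```python
import json
import shlex

# Constructed sample: a trimmed npm lockfile (lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "storefront", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/@types/node": {"version": "20.11.5"},
    "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    "node_modules/local-link": {"link": True, "resolved": "../local-link"},
}})

def resolved_packages(lock_text):
    """Return sorted, de-duplicated name@version strings from an npm lockfile."""
    specs = set()
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path or "version" not in meta:
            continue  # root project entry, or a link with no resolved version
        name = path.rpartition("node_modules/")[2]  # also handles nested installs
        specs.add(f"{name}@{meta['version']}")
    return sorted(specs)

def check_spec(spec):
    """Local pre-check of the documented rule: no @version part means rejection."""
    name, sep, version = spec.rpartition("@")  # last '@', so @scope/name survives
    if not (sep and name and version):
        raise ValueError(f"not name@version: {spec!r}")
    return spec

def sync_argv(project, repo, manifest, specs, ref=None):
    """Build the av techstack sync argument vector from documented flags only."""
    argv = ["av", "techstack", "sync", "--project", project, "--repo", repo,
            "--manifest", manifest, "--ecosystem", "npm"]
    if ref:
        argv += ["--ref", ref]
    for spec in specs:
        argv += ["--package", check_spec(spec)]
    # Hand this list to subprocess.run() as-is: lockfile contents are untrusted
    # input and must not be interpolated into a shell command string.
    return argv

if __name__ == "__main__":
    argv = sync_argv("7f3c2a1e", "https://github.com/acme/storefront",
                     "package.json", resolved_packages(SAMPLE_LOCK))
    print(shlex.join(argv))  # quoted form, for display only
```

Scoped names such as @types/node are the case a naive split on the first @ gets wrong; the pre-check above rejects a scoped name that has no version instead of treating the scope as the name.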
Push the resolved dependencies of an npm manifest:

av techstack sync --project 7f3c2a1e --repo https://github.com/acme/storefront \
  --manifest package.json --ecosystem npm \

Exit codes
| Code | Meaning |
|---|---|
| 0 | Command completed successfully |
| 1 | Command failed - not logged in, missing required flag, invalid --package format, or the API returned an error |
See also
- av project - create and manage the projects a tech stack belongs to
- av repo - attach git repos to a project as scan sources
- av check - pre-flight a package for known vulnerabilities before you add it