Skip to main content
The CLI tool scans binaries and firmware for vulnerabilities, serves an MCP endpoint for AI-assisted analysis, and integrates with the Binarly Transparency Platform (BTP). NOTE: we show usage via the community edition tool, for enterprise customers, use vulhunt.

Scanning binaries

Single rule

Scan a binary with a single rule and display results in the terminal:
The above command uses the rule CVE-2024-6387.vh to scan the sshd binary. Type libraries and signatures are loaded from ./bias-data, which should contain the required Auxiliary Data. Results are written to results.json and rendered to the terminal with --pretty.

Rule set

Scan a binary against all rules in a directory:
When scanning with multiple rules, narrow down rule coverage with Conditions to minimize the performance impact.

UEFI firmware and alternate loaders

Scan a UEFI firmware image using the uefi loader:
VulHunt’s scanner also supports ba2 (Binarly Analysis Archive) and bndb (Binary Ninja) loaders. The Binary Ninja loader requires VulHunt to be built with specific support.

Component attributes

Pass additional metadata when scanning individual components:

Streaming output

For CI/CD pipelines or large scans, stream results as JSONL:
Add --compress to compress the stream with Zstandard:

Using environment variables

Set common paths once and omit them from individual commands:

Starting the MCP server

The mcp subcommand starts a Model Context Protocol server for AI-assisted binary analysis.

HTTP transport

Stdio transport

For integration with tools like Claude Desktop:

Binarly Transparency Platform (BTP)

The btp subcommand interacts with the Binarly Transparency Platform. All commands require authentication credentials, which can be passed as options or set via environment variables:

Pushing rules

Push a rule pack from local directories to BTP:
Push and deploy directly to a product:
Push individual rule files (requires --platform):

Managing products

List all products:
Create a new product:

Uploading and scanning

Upload a firmware image and trigger a scan:

Monitoring scans

List scans for an image:
Get scan details:

Retrieving results

Get findings for an image:
Download a BA2 archive for offline analysis:

Querying BA2 archives

The ba2 subcommand inspects and extracts components from Binarly Analysis Archives.

Listing components

Extracting a component