Skip to content

Scanner Installation#

This section explains how to scan servers via the Vuls scanner and automatically upload the configuration information to the cloud service. This supports the following scan methods:

For both Linux and Windows, you can install the scanner by executing the displayed command. The installation command can be found under Group SettingsScanner.

Viewing Permissions

Only users with group administrator privileges can view the commands for installing the scanner.

The following types of scanners are available:

Proxy Settings

In FutureVuls, the scan execution server requires internet access during "scanner installation" and "scan result upload". In environments where internet access is routed through a proxy server, you must configure proxy settings after installation. For details, refer to the "Proxy Settings" section.

Installing the Linux Scanner#

Install the scanner on a Linux server to detect vulnerabilities. Find the installation command on the FutureVuls console and run it on the Linux server to install the scanner.

  • The scanner installation must be run with root privileges.
  • For servers behind a proxy, you must ensure curl can access the internet.
    • For details, refer to the "FAQ" in the manual.

Settings Performed During Installation#

The following tasks are performed during the Linux scanner installation. The processes executed by the installer are publicly available in "this script".

Since installation runs as root, no additional password prompts will appear during the following processes.

Process Description
Installation of dependent software ・RedHat, Oracle, Rocky, Alma, Fedora: yum-utils, lsof
・Amazon: yum-utils, lsof, cronie
・Ubuntu: debian-goodies
・Debian: reboot-notifier, aptitude, debian-goodies, lsof
Creation of execution user and group ・User: vuls-saas
・Group: vuls-saas
Creation of log directory Creates /var/log/vuls
Placement of the scanner (binary) /opt/vuls-saas/vuls
Placement of the execution script /opt/vuls-saas/vuls-saas.sh
Placement of the configuration file /opt/vuls-saas/config.toml
Configuration of sudoers /etc/sudoers.d/vuls-saas
Sets access rights to specific commands for the vuls-saas user
Configuration of cron for scanning Configured in /etc/cron.d/vuls-saas-scan
*Runs once a day, 5 minutes after the installation time

Checking the Installation Command#

  • From the account icon in the upper right, click Group Settings, then select the Scanner tab on the left.

scanner_install_command

  • Configure options as needed.

You can select "Scanner Behavior Settings" and specify a proxy server. If not specifically required, you can use the default values.

Item Description
VULS_SCAN_MODE Select whether to grant root privileges during scan execution.
FAST-ROOT: Grants root privileges during scan execution. This allows the scanner to acquire information such as whether a package restart is required and the running status of processes.
FAST: Does not grant root privileges during scan execution. Some information cannot be acquired.
VULS_SCAN_OFFLINE Select online or offline scan.
-(no value): Executes a scan in an online environment, which is the normal scan mode.
OFFLINE: Specifies offline mode. Not supported on all OSes.
AUTO_REFRESH_BINARY Configure automatic scanner updates.
TRUE: Updates the scanner binary to the latest version before each scan.
FALSE: Does not automatically update the scanner binary.
VULS_PROXY If in a proxy environment, specify the URL of the proxy server to use.

Copy the installation script and run it on the target server.

root@scan:~# curl -s https://installer.vuls.biz/vuls-installer.sh | VULS_SAAS_GROUPID='nnn' VULS_SAAS_TOKEN='xxx-xxxx-xxxx' VULS_SCAN_MODE='fast-root' AUTO_REFRESH_BINARY=true  bash -s inst
2025/03/01 00:00:00 [START      ]:      Install scanner.
2025/03/01 00:00:00 [SUCCESS    ]:      Check root user.
2025/03/01 00:00:00 [SUCCESS    ]:      Check distribution. [OS: ubuntu]
2025/03/01 00:00:00 [SUCCESS    ]:      Check Architecture [arch: x86_64]
2025/03/01 00:00:02 [SUCCESS    ]:      Install package. [debian-goodies]
2025/03/01 00:00:02 [SUCCESS    ]:      Create user and group. [user: vuls-saas / group: vuls-saas]
2025/03/01 00:00:02 [SUCCESS    ]:      Create directory. [/opt/vuls-saas]
2025/03/01 00:00:02 [SUCCESS    ]:      Create directory. [/var/log/vuls]
2025/03/01 00:00:04 [SUCCESS    ]:      Download binary. [/opt/vuls-saas/vuls   type: linux_x86_64]
2025/03/01 00:00:04 [SUCCESS    ]:      Download script. [/opt/vuls-saas/vuls-saas.sh]
2025/03/01 00:00:04 [SUCCESS    ]:      Create config. [/opt/vuls-saas/config.toml]
2025/03/01 00:00:04 [SUCCESS    ]:      Create sudoers. [/etc/sudoers.d/vuls-saas]
2025/03/01 00:00:04 [SUCCESS    ]:      Create cron. [/etc/cron.d/vuls-saas-scan]
2025/03/01 00:00:04 [END        ]:      Install scanner finish.
root@scan:~#

An automatic scan will now run daily, 5 minutes after installation completes.

Scanner Installation Execution Permissions

If the following message is displayed, switch to a user with root privileges and execute the command again.

2025/03/01 00:00:00 [START      ]:      chkRootUser
2025/03/01 00:00:00 [ERROR      ]:      Please run as root user.

First Manual Scan#

The first automatic scan will run 5 minutes after the installation is complete. If you want to scan immediately, you can also run it manually by following the steps below.

Execute /opt/vuls-saas/vuls-saas.sh with vuls-saas user privileges as follows.

  • When running as the vuls-saas user with sudo
root@scan01:~# sudo -H -u vuls-saas /opt/vuls-saas/vuls-saas.sh >/dev/null 2>&1
root@scan01:~#
  • When switching to the vuls-saas user to run
root@scan01:~# su - vuls-saas
vuls-saas@scan01:~$ /opt/vuls-saas/vuls-saas.sh
vuls-saas@scan01:~$

After the scan is finished, the results will appear on the FutureVuls web console shortly. If the results do not appear after several minutes, check the logs.

The execution results are recorded in the following files. Check the logs for errors to identify the cause.

  • /opt/vuls-saas/scan.log
    • Describes the success or failure of the scan.
    • If the scan fails, the report information will not be uploaded to FutureVuls.
  • /opt/vuls-saas/report.log
    • Contains the scan result report and any errors related to uploading to FutureVuls.
    • If the upload fails, it may be due to issues such as proxy settings.

Checking the Scan Time#

The scan time is set based on the scanner's installation time. You can change it to a time of your choice by editing the following file.

  • The execution schedule is defined in /etc/cron.d/vuls-saas-scan.
    • By default, it is set to 5 minutes after the scanner installation time.
    • It uses cron format, so modify it as needed.
root@scan01:~# cat /etc/cron.d/vuls-saas-scan
5 0 * * * vuls-saas /opt/vuls-saas/vuls-saas.sh >/dev/null 2>&1
root@scan01:~#

Installing the Windows Scanner#

Install the scanner on a Windows server to detect vulnerabilities. Find the installation command on the FutureVuls console and run it on the Windows server to install the scanner.

  • Ensure Windows Update is functional before proceeding
  • The scanner must be installed from an administrator Command Prompt

When launching Command Prompt, right-click and select "Run as administrator" to start it with administrator privileges.

commandprompt_admin

Settings Performed During Installation#

The following tasks are performed during the Windows scanner installation. The processes executed by the installer are publicly available in "this script".

Clicking the script link above will automatically download it. Do not execute the downloaded script directly.

Process Description
Placement of the scanner (binary) C:\Program Files\vuls-saas\vuls.exe
Placement of the execution batch file C:\Program Files\vuls-saas\vuls-saas.bat
Placement of the configuration file C:\Program Files\vuls-saas\config.toml
Placement of the batch_config file C:\Program Files\vuls-saas\batch_config.toml
Configuration of Task Scheduler Configured in Task Scheduler (vuls-saas-scan)
*Runs as SYSTEM user, once a day, 5 minutes after the installation time

Checking the Installation Command#

From the account icon in the upper right, click Group Settings, then select the Scanner tab on the left.

scanner_install_command_2

Configure options as needed.

You can configure settings for "WSUS Environments" and specify a proxy server. If not specifically required, you can use the default values.

Item Description
VULS_WIN_UPDATE_SRC Select the source for Windows Update.
INTERNET: Use Windows Update on the internet.
LOCAL: Use a local WSUS for Windows Update.
AUTO_REFRESH_BINARY Configure automatic scanner updates.
TRUE: Updates the scanner binary to the latest version before each scan.
FALSE: Does not automatically update the scanner binary.
VULS_PROXY If in a proxy environment, specify the URL of the proxy server to use.
VULS_BYPASS_LIST Specify destinations that should bypass the proxy. Multiple destinations can be specified, separated by semicolons ";".
  • Copy the installation script and run it on the target server.
  • An automatic scan will now run daily, 5 minutes after installation completes.

First Manual Scan#

The first automatic scan will run 5 minutes after installation is complete, but you can also run it manually if you want to scan immediately.

Running from Task Scheduler#

  • Start the vuls-saas task from the Task Scheduler.
    • Open the Task Scheduler.
    • Right-click on vuls-saas located at the top level of the task list and select Run.
  • After the scan is finished, the results will appear on the web console shortly.

    • If the results do not appear, check the logs.

    task_cheduler

The execution results are recorded in the following file. Check the log for errors to identify the cause.

  • C:\Program Files\vuls-saas\vuls-saas.log
    • Records the success or failure of the scan and the upload.
    • If the scan fails, the report information will not be uploaded to FutureVuls.

Manual Scan from Command Prompt#

A manual scan can be performed by running the following command with administrator privileges.

C:\Program files\vuls-saas\vuls-saas.bat

Checking the Scan Time#

The scan time is set based on the scanner's installation time. The scan time can be changed to any desired time.

  • Change the execution time of the vuls-saas task in the Task Scheduler.

Installing the Trivy Scanner#

Container Image Scan#

Install Trivy in your local environment to scan container images and upload the results to FutureVuls. This method offers two installation modes: a standard version and a lightweight version. The differences are as follows.

Item Description Standard Version Lightweight Version
Root privileges Whether root privileges are required for installation Required Not required
Supported Environments Local environments where setup is possible Reference General Linux
Scheduled Scan Whether to automatically scan the image periodically Supported Not supported

The lightweight version does not require root privileges, but you must manually scan container images periodically. To keep vulnerability information up-to-date by constantly synchronizing container image configuration changes with FutureVuls, please use the standard version scan whenever possible.

Scanning a New Container Image#

To scan a new container image and register it in FutureVuls, follow these steps.

  1. Open the dialog from the Add Server button on the Server tab and select Container Image Scan

    Container Image Scan Add Dialog Guide

  2. Select a scanner token and enter the name of the container image to scan.

    Specify it in the format <image_name>:<tag>. To always scan the latest version of an image, specify <image_name>:<latest>.

  3. If behind a proxy, enter the proxy server to use

  4. If using the lightweight version, check the switch bar
  5. Copy the command displayed at the bottom of the screen, paste it into the local environment where the target image is managed, and execute it

    For the standard version, run it with root privileges.

  6. Confirm that the scanned image has been added to the Server tab of the target group in FutureVuls

    For the standard version, it may take 5-10 minutes for the results to appear in FutureVuls. If you want to run a scan immediately after installation, execute the following command.

    /opt/vuls-trivy-saas/vuls-trivy-saas.sh &> /opt/vuls-trivy-saas/vuls-trivy.log
    

This completes the registration. If you are using the standard version, the scanner will start automatically once a day to scan the target container image and upload the results to FutureVuls.

In the standard version, you can manually add scan options for target container images/libraries, etc., to config.toml. For details, see "Scanner Behavior Settings".

Also, if the scan results do not appear, refer to this article.

Updating Information for a Registered Container Image#

To update vulnerability information based on the configuration of a container image already registered in FutureVuls, execute a manual scan from the FutureVuls console.

If there have been changes to a container image registered in FutureVuls, follow these steps to sync them with FutureVuls.

  • For the standard version:
    • No action is required as the scanner starts automatically once a day to scan the image.
    • If you want to start the scanner immediately, run the following command as the root or vuls-trivy-saas user.
      • /opt/vuls-trivy-saas/vuls-trivy-saas.sh &> /opt/vuls-trivy-saas/vuls-trivy.log
  • For the lightweight version:

    1. Click the target container image on the Server tab to open the server details page.
    2. Click the Update Configuration Information button to open the dialog.

      Container Image Update

    3. Select a scanner token and enter the name of the container image to scan.

    4. If behind a proxy, enter the proxy server to use.
    5. Copy the command displayed at the bottom of the screen, paste it into the local environment where the target image is managed, and execute it.

Application Library Scan#

Install Trivy in your local environment to scan application libraries and upload the results to FutureVuls. This method offers two installation modes: a standard version and a lightweight version. The differences are as follows.

Item Description Standard Version Lightweight Version
Root privileges Whether root privileges are required for installation Required Not required
Supported Environments Environments where setup is possible Reference General Linux
Scheduled Scan Whether to automatically scan the application libraries periodically Supported Not supported

The lightweight version does not require root privileges, but you must manually scan application libraries periodically. You also need to run it as a user with read permissions for all directories and files under the specified directory path. To keep vulnerability information up-to-date by constantly synchronizing dependent library configuration changes with FutureVuls, please use the standard version scan whenever possible.

Scanning New Dependent Libraries#

To scan new application libraries and register them in FutureVuls, follow these steps.

  1. Open the dialog from the Add Server button on the Server tab and select Scan Libraries on File System

    Trivy Library Scan Add Dialog Guide

  2. Select a scanner token and enter the absolute path of the directory to be scanned

    If no path is specified, the root directory will be automatically selected, and all application libraries on the filesystem will be scanned.

  3. If behind a proxy, enter the proxy server to use

  4. If using the lightweight version, check the switch bar
  5. Copy the command displayed at the bottom of the screen, paste it into the local environment where the target application library is managed, and execute it

  6. Confirm that the scanned directory has been added to the Server tab of the target group in FutureVuls

    For the standard version, it may take 5-10 minutes for the results to appear in FutureVuls. If you want to run a scan immediately after installation, execute the following command.

    /opt/vuls-trivy-saas/vuls-trivy-saas.sh &> /opt/vuls-trivy-saas/vuls-trivy.log

This completes the registration. If you are using the standard version, the scanner will start automatically once a day to scan the target directory and upload the results to FutureVuls.

In the standard version, you can manually add scan options for target container images/libraries, etc., to config.toml. For details, see "Scanner Behavior Settings".

Also, if the scan results do not appear, refer to this article.

Updating Configuration Information for Registered Libraries#

Update vulnerability information based on registered configuration information

To update vulnerability information based on the configuration of application libraries already registered in FutureVuls, execute a manual scan from the FutureVuls console.

Sync application library configuration changes with FutureVuls

If there have been changes to the registered dependent libraries, follow these steps to sync them with FutureVuls.

  • For the standard version:
    • No action is required as the scanner starts automatically once a day to scan the image.
    • If you want to start the scanner immediately, run the following command as the root or vuls-trivy-saas user.
      • /opt/vuls-trivy-saas/vuls-trivy-saas.sh &> /opt/vuls-trivy-saas/vuls-trivy.log
  • For the lightweight version:

    1. Click the target server on the Server tab to open the server details page.
    2. Click the Update Configuration Information button to open the dialog.

      Trivy Scan Library Update

    3. Select a scanner token and enter the absolute path of the directory to be scanned.

    4. If behind a proxy, enter the proxy server to use.
    5. Copy the command displayed at the bottom of the screen, paste it into the local environment where the target application library is managed, and execute it.