Installation
Trustabl is distributed as a single binary for macOS, Linux, and Windows. Pick whichever channel fits your environment.
Homebrew (macOS, Linux)
Scoop (Windows)
Docker
The image is published to GitHub Container Registry. Mount the repo you want to scan and point the scan at the mount:
:latest tracks the most recent final release; pin a version tag
(ghcr.io/trustabl/trustabl:0.1.0) for reproducible CI.
Direct download
Download the archive for your OS/arch from the
GitHub Releases page, extract
it, and put the trustabl binary on your PATH. Each archive also bundles
LICENSE, README.md, COVERAGE.md, and CHANGELOG.md. A checksums.txt
(SHA-256) and build-provenance attestation are published alongside the archives.
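One way to check a downloaded archive against checksums.txt before extracting it, as an added example that is not part of the Trustabl documentation or project. It assumes the `<sha256-hex>  <filename>` layout that `sha256sum` writes, since the page does not show the file's format; `sha256_of` and `verify_archive` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify a release archive against checksums.txt.
# Assumption: each line of checksums.txt is "<sha256-hex>  <filename>"
# (sha256sum layout); the page does not show the actual format.

# Print the SHA-256 of a file with whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # stock macOS has shasum
    fi
}

# verify_archive CHECKSUMS ARCHIVE
# Returns 0 on match, 1 on digest mismatch, 2 if the archive is not
# listed exactly once, 3 if either input file is unreadable.
verify_archive() {
    sums=$1
    archive=$2
    [ -r "$sums" ] && [ -r "$archive" ] || return 3
    name=$(basename "$archive")

    # Match the filename field exactly (a leading "*" marks binary mode).
    # A substring grep could also hit "name.sig" or another architecture.
    # Duplicate entries are treated as ambiguous and yield no digest.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { c++; h = tolower($1) } }
        END { if (c == 1) print h }' "$sums")

    # Fail closed: a missing or ambiguous entry is not a pass.
    [ -n "$expected" ] || return 2

    actual=$(sha256_of "$archive" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || return 1
    return 0
}
```

A matching digest only shows that the archive agrees with checksums.txt; the build-provenance attestation published with the release is the stronger check of where the archive was built.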
Verify the install
This prints the version, commit, and build date baked into the binary.
First run and the rule cache
On its first scan, Trustabl resolves the detection rule packs from the
trustabl-rules repository and
caches them under your OS cache directory. Later scans reuse the cache and fall
back to it when the network is unreachable. To pre-warm the cache without
scanning:
A scan with no usable rules (none cached and none fetchable) exits with code 2
rather than reporting a misleadingly clean result.
The opt-in --vuln-scan dependency check keeps a separate cache: it fetches a
pinned OSV snapshot on first use and reuses it (offline-capable)
on later scans. Pre-warm it where you have connectivity with: