
Usage

vulcn store [username] [password] [options]

Arguments

Argument   Description                              Required
username   Username for form-based authentication   No*
password   Password for form-based authentication   No*

* Required for form-based auth. Omit both for header-based auth.

Options

Option                      Description                                      Default
--header <header>           Header auth (e.g., "Authorization: Bearer x")    -
--passphrase <passphrase>   Encryption passphrase (or set VULCN_KEY)         Interactive prompt
--login-url <url>           Custom login URL (overrides .vulcn.yml)          from config
--user-field <selector>     CSS selector for username field                  Auto-detected
--pass-field <selector>     CSS selector for password field                  Auto-detected

Description

The store command securely encrypts authentication credentials using AES-256-GCM with PBKDF2 key derivation (600,000 iterations). The encrypted file is saved to auth/state.enc next to .vulcn.yml, and is automatically discovered by vulcn crawl and vulcn run.

Encryption Details

  • Algorithm: AES-256-GCM (authenticated encryption)
  • Key Derivation: PBKDF2 with SHA-512, 600,000 iterations
  • Salt: 32 bytes, randomly generated per encryption
  • IV: 16 bytes, randomly generated per encryption
  • Auth Tag: 16 bytes (GCM integrity verification)

The passphrase is resolved in this order:
  1. --passphrase flag
  2. Interactive terminal prompt (hidden input)
  3. VULCN_KEY environment variable

Examples

Form-Based Login

vulcn store admin password

When used with vulcn crawl or vulcn run, Vulcn will:
  1. Navigate to the login URL (from .vulcn.yml auth.loginUrl or --login-url)
  2. Auto-detect username/password fields
  3. Fill the form and submit
  4. Capture browser cookies and storage state

Form-Based Login with Login URL

vulcn store admin password --login-url https://app.example.com/login

Header-Based Auth (API Token)

vulcn store --header "Authorization: Bearer eyJhbG..."

Header-Based Auth (API Key)

vulcn store --header "X-API-Key: sk_live_abc123"

Using Environment Variable

export VULCN_KEY=my-secret-passphrase
vulcn store admin password

Set VULCN_KEY in your CI/CD environment to avoid interactive prompts during automated scans.

Output

   Auth type: form
   Username: admin
   Password: ********

 Credentials saved to auth/state.enc
⚠️  Add auth/ to .gitignore

Auth Configuration in .vulcn.yml

You can also configure authentication directly in .vulcn.yml:

# .vulcn.yml
auth:
  strategy: form
  loginUrl: https://app.example.com/login
  userSelector: "#email"
  passSelector: "#password"

When present, vulcn store will use these values as defaults (CLI flags still override).

Security Best Practices

Always add auth/ to your .gitignore file to prevent accidentally committing encrypted credentials to version control.

echo "auth/" >> .gitignore

  • Never commit encrypted credential files to version control
  • Use environment variables (VULCN_KEY) in CI/CD instead of --passphrase (a flag value can end up in shell history and process listings)
  • Rotate credentials regularly — re-run vulcn store to update
  • Use unique passphrases per project

Workflow

The typical authenticated scanning workflow:

# 1. Store credentials
vulcn store admin password

# 2. Crawl with authentication (auto-discovered from auth/state.enc)
vulcn crawl

# 3. Run scans with authentication (auto-discovered)
vulcn run -p xss sqli -r html

No --creds flag is needed. Auth is automatically discovered from auth/state.enc next to .vulcn.yml.

See Also