docs/ref/modules/vulnerability-scanner/README.md
The Vulnerability Scanner (VD) is an event-driven module that detects CVEs using the inventory batches produced by InventorySync. On the agent, Syscollector gathers OS, package, and hotfix data and sends it to the manager. InventorySync on the manager stores and normalizes the inventory into Start/DataValue/DataContext sessions that VD consumes, correlates with the local CVE databases, and turns into results.
The CVE data comes from CTI, which is parsed into local RocksDB databases for fast lookups. Detection produces:
wazuh-states-vulnerabilities via the Indexer Connector.queue-http.sock using the H/E protocol.OS detection is supported for Windows and macOS (Darwin). On Linux, the kernel is treated as a package component.