Skip to content

Install

For operators · running scans

How-to

Pre-built binary from the GitHub release — instant, no compile:

Terminal window
cargo binstall adler-cli # https://github.com/cargo-bins/cargo-binstall

cargo binstall ships impersonate-enabled binaries on x86_64-linux, both macOS targets, and Windows. The aarch64-unknown-linux-gnu build ships without the impersonate feature — see TLS-fingerprint impersonation for why and how to opt back in.

Compiles locally; ~1–2 min on a recent machine:

Terminal window
cargo install adler-cli

To include TLS-fingerprint impersonation (needed for sites tagged protection: tls-fingerprint):

Terminal window
cargo install adler-cli --features impersonate

The feature pulls in BoringSSL and needs cmake, a C++ compiler, and libclang at build time:

  • Fedora: sudo dnf install cmake gcc-c++ clang
  • Debian / Ubuntu: sudo apt install cmake clang libclang-dev
  • macOS: brew install cmake (clang ships with the developer tools)
  • Windows: install the LLVM toolchain; the build script reads LIBCLANG_PATH
Terminal window
git clone https://github.com/commit3296/adler.git
cd adler
cargo install --path adler-cli
  • Rust ≥ 1.85 for compiling from source.
  • For --browser-backend local: Chrome or Chromium reachable on PATH.
  • For --browser-backend browserbase: ADLER_BROWSERBASE_API_KEY and ADLER_BROWSERBASE_PROJECT_ID environment variables; see Access engine → Browser backend.

The installed binary is adler. The library (adler-core) is published separately for embedding the engine in your own tools — see Embedding.

CrateKindPurpose
adler-corelibDetection engine, site registry, evidence/confidence models, identity clusters, investigation report model.
adler-serverlibHTTP API + SSE streaming + scan persistence; exposes persisted scans, reports, timelines, and the embedded SolidJS web UI.
adler-clibinadler command-line interface; scans, explains evidence, renders report exports, and launches the embedded server + UI with --web.
Terminal window
adler --version
adler --doctor --only github # quick check against a known signature

adler --version since v0.11.4 prints the crate version plus build provenance (short git SHA, target triple, opt-in feature flags). Include the multi-line output verbatim in bug reports so the maintainer doesn’t have to ask which build you have:

adler 0.15.0
commit: 45d0979c0a7f
target: x86_64-unknown-linux-gnu
features: <default>

-V keeps the one-line form for scripts.

After the binary is verified, run a small explained scan before scaling to the full registry:

Terminal window
adler --explain --only github,gitlab torvalds

That path confirms the registry, network, text renderer, confidence rules, and signal evidence are all working. For the full onboarding flow — scan, evidence, confidence, identity clusters, and report export — continue to Quickstart or the guided First scan walkthrough.

For a browser workflow with persisted scan ids and one-click case-file exports:

Terminal window
adler --web
# http://127.0.0.1:8080

Verifying release archives (Sigstore cosign)

Section titled “Verifying release archives (Sigstore cosign)”

Every platform archive attached to a GitHub Release since v0.11.4 ships with a matching .sig (Sigstore signature) and .pem (Fulcio certificate). Signing is keyless — no long-lived key in repo secrets — backed by the workflow’s OIDC token, exchanged for a short-lived certificate bound to release.yml@<release-tag>. Verification recipe:

Terminal window
TAG=v0.15.0 # or whichever release
ARCHIVE=adler-x86_64-unknown-linux-gnu.tar.gz
# Pull the archive + signature + certificate from the release.
gh release download "$TAG" --repo commit3296/adler \
--pattern "$ARCHIVE" --pattern "$ARCHIVE.sig" --pattern "$ARCHIVE.pem"
# Verify the signature is bound to this repo's release.yml workflow.
cosign verify-blob \
--certificate "$ARCHIVE.pem" \
--signature "$ARCHIVE.sig" \
--certificate-identity-regexp '^https://github\.com/commit3296/adler/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
"$ARCHIVE"

A successful verification prints Verified OK. The identity-regex pins the signer to this repository’s release.yml at a SemVer tag — a forged archive uploaded under a different workflow won’t satisfy it.

adler --man-page since v0.11.4 prints a roff(1) man page generated from the same clap definition that drives --help, so there’s no hand-maintained .1 file to fall out of sync. Pipe it straight into the package’s man path:

Terminal window
adler --man-page > /usr/share/man/man1/adler.1

The page comes out as one OPTIONS block; help-group subsections documented in --help are a clap-mangen upstream limitation.