Install
For operators · running scans
How-toFrom cargo binstall (recommended)
Section titled “From cargo binstall (recommended)”Pre-built binary from the GitHub release — instant, no compile:
cargo binstall adler-cli # https://github.com/cargo-bins/cargo-binstallcargo binstall ships impersonate-enabled binaries on x86_64-linux,
both macOS targets, and Windows. The aarch64-unknown-linux-gnu build
ships without the impersonate feature — see TLS-fingerprint
impersonation
for why and how to opt back in.
From source (cargo install)
Section titled “From source (cargo install)”Compiles locally; ~1–2 min on a recent machine:
cargo install adler-cliTo include TLS-fingerprint impersonation (needed for sites tagged
protection: tls-fingerprint):
cargo install adler-cli --features impersonateThe feature pulls in BoringSSL and needs cmake, a C++ compiler, and
libclang at build time:
- Fedora:
sudo dnf install cmake gcc-c++ clang - Debian / Ubuntu:
sudo apt install cmake clang libclang-dev - macOS:
brew install cmake(clang ships with the developer tools) - Windows: install the LLVM toolchain; the build script reads
LIBCLANG_PATH
From the repository
Section titled “From the repository”git clone https://github.com/commit3296/adler.gitcd adlercargo install --path adler-cliRequirements
Section titled “Requirements”- Rust ≥ 1.85 for compiling from source.
- For
--browser-backend local: Chrome or Chromium reachable onPATH. - For
--browser-backend browserbase:ADLER_BROWSERBASE_API_KEYandADLER_BROWSERBASE_PROJECT_IDenvironment variables; see Access engine → Browser backend.
What ships
Section titled “What ships”The installed binary is adler. The library
(adler-core) is published
separately for embedding the engine in your own tools — see
Embedding.
| Crate | Kind | Purpose |
|---|---|---|
adler-core | lib | Detection engine, site registry, evidence/confidence models, identity clusters, investigation report model. |
adler-server | lib | HTTP API + SSE streaming + scan persistence; exposes persisted scans, reports, timelines, and the embedded SolidJS web UI. |
adler-cli | bin | adler command-line interface; scans, explains evidence, renders report exports, and launches the embedded server + UI with --web. |
Verifying the install
Section titled “Verifying the install”adler --versionadler --doctor --only github # quick check against a known signatureadler --version since v0.11.4 prints
the crate version plus build provenance (short git SHA, target triple,
opt-in feature flags). Include the multi-line output verbatim in bug
reports so the maintainer doesn’t have to ask which build you have:
adler 0.15.0commit: 45d0979c0a7ftarget: x86_64-unknown-linux-gnufeatures: <default>-V keeps the one-line form for scripts.
First useful run
Section titled “First useful run”After the binary is verified, run a small explained scan before scaling to the full registry:
adler --explain --only github,gitlab torvaldsThat path confirms the registry, network, text renderer, confidence rules, and signal evidence are all working. For the full onboarding flow — scan, evidence, confidence, identity clusters, and report export — continue to Quickstart or the guided First scan walkthrough.
For a browser workflow with persisted scan ids and one-click case-file exports:
adler --web# http://127.0.0.1:8080Verifying release archives (Sigstore cosign)
Section titled “Verifying release archives (Sigstore cosign)”Every platform archive attached to a GitHub Release
since v0.11.4 ships with a matching
.sig (Sigstore signature) and .pem (Fulcio certificate). Signing
is keyless — no long-lived key in repo secrets — backed by the
workflow’s OIDC token, exchanged for a short-lived certificate bound
to release.yml@<release-tag>. Verification recipe:
TAG=v0.15.0 # or whichever releaseARCHIVE=adler-x86_64-unknown-linux-gnu.tar.gz
# Pull the archive + signature + certificate from the release.gh release download "$TAG" --repo commit3296/adler \ --pattern "$ARCHIVE" --pattern "$ARCHIVE.sig" --pattern "$ARCHIVE.pem"
# Verify the signature is bound to this repo's release.yml workflow.cosign verify-blob \ --certificate "$ARCHIVE.pem" \ --signature "$ARCHIVE.sig" \ --certificate-identity-regexp '^https://github\.com/commit3296/adler/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+' \ --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \ "$ARCHIVE"A successful verification prints Verified OK. The identity-regex
pins the signer to this repository’s release.yml at a SemVer tag
— a forged archive uploaded under a different workflow won’t satisfy
it.
For distro packagers
Section titled “For distro packagers”adler --man-page since v0.11.4 prints
a roff(1) man page generated from the same clap definition that
drives --help, so there’s no hand-maintained .1 file to fall out
of sync. Pipe it straight into the package’s man path:
adler --man-page > /usr/share/man/man1/adler.1The page comes out as one OPTIONS block; help-group subsections
documented in --help are a clap-mangen upstream limitation.