Virtnosis

Read-only libvirt security analysis and diagnosis.

Virtnosis is a bounded, local-first control plane for inspecting libvirt-exposed infrastructure. It is built for operators and automation that need high-signal findings, explicit degraded-state reporting, and stable machine-consumable output.

Use it only on systems you own or are explicitly authorized to assess.

Read the docs vnactl virtnosis-agent GitHub

CLI examples

Start

virtnosis-agent --verbose
vnactl status
vnactl scan --deep --confirm-xml --redact -f json

Control-plane transport is local UNIX sockets only.

Why Virtnosis

A bounded defensive tool for libvirt environments, not a general management client.

Read-only by default

Virtnosis is designed to inspect configuration and topology without mutating host or guest state.

Overview

Bounded control plane

The agent enforces request and response caps, per-client timeouts, peer authentication, and explicit local deployment boundaries.

Agent CLI

Automation-friendly output

Scan output stays machine-consumable under partial coverage, bounded capture, and redaction.

Output and automation

Docs map

Installation, operator workflows, deployment, CLI reference, architecture, and shipped man pages.

Start

Purpose, safety boundary, quick start, and the recommended reading path.

Docs

Install and package

Build, install, staged systemd assets, package metadata, and release verification.

Guide

Operator guide

Daily workflows, deep-scan tuning, redaction, troubleshooting, and automation posture.

Guide

CLI

Exact public surface for vnactl and virtnosis-agent.

CLI

Man pages

Reader-friendly command and protocol references with the same public surface as the repo manuals.

Man