Can I use CISA KEV as a CLI?

Yes. KosmoKrator exposes a CISA KEV CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose CISA KEV through MCP?

Yes. The KosmoKrator MCP gateway can expose selected CISA KEV tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are CISA KEV credentials stored?

CISA KEV credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for CISA KEV MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

CISA KEV Lua API for KosmoKrator Agents

Agent-facing Lua documentation and function reference for the CISA KEV KosmoKrator integration.

Lua Namespace

Agents call this integration through app.integrations.cisa_kev.*. Use lua_read_doc("integrations.cisa-kev") inside KosmoKrator to discover the same reference at runtime.

Call Lua from the Headless CLI

Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic CISA KEV workflow without starting an interactive agent session.

Inline Lua call

kosmo integrations:lua --eval 'dump(app.integrations.cisa_kev.catalog({}))' --json

Read Lua docs headlessly

kosmo integrations:lua --eval 'print(docs.read("cisa-kev"))' --json
kosmo integrations:lua --eval 'print(docs.read("cisa-kev.catalog"))' --json

Workflow file

Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.

workflow.lua

local cisa_kev = app.integrations.cisa_kev
local result = cisa_kev.catalog({})

dump(result)

Run the workflow

kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json

Namespace note. integrations:lua exposes app.integrations.cisa_kev, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.cisa_kev.default.* or app.integrations.cisa_kev.work.* when you configured named credential accounts.

MCP-only Lua

If the script only needs configured MCP servers and does not need CISA KEV, use the narrower mcp:lua command.

MCP Lua command

# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json

Agent-Facing Lua Docs

This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.

CISA KEV

Namespace: cisa-kev

Use this integration to inspect CISA’s Known Exploited Vulnerabilities catalog: the official JSON feed, filtered vulnerability views, CVE lookup, recent additions, JSON schema, CSV export, and license text.

Authentication

The CISA KEV catalog assets are public and require no credentials.

Tools

cisa_kev_catalog: retrieves the full official JSON catalog.
cisa_kev_search: filters catalog entries by cve_id, vendor, product, q, cwe, known_ransomware_campaign_use, date_added_from, date_added_to, due_date_from, due_date_to, limit, and offset.
cisa_kev_get_vulnerability: retrieves one catalog entry by exact CVE ID.
cisa_kev_recent: lists recent entries sorted by dateAdded descending.
cisa_kev_schema: retrieves the official JSON schema.
cisa_kev_csv: retrieves the official CSV export as text.
cisa_kev_license: retrieves the official license text.

Return Notes

The JSON catalog keeps CISA field names intact, including cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate, knownRansomwareCampaignUse, notes, and cwes.

cisa_kev_search returns catalog metadata plus total, offset, limit, and the matching vulnerabilities page. Filters are applied client-side over the official JSON feed.

Examples

local recent = tools.cisa_kev_recent({
  since = "2026-05-01",
  limit = 10
})

local microsoft = tools.cisa_kev_search({
  vendor = "Microsoft",
  known_ransomware_campaign_use = "Known",
  limit = 25
})

local entry = tools.cisa_kev_get_vulnerability({
  cve_id = "CVE-2026-0300"
})

Use this catalog as exploited-in-the-wild prioritization data. It does not replace CVSS, EPSS, asset exposure, compensating controls, or vendor advisories.

Raw agent markdown

# CISA KEV

Namespace: `cisa-kev`

Use this integration to inspect CISA's Known Exploited Vulnerabilities catalog:
the official JSON feed, filtered vulnerability views, CVE lookup, recent
additions, JSON schema, CSV export, and license text.

## Authentication

The CISA KEV catalog assets are public and require no credentials.

## Tools

- `cisa_kev_catalog`: retrieves the full official JSON catalog.
- `cisa_kev_search`: filters catalog entries by `cve_id`, `vendor`, `product`,
  `q`, `cwe`, `known_ransomware_campaign_use`, `date_added_from`,
  `date_added_to`, `due_date_from`, `due_date_to`, `limit`, and `offset`.
- `cisa_kev_get_vulnerability`: retrieves one catalog entry by exact CVE ID.
- `cisa_kev_recent`: lists recent entries sorted by `dateAdded` descending.
- `cisa_kev_schema`: retrieves the official JSON schema.
- `cisa_kev_csv`: retrieves the official CSV export as text.
- `cisa_kev_license`: retrieves the official license text.

## Return Notes

The JSON catalog keeps CISA field names intact, including `cveID`,
`vendorProject`, `product`, `vulnerabilityName`, `dateAdded`,
`shortDescription`, `requiredAction`, `dueDate`,
`knownRansomwareCampaignUse`, `notes`, and `cwes`.

`cisa_kev_search` returns catalog metadata plus `total`, `offset`, `limit`, and
the matching `vulnerabilities` page. Filters are applied client-side over the
official JSON feed.

## Examples

```lua
local recent = tools.cisa_kev_recent({
  since = "2026-05-01",
  limit = 10
})

local microsoft = tools.cisa_kev_search({
  vendor = "Microsoft",
  known_ransomware_campaign_use = "Known",
  limit = 25
})

local entry = tools.cisa_kev_get_vulnerability({
  cve_id = "CVE-2026-0300"
})
```

Use this catalog as exploited-in-the-wild prioritization data. It does not
replace CVSS, EPSS, asset exposure, compensating controls, or vendor advisories.

Metadata-derived Lua example

local result = app.integrations.cisa_kev.catalog({})
print(result)

Functions

catalog Read

Retrieve the full CISA KEV JSON catalog.

Lua path: app.integrations.cisa_kev.catalog
Full name: cisa-kev.cisa_kev_catalog

Parameter	Type	Required	Description
No parameters.

search Read

Search and filter CISA KEV vulnerabilities client-side.

Lua path: app.integrations.cisa_kev.search
Full name: cisa-kev.cisa_kev_search

Parameter	Type	Required	Description
No parameters.

get_vulnerability Read

Retrieve one KEV catalog entry by CVE ID.

Lua path: app.integrations.cisa_kev.get_vulnerability
Full name: cisa-kev.cisa_kev_get_vulnerability

Parameter	Type	Required	Description
No parameters.

recent Read

List recently added KEV catalog entries.

Lua path: app.integrations.cisa_kev.recent
Full name: cisa-kev.cisa_kev_recent

Parameter	Type	Required	Description
No parameters.

schema Read

Retrieve the official CISA KEV JSON schema.

Lua path: app.integrations.cisa_kev.schema
Full name: cisa-kev.cisa_kev_schema

Parameter	Type	Required	Description
No parameters.

csv Read

Retrieve the official CISA KEV CSV export.

Lua path: app.integrations.cisa_kev.csv
Full name: cisa-kev.cisa_kev_csv

Parameter	Type	Required	Description
No parameters.

license Read

Retrieve the CISA KEV feed license text.

Lua path: app.integrations.cisa_kev.license
Full name: cisa-kev.cisa_kev_license

Parameter	Type	Required	Description
No parameters.