goharbor · bupd · Apr 21, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/cmd/harbor/root/cmd.go b/cmd/harbor/root/cmd.go
@@ -85,7 +85,7 @@ harbor help
 		},
 	}
 
-	root.PersistentFlags().StringVarP(&output, "output-format", "o", "", "Output format. One of: json|yaml")
+	root.PersistentFlags().StringVarP(&output, "output-format", "o", "", "Output format. One of: json|yaml|csv")
 	root.PersistentFlags().StringVarP(&cfgFile, "config", "c", "", "config file (default is $HOME/.config/harbor-cli/config.yaml)")
 	root.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "verbose output")
 

diff --git a/cmd/harbor/root/vulnerability/cmd.go b/cmd/harbor/root/vulnerability/cmd.go
@@ -26,6 +26,7 @@ func Vulnerability() *cobra.Command {
 
 	cmd.AddCommand(
 		GetVulnerabilitySummaryCommand(),
+		ListVulnerabilitiesCommand(),
 	)
 
 	return cmd

diff --git a/cmd/harbor/root/vulnerability/list.go b/cmd/harbor/root/vulnerability/list.go
@@ -0,0 +1,123 @@
+// Copyright Project Harbor Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package vulnerability
+
+import (
+	"fmt"
+
+	"github.com/goharbor/go-client/pkg/sdk/v2.0/models"
+	"github.com/goharbor/harbor-cli/pkg/api"
+	"github.com/goharbor/harbor-cli/pkg/utils"
+	vulnlist "github.com/goharbor/harbor-cli/pkg/views/vulnerability/list"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func ListVulnerabilitiesCommand() *cobra.Command {
+	var opts api.ListVulnerabilityOptions
+
+	cmd := &cobra.Command{
+		Use:     "list",
+		Short:   "List vulnerabilities in Security Hub",
+		Long:    "List vulnerabilities from Harbor Security Hub",
+		Example: `  harbor vulnerability list`,
+		Args:    cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if opts.Page < 1 {
+				return fmt.Errorf("page number must be greater than or equal to 1")
+			}
+
+			if opts.PageSize <= 0 || opts.PageSize > 100 {
+				return fmt.Errorf("page size must be greater than 0 and less than or equal to 100")
+			}
+
+			allVulnerabilities, hasNext, err := fetchVulnerabilities(opts)
+			if err != nil {
+				return fmt.Errorf("failed to list vulnerabilities: %v", utils.ParseHarborErrorMsg(err))
+			}
+
+			if len(allVulnerabilities) == 0 {
+				log.Info("No vulnerabilities found")
+				return nil
+			}
+
+			formatFlag := viper.GetString("output-format")
+			if formatFlag != "" {
+				err = utils.PrintFormat(allVulnerabilities, formatFlag)
+				if err != nil {
+					return err
+				}
+			} else {
+				vulnlist.ViewVulnerabilityList(allVulnerabilities, hasNext)
+			}
+
+			return nil
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.Int64VarP(&opts.Page, "page", "", 1, "Page number")
+	flags.Int64VarP(&opts.PageSize, "page-size", "", 10, "Size of per page")
+	flags.StringVarP(&opts.CVEID, "cve-id", "", "", "Filter by exact CVE ID")
+	flags.StringVarP(&opts.CVSSScore, "cvss-score", "", "", "Filter by CVSS v3 score range (e.g. 7.0~10.0) or exact score (e.g. 7.0)")
+	flags.StringVarP(&opts.Severity, "severity", "", "", "Filter by severity level")
+	flags.StringVarP(&opts.Repository, "repository", "", "", "Filter by exact repository name")
+	flags.StringVarP(&opts.ProjectName, "project-name", "", "", "Filter by exact project name")
+	flags.StringVarP(&opts.Package, "package", "", "", "Filter by exact package name")
+	flags.StringVarP(&opts.Tag, "tag", "", "", "Filter by exact artifact tag")
+	flags.StringVarP(&opts.Digest, "digest", "", "", "Filter by exact artifact digest")
+	flags.StringVarP(&opts.Exclude, "exclude", "", "", "Exclude vulnerabilities using a ',' separated query string (e.g., k=v or k=[min~max])")
+	flags.BoolVarP(&opts.Fixable, "fixable", "", false, "Only show fixable vulnerabilities")
+	flags.BoolVarP(&opts.All, "all", "", false, "Show all vulnerabilities (up to 1000)")
+
+	return cmd
+}
+
+func fetchVulnerabilities(opts api.ListVulnerabilityOptions) ([]*models.VulnerabilityItem, bool, error) {
+	if opts.All {
+		var allVulnerabilities []*models.VulnerabilityItem
+
+		log.Debug("Fetching all vulnerabilities")
+		opts.PageSize = 100
+		opts.Page = 1
+
+		for {
+			vulnerabilities, err := api.ListVulnerabilities(opts)
+			if err != nil {
+				return nil, false, err
+			}
+
+			if len(vulnerabilities) == 0 {
+				break
+			}
+
+			allVulnerabilities = append(allVulnerabilities, vulnerabilities...)
+			opts.Page++
+
+			if opts.Page > 10 {
+				return allVulnerabilities, true, nil
+			}
+		}
+
+		return allVulnerabilities, false, nil
+	}
+
+	vulnerabilities, err := api.ListVulnerabilities(opts)
+	if err != nil {
+		return nil, false, err
+	}
+
+	return vulnerabilities, false, nil
+}
diff --git a/doc/cli-docs/harbor-artifact-delete.md b/doc/cli-docs/harbor-artifact-delete.md
@@ -22,7 +22,7 @@ harbor artifact delete [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-label-add.md b/doc/cli-docs/harbor-artifact-label-add.md
@@ -38,7 +38,7 @@ harbor artifact label add [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-label-delete.md b/doc/cli-docs/harbor-artifact-label-delete.md
@@ -40,7 +40,7 @@ harbor artifact label delete [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-label-list.md b/doc/cli-docs/harbor-artifact-label-list.md
@@ -46,7 +46,7 @@ harbor artifact label list [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-label.md b/doc/cli-docs/harbor-artifact-label.md
@@ -30,7 +30,7 @@ harbor artifact label del <project>/<repository>/<reference> <label name>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-list.md b/doc/cli-docs/harbor-artifact-list.md
@@ -38,7 +38,7 @@ harbor artifact list [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-scan-start.md b/doc/cli-docs/harbor-artifact-scan-start.md
@@ -32,7 +32,7 @@ harbor artifact scan start <project>/<repository>/<reference>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-scan-stop.md b/doc/cli-docs/harbor-artifact-scan-stop.md
@@ -32,7 +32,7 @@ harbor artifact scan stop <project>/<repository>/<reference>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-scan.md b/doc/cli-docs/harbor-artifact-scan.md
@@ -28,7 +28,7 @@ harbor artifact scan start <project>/<repository>/<reference>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-tags-create.md b/doc/cli-docs/harbor-artifact-tags-create.md
@@ -28,7 +28,7 @@ harbor artifact tags create <project>/<repository>/<reference> <tag>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-tags-delete.md b/doc/cli-docs/harbor-artifact-tags-delete.md
@@ -28,7 +28,7 @@ harbor artifact tags delete <project>/<repository>/<reference> <tag>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-tags-list.md b/doc/cli-docs/harbor-artifact-tags-list.md
@@ -28,7 +28,7 @@ harbor artifact tags list <project>/<repository>/<reference>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-tags.md b/doc/cli-docs/harbor-artifact-tags.md
@@ -24,7 +24,7 @@ weight: 85
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact-view.md b/doc/cli-docs/harbor-artifact-view.md
@@ -32,7 +32,7 @@ harbor artifact view <project>/<repository>:<tag> OR harbor artifact view <proje
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-artifact.md b/doc/cli-docs/harbor-artifact.md
@@ -28,7 +28,7 @@ Manage artifacts in Harbor Repository
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-config-apply.md b/doc/cli-docs/harbor-config-apply.md
@@ -37,7 +37,7 @@ harbor config apply -f <config_file>
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-config-view.md b/doc/cli-docs/harbor-config-view.md
@@ -44,7 +44,7 @@ harbor config view [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-config.md b/doc/cli-docs/harbor-config.md
@@ -55,7 +55,7 @@ Categories available:
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-context-delete.md b/doc/cli-docs/harbor-context-delete.md
@@ -45,7 +45,7 @@ harbor context delete <item> [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-context-get.md b/doc/cli-docs/harbor-context-get.md
@@ -40,7 +40,7 @@ harbor context get <item> [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-context-list.md b/doc/cli-docs/harbor-context-list.md
@@ -28,7 +28,7 @@ harbor context list [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-context-switch.md b/doc/cli-docs/harbor-context-switch.md
@@ -28,7 +28,7 @@ harbor context switch harbor-cli@https-demo-goharbor-io
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-context-update.md b/doc/cli-docs/harbor-context-update.md
@@ -41,7 +41,7 @@ harbor context update <item> <value> [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-context.md b/doc/cli-docs/harbor-context.md
@@ -29,7 +29,7 @@ harbor context list
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-cve-allowlist-add.md b/doc/cli-docs/harbor-cve-allowlist-add.md
@@ -29,7 +29,7 @@ harbor cve-allowlist add [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-cve-allowlist-list.md b/doc/cli-docs/harbor-cve-allowlist-list.md
@@ -22,7 +22,7 @@ harbor cve-allowlist list [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-cve-allowlist.md b/doc/cli-docs/harbor-cve-allowlist.md
@@ -28,7 +28,7 @@ harbor cve-allowlist list
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```
 

diff --git a/doc/cli-docs/harbor-health.md b/doc/cli-docs/harbor-health.md
@@ -28,7 +28,7 @@ harbor health [flags]
 
 ```sh
   -c, --config string          config file (default is $HOME/.config/harbor-cli/config.yaml)
-  -o, --output-format string   Output format. One of: json|yaml
+  -o, --output-format string   Output format. One of: json|yaml|csv
   -v, --verbose                verbose output
 ```