26.5 · May 15 Try it free →
Getting started

Updating PII Crawler

Last updated May 2026

PII Crawler ships as a single binary, so updating is a swap: download the new build, replace the old file, done. The fastest way is the built-in piicrawler update command, which fetches the latest build for your platform, verifies its SHA-256, and replaces the running binary in place. If you would rather do it yourself, the manual steps below still work.

Your data is never touched by an update. Scans, findings, triage verdicts, custom regex rules, terms lists, and your license all live in ~/.piicrawler/piicrawler.db (the same path on Linux, macOS, and Windows, relative to your home directory) — completely separate from the piicrawler binary. Replacing the binary preserves everything.

Update in place with piicrawler update

piicrawler update

What it does:

  1. Fetches https://downloads.eligian.com/piicrawler-cli-<platform>.json for your OS / architecture.
  2. Compares the build timestamp baked into your running binary against the published one and tells you whether an update is available.
  3. Asks for [y/N] confirmation, then downloads the matching archive, verifies its SHA-256 against the metadata, extracts the binary, and atomically replaces the file at std::env::current_exe() (the path of the binary you just ran).

Useful flags:

  • --yes / -y — skip the confirmation prompt (for scripted upgrades).
  • --force / -f — reinstall even when the local build is already at or newer than the published one.

Platform notes:

  • Linux and macOS swap the file with rename(2). Any already-running piicrawler processes (e.g. a long serve or watch) keep using the old binary until they exit; new invocations pick up the new build.
  • Windows cannot overwrite a running .exe, so the live binary is renamed to piicrawler.exe.old and the new bytes are written at the original path. Delete piicrawler.exe.old once no piicrawler.exe processes remain. The Windows update path always pulls the Azure-Trusted-Signing-signed zip (piicrawler-cli-windows-signed.zip), so SmartScreen continues to recognise the binary across upgrades.
  • If your platform or architecture is not currently published (for example Linux ARM), the command exits with a friendly error and points you at the download page. Use the manual steps below in that case.

If the install path is in a privileged directory (for instance /usr/local/bin/), run sudo piicrawler update so the swap has permission to write there.

Check your current version

Run:

piicrawler help

The first line of the output is PIICrawler v<version>. The TUI also shows the running version in its title bar.

The latest published version is on the download page.

Manual update steps

If you prefer to update by hand (for example because the install path needs administrative permissions, or you are deploying with a configuration management tool), download the build for your OS from the download page, then overwrite the binary in the same location you installed it.

macOS (Apple Silicon)

unzip piicrawler-cli-macos-arm.zip
sudo mv -f piicrawler /usr/local/bin/

The new build is signed and notarized, so Gatekeeper will not prompt again on launch.

Linux (x86_64)

tar -xzf piicrawler-cli-linux.tar.gz
sudo mv -f piicrawler /usr/local/bin/

Windows (x86_64)

  1. Quit any running piicrawler.exe process (the TUI, serve, or watch) — Windows will not let you overwrite a binary that is in use.
  2. Unzip piicrawler-cli-windows.zip.
  3. Move piicrawler.exe into the same folder you installed it (e.g. C:\Users\<you>\bin), overwriting the old file.

Verify the upgrade

piicrawler help

The version on the first line should match the build you just installed.

Air-gapped environments

In an air-gapped environment, transfer the new binary the same way you transferred the original (USB, internal mirror, your approved software-distribution channel) and follow the steps above. Your existing scans and license remain intact.

Was this page helpful?