The best offline, airgapped SAST scanner
If you searched for an offline SAST tool, you already know the constraint: the code cannot leave the building. This page explains how Vulkro runs its entire analysis, including dependency and CVE checks, on a machine with no internet access, and what the trade-offs are.
The offline security scanner that beats Semgrep CE and Bearer on a published, reproducible benchmark. Your source code never leaves your machine.
The empty quadrant: paid, offline, single-binary
Plot the SAST market on two axes (does it run fully offline, and is it a paid product with a vendor on the hook) and one quadrant is nearly empty:
| Offline single-binary | Cloud / SaaS | |
|---|---|---|
| Free / OSS | Semgrep CE, Bearer CLI, Trivy | many free tiers |
| Paid, vendor-backed | Vulkro | Snyk, Semgrep AppSec, CodeScan, Checkmarx |
The free offline tools exist and are good, but you get community support and no benchmark you can hold a vendor to. The paid tools are almost all SaaS: to use them you connect a repo, upload code snippets, and accept telemetry. Vulkro sits in the empty quadrant: a paid, supported product that runs entirely on your machine as a single static binary, with a published benchmark you can reproduce.
What "offline" means here, precisely
- No source upload, ever. The detection engine runs locally. There is no "optional cloud feature" tier that quietly uploads code for deeper analysis.
- No content telemetry. The scanner never sends your code, file names, paths, or findings. The daily entitlement check carries exactly six usage fields (product, install id, version, operating system, timestamp, and a scan counter) and nothing else.
- An account, verified without your code. Vulkro requires an
account: sign up, run
vulkro login, and a 14-day trial of the full product starts on your first login. Air-gapped machines use a signed license file instead, verified locally with no network access. - Enforceable air-gap. Set
VULKRO_OFFLINE=1and the process makes zero network calls at the process boundary; with a license file installed the scanner runs fully disconnected. Deliver CVE bundles by USB, mirror, or internal feed for a truly disconnected machine.
See the air-gap install guide for the disconnected-machine workflow.
What it actually scans
One offline binary covers the surface that usually takes three or four tools:
- Application SAST across JavaScript/TypeScript, Python, Go, and Java (Spring): broken access control, injection, SSRF, IDOR, mass-assignment, auth bypass, found with cross-file taint flow.
- Secrets, including in your Git history.
- Infrastructure-as-code and container misconfiguration.
- Dependency CVEs (SCA) from a local bundle (OSV + NVD + KEV + EPSS) in the same scan.
- The OWASP API Top 10 and LLM Top 10 (LLM01 / LLM06).
The receipts: a benchmark you can reproduce
We do not ask you to trust a marketing claim. Vulkro publishes the benchmark harness, the ground-truth corpus, and the scoring code.
On our published corpus (15 deliberately vulnerable codebases, 90 catalogued bugs, of which 76 sit in the languages Vulkro analyzes deeply, scored at the default high-confidence setting):
| Vulkro | Semgrep CE 1.136.0 | Bearer 2.0.2 | |
|---|---|---|---|
| Catalogued bugs found (of 76) | 44 | 15 | 37 |
| False positives | 10 | 9 | 67 |
| Precision | 0.81 | 0.62 | 0.36 |
| Recall | 0.58 | 0.20 | 0.49 |
| F1 score | 0.68 | 0.30 | 0.41 |
| Total scan time | 34.4s | 38.6s | 247.5s |
That is 2.9x more catalogued bugs than Semgrep CE at higher precision in comparable scan time, and more bugs than Bearer with 6.7x fewer false positives at 7x its speed. In July 2026 we grew the ground truth from 69 to 90 bugs and published the recall drop that came with it; the corpus is versioned and the numbers regenerate from one command.
Clone the corpus, run the same commands, get the same numbers. The benchmark methodology walks through it end to end.
Why a closed-source product still publishes its benchmark
Vulkro's detectors are closed source: the detection engine is the licensed product, and that is what you pay for. What is public is the thing that matters for trust: the benchmark. The honest positioning is "publish the benchmark, ship reproducible results," not "read our detector code." You can verify the catch rate and the false-positive rate yourself without us handing over the rule engine.
Licensing built for offline buyers
An account is required; a 14-day trial of the full product starts on your first login, and Vulkro is licensed per seat, directly through our team: hello@vulkro.com. Air-gapped and strict-egress teams get a signed license file that satisfies the account requirement with no network access, plus offline CVE bundle delivery.
See the pricing page for how licensing works.
Honest scope
Offline is an architecture, not magic. Vulkro is a static analyzer: it does not probe running systems, it is not a DAST tool or a pentest, and its reachability ranking orders findings without claiming to prove exploitability. Deep analysis covers the languages listed above; other languages get dependency-CVE matching from the manifest, not code analysis.
Get started
curl -fsSL https://dist.vulkro.com/install.sh | sh
vulkro login
vulkro scan .
Your first login starts the 14-day trial. Then read the install guide for the air-gapped and offline-bundle variants.
See also: Vulkro vs Semgrep, Vulkro vs Bearer, Vulkro vs Trivy, Vulkro vs Snyk, Air-gap install, Benchmark.