What is Vulkro?
Vulkro is an offline-first API security scanner and codebase intelligence tool. It extracts every HTTP endpoint in your codebase without running anything, scans for OWASP API Top 10:2023 vulnerabilities, matches dependencies against a local CVE bundle (OSV + NVD + CISA KEV + EPSS), audits git history for committed secrets, and produces an evidence trail nine compliance frameworks can read.
No AI. No network calls (when you set VULKRO_OFFLINE=1). No telemetry. No runtime required by your app.
Why it exists
Most security scanners assume a SaaS posture: you ship your code to their cloud, they ship findings back. That posture is a non-starter for regulated industries, on-premise teams, and air-gapped environments - and it makes reproducible CI gating awkward (the model on their cloud last week is not guaranteed to be the model that scans your PR today).
Vulkro is the opposite shape:
- One binary, deterministic. Same input, same output, every run.
- Local everything. Findings, scan history, triage state, CVE bundle - all on your machine.
- CI-ready as a black box. Exit 1 on Critical/High after --min-confidence filtering, SARIF / JUnit / GitHub-PR-comment outputs.
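The CI gate semantics described above (drop findings below --min-confidence, then fail the build on Critical/High) re-applied to a SARIF artifact, as an added example that is not Vulkro's own code. It assumes each SARIF result carries "severity" and "confidence" keys in its properties bag; the page does not document Vulkro's actual property names, and the sample SARIF is constructed.

```python
"""Re-apply a Vulkro-style CI gate to a SARIF file: filter by minimum
confidence, then return exit status 1 if any Critical/High finding survives.
Added example, not Vulkro's code. ASSUMPTION: severity and confidence live in
each result's SARIF `properties` bag under "severity" and "confidence"."""
import json
import sys

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}
FAILING_SEVERITIES = {"critical", "high"}

# Constructed minimal SARIF 2.1.0 document so the example runs offline.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "vulkro"}},
        "results": [
            {"ruleId": "idor-unscoped-lookup", "level": "error",
             "properties": {"severity": "high", "confidence": "medium"}},
            {"ruleId": "ssrf-user-controlled-url", "level": "error",
             "properties": {"severity": "critical", "confidence": "low"}},
            {"ruleId": "weak-hash-md5", "level": "warning",
             "properties": {"severity": "medium", "confidence": "high"}},
        ],
    }],
})


def filter_by_confidence(sarif_text: str, min_confidence: str) -> list:
    """Keep only results whose confidence is at least `min_confidence`."""
    threshold = CONFIDENCE_RANK[min_confidence]
    kept = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            conf = result.get("properties", {}).get("confidence", "low")
            if CONFIDENCE_RANK.get(conf, 0) >= threshold:
                kept.append(result)
    return kept


def gate_exit_code(sarif_text: str, min_confidence: str) -> int:
    """Exit 1 when a surviving result is Critical/High, otherwise 0."""
    for result in filter_by_confidence(sarif_text, min_confidence):
        if result.get("properties", {}).get("severity") in FAILING_SEVERITIES:
            return 1
    return 0


if __name__ == "__main__":
    # Usage: python gate.py [min-confidence] < findings.sarif
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    sys.exit(gate_exit_code(sys.stdin.read(), level))
```

With the constructed sample, `--min-confidence high` leaves only the medium-severity finding and passes, while `medium` keeps the high-severity IDOR and fails; the same findings file yields the same verdict on every run, which is the reproducibility property the bullets above are about.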
What it covers
| Surface | What you get |
|---|---|
| Discovery | Every HTTP route from Node/TS (Express, Fastify, NestJS, Next.js App+Pages, Koa, Hono, Elysia, AdonisJS, tRPC) |
| Auth model | AuthTier (Anonymous / User / Admin / Service / Machine / Unknown), per-endpoint scopes, TenantScoping (ScopedByTenant / GlobalNoTenant / Unknown). BFLA + IDOR rules consult this metadata to suppress findings already covered by visible auth gates. |
| Security | OWASP API Top 10:2023 + LLM Top 10, plus 50+ specialised detectors (IDOR, CSRF, SSTI, XSS, command/SQL injection, SSRF, mass assignment, webhook signature bypass, weak crypto, slopsquat-style typosquatted packages, GraphQL safe-pattern checks). |
| Secrets | Hardcoded keys/tokens/passwords across .env, source, config, IaC, k8s manifests. Provider-format escalation. Git-history audit (last 500 commits, up to 2 years). |
| Dependencies | Local CVE matching against OSV + NVD. KEV / EPSS prioritisation. Reachability gating (--reachable-only drops findings whose vulnerable symbols aren't called from your code). |
| Cross-service intelligence | vulkro portfolio correlates outgoing HTTP calls in repo A against provider endpoints in repo B (consumer-to-producer matching). Emits cross-service taint flows ("PII flows from frontend-app to users-service via POST /api/users"). |
| OpenAPI emit | vulkro openapi <path> generates an OpenAPI 3.1 spec from your discovered endpoints with x-vulkro-tier, x-vulkro-scopes, x-vulkro-tenant-scoped extensions. The inverse of the spec-vs-code drift check. |
| RBAC matrix | vulkro rbac <path> emits a Markdown or JSON matrix of METHOD PATH x AuthTier for audit handoff. |
| Compliance | Map findings to ASVS, OWASP Top 10:2021, PCI-DSS 4.0, SOC 2, HIPAA, NIST SSDF, ISO 27001, CIS v8, GDPR. vulkro compliance-pack --framework soc2|iso27001|hipaa writes an audit-ready evidence bundle (manifest + per-control JSON + CSV + Markdown summary). |
| Privacy | PII / PHI inventory in API request and response shapes. |
| DAST | vulkro probe --base-url <url> runtime-confirms 13 attack classes against a running app. |
| Containers | vulkro container <image> scans a built Docker image (apk + deb installed packages) against the local CVE database. |
| Editor integration | LSP server + VSCode extension scaffold. Diagnostics on save, hover-to-explain, quick-fix code actions. |
| Self-update | Opportunistic check against the Vulkro release feed on every invocation, cached 24 h. Opt out with VULKRO_NO_UPDATE_CHECK=1. vulkro upgrade runs the install script explicitly. |
What it does not do
- It does not run your code. Scans are static.
- It does not exfiltrate findings. The default install fetches a signed CVE bundle on first run; VULKRO_OFFLINE=1 skips that.
- It does not replace a manual code review. It surfaces 80% of the findings a reviewer would find at 1% of the wall-clock cost.
- It does not pretend to be perfect. The benchmark - measured on 13 deliberately vulnerable repos and 8 popular real SaaS codebases - is published, reproducible, and used as a CI gate on every detector PR. See Benchmark.
Headline at production-recommended settings (--min-confidence high) on the popular-SaaS Tier 3 corpus: vulkro emits 523 findings vs Semgrep CE 1,992 vs Bearer 2.0 6,906 - vulkro is the quietest of the three on 6 of 8 repos.
Where to go next
- Install - one-line installer for macOS, Linux, and Windows.
- Run your first scan - vulkro scan . and what to do with the output.
- Drop into CI - copy-paste GitHub Actions / GitLab CI / pre-commit configs.