What is Vulkro?
Vulkro is an offline-first API security scanner and codebase intelligence tool. It extracts every HTTP endpoint in your codebase without running anything, scans for OWASP API Top 10:2023 vulnerabilities, matches dependencies against a local CVE bundle (OSV + NVD + CISA KEV + EPSS), audits git history for committed secrets, and produces an evidence trail nine compliance frameworks can read.
It does full source analysis for Python, JavaScript/TypeScript, and Go on the Free tier, and for Java/Spring and more on the trial and Pro. Java gets first-class Spring Boot support: endpoint and access-control extraction, 30 dedicated detectors, cross-method taint, and Maven dependency-CVE matching (see Java and Spring). Other ecosystems still get dependency-CVE (SCA) matching from their manifests. Salesforce (Apex, Lightning Web Components, Aura, Flow, Visualforce, and metadata) is the separate Vulkro for Salesforce product, not this scanner. See Supported languages and frameworks. The free Vulkro Labs tools that vet what your AI agent pulls into a project are documented under Vulkro Labs.
No AI. No network calls (when you set VULKRO_OFFLINE=1 with a license
file). No content telemetry: the account entitlement check sends six usage
fields (product, install id, version, OS, timestamp, scan count), never
code, paths, or findings. No runtime required by your app. An account is
required to scan; a 14-day trial of the full product starts on
your first vulkro login.
Why it exists
Most security scanners assume a SaaS posture: you ship your code to their cloud, they ship findings back. That posture is a non-starter for regulated industries, on-premise teams, and air-gapped environments - and it makes reproducible CI gating awkward (the model on their cloud last week is not guaranteed to be the model that scans your PR today).
Vulkro is the opposite shape:
- One binary, deterministic. Same input, same output, every run.
- Local everything. Findings, scan history, triage state, CVE bundle - all on your machine.
- CI-ready as a black box. Exit
1on Critical/High after--min-confidencefiltering, SARIF / JUnit / GitHub-PR-comment outputs.
What it covers
| Surface | What you get |
|---|---|
| Discovery | Every HTTP route from Node/TS (Express, Fastify, NestJS, Next.js App+Pages, Koa, Hono, Elysia, AdonisJS, tRPC), Python (FastAPI, Flask, Django+DRF+Ninja, Starlette, aiohttp, Tornado, Litestar - with include_router(prefix=) / Blueprint(url_prefix=) / urls.py correlation so paths match what the server actually serves), Go (net/http, gin, echo, chi, fiber, gorilla mux), and Java/Spring (the Spring MVC mapping annotations with class-level base paths, plus JAX-RS). |
| Auth model | AuthTier (Anonymous / User / Admin / Service / Machine / Unknown), per-endpoint scopes, TenantScoping (ScopedByTenant / GlobalNoTenant / Unknown). BFLA + IDOR rules consult this metadata to suppress findings already covered by visible auth gates. |
| Security | OWASP API Top 10:2023 + LLM Top 10, plus 50+ specialised detectors (IDOR, CSRF, SSTI, XSS, command/SQL injection, SSRF, mass assignment, webhook signature bypass, weak crypto, slopsquat-style typosquatted packages, GraphQL safe-pattern checks). |
| Secrets | Hardcoded keys/tokens/passwords across .env, source, config, IaC, k8s manifests. Provider-format escalation. Git-history audit (last 500 commits, up to 2 years). |
| Dependencies | Local CVE matching against OSV + NVD. KEV / EPSS prioritisation. Reachability gating (--reachable-only drops findings whose vulnerable symbols aren't called from your code). |
| Cross-service intelligence | vulkro portfolio correlates outgoing HTTP calls in repo A against provider endpoints in repo B (consumer-to-producer matching). Emits cross-service taint flows ("PII flows from frontend-app to users-service via POST /api/users"). |
| OpenAPI emit | vulkro openapi <path> generates an OpenAPI 3.1 spec from your discovered endpoints with x-vulkro-tier, x-vulkro-scopes, x-vulkro-tenant-scoped extensions. The inverse of the spec-vs-code drift check. |
| RBAC matrix | vulkro rbac <path> emits a Markdown or JSON matrix of METHOD PATH x AuthTier for audit handoff. |
| Compliance | Map findings to ASVS, OWASP Top 10:2021, PCI-DSS 4.0, SOC 2, HIPAA, NIST SSDF, ISO 27001, CIS v8, GDPR. vulkro compliance-pack --framework soc2|iso27001|hipaa writes an audit-ready evidence bundle (manifest + per-control JSON + CSV + Markdown summary). |
| Privacy | PII / PHI inventory in API request and response shapes. |
| DAST | vulkro probe --base-url <url> runtime-confirms 13 attack classes against a running app. |
| Containers | vulkro container <image> scans a built Docker image (apk + deb installed packages) against the local CVE database. |
| Editor integration | LSP server + VSCode extension scaffold. Diagnostics on save, hover-to-explain, quick-fix code actions. |
| Self-update | Opportunistic check against the Vulkro release feed on every invocation, cached 24 h. Opt out with VULKRO_NO_UPDATE_CHECK=1. vulkro update does a fresh check, prompts to run the install script, then refreshes CVE data. |
What it does not do
- It does not run your code. Scans are static.
- It does not exfiltrate findings. The default install fetches a signed CVE
bundle on first run;
VULKRO_OFFLINE=1skips that. - It does not replace a manual code review. It surfaces a large share of the findings a reviewer would flag, in a fraction of the wall-clock time, and publishes its exact precision and recall on a reproducible benchmark.
- It does not pretend to be perfect. The benchmark - measured on 13 deliberately
vulnerable repos and 8 popular real SaaS codebases - is published, reproducible,
and used as a CI gate on every detector PR. See Benchmark.
Headline at production-recommended settings (
--min-confidence high) on the popular-SaaS Tier 3 corpus: vulkro emits 523 findings vs Semgrep CE 1,992 vs Bearer 2.0 6,906 - vulkro is the quietest of the three on 6 of 8 repos.
Where to go next
- Install - one-line installer for macOS, Linux, and Windows.
- Run your first scan -
vulkro scan .and what to do with the output. - Java and Spring - full SAST for Java with first-class Spring Boot support.
- Benchmark - the reproducible, same-corpus comparison against six other scanners.
- Drop into CI - copy-paste GitHub Actions / GitLab CI / pre-commit configs.