Skip to main content

vulkro scan

The full security pipeline: endpoint extraction + OWASP API Top 10:2023 + secrets + dependencies (CVE) + taint + reachability + privacy + IaC + git history. Exit 1 on any Critical/High finding (after --min-confidence).

Usage

vulkro scan [PATH] [FLAGS]

Arguments

ArgumentDescriptionDefault
PATHProject root..

Flags

FlagDescription
--format, -f <FMT>table, json, sarif, gh-pr, junit, csv, cyclonedx, spdx, pdf, ropa-md, ropa-html. Default: table.
--verbose, -vShow file paths and line numbers per finding.
--savePersist the run to ~/.vulkro/scans.db and snapshot trends.
--baseline <FILE>Compare findings against a saved baseline JSON; only emit new findings. See also: Baselines explained.
--rules <PATH>Extra rule pack file or directory of *.toml files.
--profile <NAME>Attach a compliance evaluation: owasp-asvs, pci, soc2.
--min-confidence <LEVEL>medium (default), high, low. Filters before exit-code computation.
--all-confidence (alias --all)Equivalent to --min-confidence low. Surfaces every heuristic finding.
--gateApply the [quality_gate] section of vulkro.toml. Replaces the default Critical/High exit policy.
--validate-secretsOFF by default. When set, each detected secret is probed against its provider API and tagged [live], [dormant], or [unknown].
--gate-vs <REF>Restrict findings to lines that changed vs the given git ref. The exit code reflects only diff-scoped findings - the "block PRs that introduce new issues" lane.
--scope <KIND>all (default) shows every finding. src drops Dockerfile / lockfile / IaC / template / docs findings while keeping .env* and k8s manifests.

Confidence model

The default is --min-confidence medium - Medium and High findings emit; Low-confidence heuristic findings (test/example/migration code matches, pattern-only fires without corroboration) are hidden unless explicitly requested. Vulkro is tuned for high recall at the engine level and graduated precision at the display level.

vulkro scan .                          # medium + high (default - typical day-to-day)
vulkro scan . --min-confidence high    # high only - production-recommended for CI gates
vulkro scan . --all-confidence         # everything, including Low (audit / debug mode)

At --min-confidence high on the public 13-repo vulnerability corpus: precision 0.76, recall 0.57, F1 0.65 - beats Semgrep CE (F1 0.32) and Bearer (F1 0.45) outright. See Confidence model for the calibration table and the cumulative-evidence aggregator that governs how detector findings clear each tier.

Inline suppression

Add a comment in the source instead of a config file:

# vulkro-disable-next-line BrokenAuthentication
@router.get("/health")
def health(): ...
// vulkro-disable-next-line BrokenAuthentication
app.get("/internal/ping", noAuth);

/* vulkro-disable-next-line API1 */
db.query(`SELECT * FROM ${table}`);

vulkro-disable-file at the top silences every finding in that file. Suppression counts are reported in the scan summary so you can audit them.

Diff-scoped scans

Block PRs only on new findings vs a base ref:

vulkro scan . --gate-vs main

Findings outside the changed-line set are still reported in JSON for completeness but the exit code reflects only diff-scoped findings. Combine with --baseline for richer comparisons.

Persisting runs

vulkro scan . --save
vulkro history
vulkro diff main
vulkro trends

State lives at ~/.vulkro/scans.db (SQLite). vulkro diff matches findings by stable finding_key so re-orderings, whitespace changes, and refactors don't trip the diff.

Examples

# Default - colourised summary, exit 1 on Critical/High.
vulkro scan .

# CI: SARIF for code-scanning + a separate gating call.
vulkro scan . --format sarif > vulkro.sarif
vulkro scan . --min-confidence high          # gate

# PR-scoped review.
vulkro scan . --gate-vs origin/main --format gh-pr > comment.md

# Gather everything for an audit, scoped to source code only.
vulkro scan . --all-confidence --scope src --format json > audit.json
Last updated on