# PCI-DSS 4.0

Profile name: `pci`
Vulkro evaluates the application-security-relevant requirements of PCI-DSS 4.0:
- Req 6 - Develop and Maintain Secure Systems and Applications
- Req 11 - Test Security of Systems and Networks Regularly
Network-segmentation, key-management, and physical-security requirements (Req 1, 3, 9, etc.) are out of scope for a static code scanner.
## Run it

```sh
vulkro compliance . --profile pci
```
## High-traffic mappings

| Vulkro finding category | PCI-DSS 4.0 |
|---|---|
| Injection | 6.2.4 |
| BrokenAuthentication | 8.3 |
| BrokenObjectLevelAuth | 7.2.5 |
| Hardcoded secret | 8.6.1 |
| Weak crypto | 4.2.1, 6.2.4 |
| XSS | 6.2.4 |
| CSRF | 6.2.4 |
| SecurityMisconfiguration | 6.4.1 |
| Vulnerable dependency | 6.3.1, 6.3.2 |
## Special handling

PCI-DSS 4.0 introduced explicit targeted-risk-analysis (TRA) documentation for
custom security controls. Vulkro's `confidence_reason` field is designed
to drop straight into a TRA: it explains why the engine fired and what
would mark the finding a false positive.
## Cardholder-data scope

Vulkro's privacy engine detects PCI-relevant fields in API request/response shapes:

`card_number`, `cc_number`, `pan`, `cvv`, `cvc`, `cv2`, `expiry`, `expire_date`

Findings on these fields are tagged with `compliance_controls: ["PCI 3.4", "PCI 3.5"]`
even when the underlying issue is something more general, such as an
"unencrypted log statement". This is useful for spotting cardholder-data leakage
that would not otherwise trip a security check.
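To make the cardholder-data tagging concrete, here is an added illustration of the idea (example code written for this page, not Vulkro's own engine): it walks a nested API request shape, normalizes each field name, matches it against the PCI field list above, and emits a finding that carries both the `compliance_controls` tag and a `confidence_reason` suitable for a TRA entry. The `Finding` structure, the `normalize`/`walk`/`scan_shape` helpers, the sample request shape and the false-positive wording are all assumptions for this example.

```python
"""Added example, not Vulkro code: tag PCI cardholder-data fields found in an
API request/response shape with the compliance controls the profile uses."""
import re
from dataclasses import dataclass

# Field names the PCI profile treats as cardholder data (normalized form).
PCI_FIELDS = {"card_number", "cc_number", "pan", "cvv", "cvc", "cv2",
              "expiry", "expire_date"}
# Controls attached to every finding on such a field.
PCI_CONTROLS = ["PCI 3.4", "PCI 3.5"]


def normalize(name: str) -> str:
    """Map CamelCase / kebab-case names onto the snake_case list above.

    "CardNumber" -> "card_number", "cc-number" -> "cc_number".
    """
    snake = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return snake.replace("-", "_").lower()


@dataclass
class Finding:
    # Assumed finding structure: JSON path, the general issue that fired,
    # PCI controls tagged on, and the TRA-ready confidence explanation.
    path: str
    issue: str
    compliance_controls: list
    confidence_reason: str


def walk(shape, prefix: str = ""):
    """Yield (json_path, key) for every key in a nested dict/list shape."""
    if isinstance(shape, dict):
        for key, value in shape.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path, key
            yield from walk(value, path)
    elif isinstance(shape, list):
        for i, value in enumerate(shape):
            yield from walk(value, f"{prefix}[{i}]")


def scan_shape(shape, issue: str = "unencrypted log statement") -> list:
    """Return a Finding for each PCI-relevant field in the shape.

    `issue` is the general problem the engine saw (e.g. the field is written
    to a log); the PCI tag is added on top of it, as the profile describes.
    """
    findings = []
    for path, key in walk(shape):
        norm = normalize(key)
        if norm in PCI_FIELDS:
            findings.append(Finding(
                path=path,
                issue=issue,
                compliance_controls=list(PCI_CONTROLS),
                confidence_reason=(
                    f"field '{key}' normalizes to '{norm}', which is on the PCI "
                    "cardholder-data list; false positive if the field carries "
                    "a tokenized or truncated value rather than raw card data"
                ),
            ))
    return findings


# Constructed sample request shape (not from any real API).
SAMPLE_REQUEST = {
    "customer": {"email": "string", "CardNumber": "string", "cvv": "string"},
    "items": [{"sku": "string", "qty": 1}],
    "expiry": "MM/YY",
}

if __name__ == "__main__":
    for f in scan_shape(SAMPLE_REQUEST):
        print(f"{f.path}: {f.issue} {f.compliance_controls}")
        print(f"  confidence_reason: {f.confidence_reason}")
```

Running it on the constructed shape reports `customer.CardNumber`, `customer.cvv` and `expiry`, each tagged `["PCI 3.4", "PCI 3.5"]`, while `email`, `sku` and `qty` produce nothing; the `confidence_reason` string is the piece a reviewer would paste into the TRA record.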