Desktop console
vulkro serve launches a local web app bound to the loopback address only
(127.0.0.1:8723, so it is reachable from this machine and not from the network) and
auto-opens your browser. State (projects, scans, triage, settings)
persists to SQLite on disk, so your work survives Ctrl-C.
Launch

```sh
vulkro serve               # build UI + run release server, opens browser
vulkro serve --port 9000   # bind to a different port
vulkro serve --no-browser  # don't auto-open
```
Where state lives
| OS | Path |
|---|---|
| macOS | ~/Library/Application Support/Vulkro/vulkro-desktop.db |
| Linux | ~/.local/share/Vulkro/vulkro-desktop.db |
| Windows | %APPDATA%\Vulkro\vulkro-desktop.db |
Schema: SQLite, projects -> scans -> findings -> triage notes.
Tabs
| Tab | What it shows |
|---|---|
| Endpoints | Filterable, sortable table of every detected endpoint with auth status, framework, source location. |
| Findings | Master list. Group by severity, OWASP category, file, or owner. |
| Privacy | PII / PHI fields per endpoint, mapped to GDPR / HIPAA controls. |
| Access control | IDOR / BOLA / function-level findings, grouped by route. |
| CSRF | CSRF-related findings + missing token middleware. |
| Injection | SQLi / XSS / SSTI / command injection grouped together. |
| IaC | Findings on Terraform, Helm, k8s manifests, Dockerfile, docker-compose. |
| Dependencies | CVE matches, KEV/EPSS decoration, reachability tags. |
| Secrets | Hardcoded secrets (current tree). |
| Git history | Secrets ever committed (last 500 commits / 2 yrs). |
| Containers | Output from vulkro container runs. |
| Licenses | Package-licence inventory + flagged copyleft / unknown licences. |
| OpenAPI | Score against the inferred spec; gaps and inconsistencies. |
| Compliance | Pass/fail per control across the nine frameworks. |
| Trends | Risk-score, finding-count, MTTR, risk-debt over saved scans. |
| Hotspots | Sortable heatmap of churn x risk per module. |
| Contributors | Top contributors, bus factor per module, ownership coverage. |
| Compare scans | Per-finding delta between two scans of the same project. |
| Code quality | Complexity, duplicates, dead code, coverage. |
| CVE Database | Per-ecosystem CVE record counts; Quick Sync, Apply Bundle. |
Triage workflow
Every finding can be marked one of:

- triaged - looked at, not yet decided.
- accepted-risk - known issue, deliberately won't fix.
- false-positive - not a real bug.
- wont-fix - real but de-prioritised.
Triage state persists across scan runs: findings are matched by a stable
finding_key, so a finding you have already dispositioned does not come back
as new on the next scan. Bulk-triage from the FilterBar, or export the
decisions to a vulkro-suppress.yaml so triage lives in source control
alongside the code.
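As an added example of the matching this describes (not vulkro's own code), a Go sketch of the three pieces: a stable key derived from rule id, file path and whitespace-normalized snippet (an assumed construction; the page does not say how vulkro computes finding_key), a store that hides decided findings on a later scan while leaving merely "triaged" ones visible, and a vulkro-suppress.yaml export whose layout is likewise assumed. The Finding and Triage types and the sample findings are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one scanner result (assumed shape, not vulkro's own type).
type Finding struct {
	Rule    string // rule id, e.g. "sqli.format-string"
	File    string // repo-relative path
	Snippet string // the flagged source line
	Line    int    // shifts between scans, so deliberately not part of the key
}

var wsRe = regexp.MustCompile(`\s+`)

// FindingKey hashes rule id, file path and the whitespace-normalized snippet.
// One plausible construction; the page does not say how vulkro derives finding_key.
func FindingKey(f Finding) string {
	norm := strings.TrimSpace(wsRe.ReplaceAllString(f.Snippet, " "))
	sum := sha256.Sum256([]byte(f.Rule + "\x00" + f.File + "\x00" + norm))
	return hex.EncodeToString(sum[:8])
}

// Triage is the persisted decision for one finding_key.
type Triage struct {
	State  string // triaged | accepted-risk | false-positive | wont-fix
	Reason string
}

var validStates = map[string]bool{
	"triaged": true, "accepted-risk": true, "false-positive": true, "wont-fix": true,
}

// Store maps finding_key to its decision (SQLite in the console; a map here).
type Store map[string]Triage

// Mark records a decision, rejecting anything outside the four console states.
func (s Store) Mark(f Finding, state, reason string) error {
	if !validStates[state] {
		return fmt.Errorf("unknown triage state %q", state)
	}
	s[FindingKey(f)] = Triage{State: state, Reason: reason}
	return nil
}

// Apply partitions a fresh scan into findings to show and findings hidden by an
// earlier decision. "triaged" means looked at, not decided, so those still show.
func (s Store) Apply(scan []Finding) (show, hidden []Finding) {
	for _, f := range scan {
		if t, ok := s[FindingKey(f)]; ok && t.State != "triaged" {
			hidden = append(hidden, f)
		} else {
			show = append(show, f)
		}
	}
	return show, hidden
}

// ExportSuppress renders decided entries as YAML (assumed layout; the page
// names vulkro-suppress.yaml but not its schema). Sorted so diffs stay small.
func (s Store) ExportSuppress() string {
	keys := make([]string, 0, len(s))
	for k := range s {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("suppressions:\n")
	for _, k := range keys {
		if t := s[k]; t.State != "triaged" {
			fmt.Fprintf(&b, "  - finding_key: %s\n    state: %s\n    reason: %q\n", k, t.State, t.Reason)
		}
	}
	return b.String()
}

func main() {
	// Constructed sample: the second scan re-indented the SQLi line, moved both
	// findings down ten lines and introduced one new finding.
	sqli := Finding{"sqli.format-string", "api/users.py", `cur.execute("SELECT * FROM users WHERE id=%s" % uid)`, 42}
	secret := Finding{"secrets.generic", "config/dev.py", `API_TOKEN = "example-not-a-real-token"`, 3}
	store := Store{}
	_ = store.Mark(secret, "false-positive", "placeholder token in dev fixtures")
	_ = store.Mark(sqli, "triaged", "")
	second := []Finding{
		{sqli.Rule, sqli.File, "\t" + sqli.Snippet, 52},
		{secret.Rule, secret.File, secret.Snippet, 13},
		{"xss.reflected", "api/search.py", `return f"<p>{q}</p>"`, 9},
	}
	show, hidden := store.Apply(second)
	fmt.Printf("show=%d hidden=%d\n", len(show), len(hidden)) // show=2 hidden=1
	fmt.Print(store.ExportSuppress())
}
```

The key deliberately leaves the line number out and collapses whitespace, so the moved and re-indented SQLi line still matches its earlier entry; the new XSS finding has no entry and shows up as new. Only decided states reach the export, since a "triaged" entry is a bookmark, not a suppression.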
Re-scan
The console exposes a Re-scan button that triggers POST /api/scan
on the embedded server. Useful while iterating - make a code change,
hit Re-scan, see the deltas without leaving the browser.
Quick Sync (CVE Database tab)
Clicking Quick Sync runs the same path as vulkro update (CDN
fetch, signature verify, atomic apply). Useful when your CI dropped the
bundle and you want fresh CVE data without leaving the browser.
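What "signature verify, atomic apply" has to mean in practice, as an added example in Go that is not vulkro's own code: the bundle is checked with Ed25519 against a pinned publisher key before any write, then written to a temp file in the destination directory, fsynced and renamed into place, so the on-disk database is never observed half-updated or unverified. ApplyBundle, SignedFixture, the key pair and the bundle bytes are constructed for the example; the real update path's key, bundle format and signature scheme are not documented on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrBadSignature is returned before a single byte reaches disk.
var ErrBadSignature = errors.New("bundle signature does not verify against the pinned publisher key")

// ApplyBundle verifies sig over bundle with the pinned key, then installs the
// bundle at dest atomically: temp file in dest's directory, fsync, rename.
// A reader of dest sees either the old bundle or the complete verified new
// one, never a partial or unverified file.
func ApplyBundle(dest string, bundle, sig []byte, pub ed25519.PublicKey) error {
	// ed25519.Verify panics on a malformed key, so check the length first.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, bundle, sig) {
		return ErrBadSignature
	}
	tmp, err := os.CreateTemp(filepath.Dir(dest), ".cve-bundle-*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // no-op after a successful rename; cleans up on any failure
	if _, err := tmp.Write(bundle); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil { // data must be durable before the rename is visible
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, dest) // atomic replacement within one filesystem
}

// SignedFixture builds a constructed bundle plus detached signature from a
// freshly generated key pair, standing in for the CDN fetch. A real client
// would verify against a key shipped with the binary, not one made at runtime.
func SignedFixture() (bundle, sig []byte, pub ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle = []byte(`{"ecosystem":"npm","records":3}` + "\n")
	sig = ed25519.Sign(priv, bundle)
	return bundle, sig, pub
}

func main() {
	bundle, sig, pub := SignedFixture()
	dir, err := os.MkdirTemp("", "vulkro-cve-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	dest := filepath.Join(dir, "cve-bundle.json")

	fmt.Println("good bundle:", ApplyBundle(dest, bundle, sig, pub)) // <nil>

	// Same signature, altered payload: rejected, and dest is left untouched.
	tampered := []byte(`{"ecosystem":"npm","records":9}` + "\n")
	fmt.Println("tampered bundle:", ApplyBundle(dest, tampered, sig, pub))

	got, _ := os.ReadFile(dest)
	fmt.Printf("on disk: %s", got) // still the verified bundle
}
```

Two details carry the guarantee: verification happens before the first write, and the temp file is created in dest's own directory, because rename is only atomic when source and target sit on the same filesystem.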
Related
- vulkro serve
- Baselines explained - when the UI's baseline-scan flag applies vs the CLI's
  .vulkro-baseline.json file, and how the Export-for-CI button bridges the two.