Supported languages and frameworks
Vulkro understands the languages and frameworks listed below at a first-class level: it extracts endpoints, builds the route table, applies framework-aware taint sources / sinks, and maps findings to OWASP API Top 10 categories.
For anything not on this list, Vulkro still runs the language-agnostic passes (secrets, dependency CVEs, IaC, container scanning), but endpoint discovery and reachability gating will be limited.
If your stack is missing, email support@vulkro.com with the framework name and a small example repo — we add coverage based on real demand.
Languages
| Language | Endpoint discovery | Taint analysis | Secrets | Dep CVE |
|---|---|---|---|---|
| Python | Yes | Yes | Yes | Yes |
| JavaScript | Yes | Yes | Yes | Yes |
| TypeScript | Yes | Yes | Yes | Yes |
| Go | Yes | Yes | Yes | Yes |
| Ruby | Yes | Yes | Yes | Yes |
| Java | Yes | Yes | Yes | Yes |
| Kotlin | Yes | Yes | Yes | Yes |
| C# | Yes | Yes | Yes | Yes |
| PHP | Yes | Yes | Yes | Yes |
Secrets scanning (vulkro scan --scope src) and infrastructure
misconfiguration checks work on any text-based file, regardless of
language.
Web frameworks
Python
- FastAPI
- Flask
- Django
- Django REST Framework (DRF)
- Django Ninja
- Starlette
- aiohttp
- Tornado
- Litestar
JavaScript / TypeScript
- Express
- Fastify
- NestJS
- Next.js (App Router and Pages Router)
- Hono
- Koa
- Hapi
- Elysia
- AdonisJS
- tRPC
Go
- net/http
- Gin
- Echo
- Chi
- gorilla/mux
- Fiber
Ruby
- Rails
- Sinatra
- Hanami
Java / Kotlin
- Spring Boot
C# / .NET
- ASP.NET Core
PHP
- Laravel
Cross-cutting
- GraphQL (Apollo, graphql-yoga, Strawberry, graphene)
- gRPC
- WebSocket (ws, Socket.IO, Starlette WebSockets)
- React (client-side surface for XSS and DOM-sink analysis)
- Angular (same)
Package ecosystems for dependency CVE matching
| Ecosystem | Manifest formats |
|---|---|
| npm | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| PyPI | requirements*.txt, pyproject.toml, Pipfile.lock, poetry.lock, uv.lock |
| Maven | pom.xml, build.gradle, build.gradle.kts |
| Go modules | go.mod, go.sum |
| crates.io | Cargo.toml, Cargo.lock |
| RubyGems | Gemfile, Gemfile.lock |
| Packagist | composer.json, composer.lock |
| NuGet | *.csproj, packages.config, packages.lock.json |
Linux distro packages (container scanning)
For vulkro container against Docker images:
- Alpine
- Debian
- Ubuntu
- Rocky Linux
Distro coverage is opt-in because the per-distro CVE feed is large.
Enable it with the container ecosystem flag on vulkro update.
Infrastructure-as-code
Vulkro statically analyses these formats for misconfiguration:
- Terraform (*.tf)
- Kubernetes manifests (*.yaml)
- Helm charts (values.yaml, templates)
- Docker Compose (docker-compose.yml, compose.yaml)
- Dockerfiles
- nginx, Apache (nginx.conf, *.conf)
What "not yet supported" means in practice
If your stack uses a language or framework that is not on the lists above:
- Endpoint discovery will not enumerate your routes automatically.
- Taint analysis will fall back to generic sources / sinks and may miss framework-specific patterns.
- Reachability gating will be less precise — findings tagged as "reachable" are conservatively over-reported rather than missed.
- Secrets, dependency CVE, IaC, and container scans are unaffected and continue to work.
The honest read: Vulkro is most accurate on the stacks listed here. We add new frameworks every release based on what paying customers ship.