Supported languages and frameworks
Vulkro does full source analysis on the languages below: it extracts endpoints, builds the route table, reads the access-control model, maps findings to OWASP API Top 10 categories, applies framework-aware taint tracking, and matches dependencies against a local CVE bundle. Everything runs offline.
Tiers
Language depth is split across the Free and Pro tiers. Because your first
vulkro login starts a 14-day trial of the full product, every language below
is available during the trial. See Accounts.
| Tier | Languages with full source analysis |
|---|---|
| Free | Python, JavaScript, TypeScript, Go |
| Pro | adds Java / Spring, Ruby, Kotlin, C#, PHP |
| Salesforce | Apex, Lightning Web Components, Aura, Flow, Visualforce, metadata - the separate Vulkro for Salesforce product (vulkro-sf) |
Java and Spring have first-class support: endpoint extraction, access-control extraction from annotations and the security filter chain, 30 dedicated Java detectors, cross-method taint, and Maven dependency-CVE matching. See the Java and Spring page.
Capability matrix
| Language | Endpoint discovery | Access model | Interprocedural taint | Dedicated detectors | SCA ecosystem |
|---|---|---|---|---|---|
| Python | Yes | Yes | Yes | Yes | PyPI |
| JavaScript / TypeScript | Yes | Yes | Yes | Yes | npm |
| Go | Yes | Yes | Yes | Yes | Go modules |
| Java / Spring | Yes | Yes | Yes (same-file) | Yes (30) | Maven |
Interprocedural taint for Python, JavaScript, TypeScript, and Go follows the project call graph, including across files (bounded depth). Java taint follows same-file call chains; it does not yet cross file boundaries. See Taint analysis.
For any stack not listed above, Vulkro still runs the language-agnostic passes (secrets, infrastructure-as-code, container scanning, and dependency-CVE matching wherever the manifest is one of the parsed ecosystems below), but framework-aware endpoint discovery and taint tracking depend on first-class support. If your stack is missing, email support@vulkro.com with the framework name and a small example repo and we add coverage based on real demand.
Web frameworks
Python
FastAPI, Flask, Django, Django REST Framework (DRF), Django Ninja, Starlette, aiohttp, Tornado, Litestar.
JavaScript / TypeScript
Express, Fastify, NestJS, Next.js (App Router and Pages Router), Hono, Koa, Hapi, Elysia, AdonisJS, tRPC.
Go
net/http, Gin, Echo, Chi, gorilla/mux, Fiber.
Java / Spring
Spring MVC and Spring WebFlux (@GetMapping / @PostMapping / @PutMapping /
@DeleteMapping / @PatchMapping / @RequestMapping, class-level base paths
included) and JAX-RS (@Path with @GET / @POST / @PUT / @DELETE /
@PATCH / @HEAD / @OPTIONS). See Java and Spring.
Salesforce
Salesforce (Apex, Lightning Web Components, Aura, Flow, Visualforce, and
metadata) is covered by the separate Vulkro for Salesforce
product (the vulkro-sf binary), not by this scanner. See the
Vulkro for Salesforce docs.
Cross-cutting
- GraphQL (Apollo, graphql-yoga, Strawberry, graphene)
- gRPC
- WebSocket (ws, Socket.IO, Starlette WebSockets)
- React (client-side surface for XSS and DOM-sink analysis)
- Angular (same)
Package ecosystems for dependency-CVE matching
| Ecosystem | Manifests parsed | Resolved version from | Status |
|---|---|---|---|
| npm | package.json | package-lock.json | Parsed |
| PyPI | requirements*.txt, Pipfile, pyproject.toml | poetry.lock, Pipfile.lock | Parsed |
| Go modules | go.mod | go.mod (MVS) | Parsed |
| crates.io | Cargo.toml | Cargo.lock (manifest dir or workspace root) | Parsed |
| Maven | pom.xml (<dependencies>) | <version> / <properties> (no parent-POM / BOM) | Parsed |
| Gradle | build.gradle, build.gradle.kts | - | Not yet |
| RubyGems | Gemfile, Gemfile.lock | - | Not yet |
| Packagist | composer.json, composer.lock | - | Not yet |
| NuGet | *.csproj, packages.config | - | Not yet |
Maven (pom.xml) is parsed for CVE matching, so a Java / Spring project gets
dependency coverage on top of its source analysis. Gradle dependency
declarations are not yet parsed: a Gradle project is still detected as Java and
scanned for code, but its build.gradle dependencies do not produce CVE
findings. Cargo (Rust) and crates.io are dependency-CVE only - they broaden
supply-chain coverage without adding Rust source analysis.
The live OSV lookup covers every Parsed ecosystem. Fully offline
(VULKRO_OFFLINE=1) matching additionally needs that ecosystem's file in the
local CVE bundle; the default bundle ships npm + PyPI, and a wider bundle can
be built to include Go, Maven, and crates.io. Go, Cargo, and Maven findings are
not in the reachability call-shape set, so they are emitted without a
[reachable] / [unreachable] tag. Secrets, IaC, and container scanning run
on every repo.
Linux distro packages (container scanning)
For vulkro container against Docker images: Alpine, Debian, Ubuntu, Rocky
Linux. Distro coverage is opt-in because the per-distro CVE feed is large;
enable it with the container ecosystem flag on vulkro update.
Infrastructure-as-code
Vulkro statically analyses these formats for misconfiguration:
- Terraform (
*.tf) - Kubernetes manifests (
*.yaml) - Helm charts (
values.yaml, templates) - Docker Compose (
docker-compose.yml,compose.yaml) - Dockerfiles
- nginx, Apache (
nginx.conf,*.conf)
Secrets scanning (vulkro scan --scope src) and infrastructure
misconfiguration checks work on any text-based file, regardless of language.
What "not yet supported" means in practice
If your stack uses a language or framework that is not on the lists above:
- Endpoint discovery will not enumerate your routes automatically.
- Taint analysis will fall back to generic sources / sinks and may miss framework-specific patterns.
- Reachability gating will be less precise: findings tagged reachable are conservatively over-reported rather than missed.
- Secrets, dependency-CVE, IaC, and container scans are unaffected and continue to work.
The honest read: Vulkro is most accurate on the stacks listed here. We add new frameworks every release based on what paying customers ship.