Skip to main content

Vulkro for open-source maintainers.

If you maintain an open-source project, you already know the shape of the problem: the code is public, the time is not, and the commercial scanners either price by contributor count, keep their free tiers shallow on purpose, or lock you to one CI provider. Vulkro's answer is direct: maintainer teams of active open-source projects are issued full licenses at no charge, on request. The honest trade is that Vulkro itself is closed source and requires an account; what is public is the benchmark harness, the methodology, and the ground-truth corpus, so you can verify the scanner before you ask.

How it works: the scanner requires an account, and a 14-day trial of the full product starts on your first login. After that, active maintainer teams of meaningful OSS projects get a license at no charge, on request (see Maintainer licenses below). No contributor-count cap, no CI lock-in, unlimited repos.

What you get

CapabilityVulkro
Languages (deep analysis: endpoints + cross-file taint)JavaScript, TypeScript, Python, Go, and Java (Spring, newly added)
Dependency CVEs (SCA)npm, PyPI, Go, Cargo, Maven; signed offline bundle (OSV + NVD + CISA KEV + EPSS)
FrameworksFastAPI, Flask, Django, Express, Fastify, NestJS, Next.js, gRPC, GraphQL, Gin, Echo, and more
OWASP API Top 10Yes
Supply chain catalogCompromised release detection (event-stream, ua-parser-js, xz-utils, the Axios March 2026 incident, others)
Secrets scanningYes, with entropy + provider-family regex
Auth / IDOR / injection / mass-assignmentYes
Output formatsTable, JSON, NDJSON, SARIF, gh-pr inline comments
CVE bundle updatesSigned offline bundle, kept current
MCP host audits + extension auditsYes
vulkro respond incident responseYes
vulkro scan-mcp-server MCP server scanYes
Unlimited reposYes

The same license also carries the deep detector packs (and new packs as they ship), compliance evidence, portfolio, and the heavy output formats (CycloneDX, SPDX, CBOM, PDF, RoPA). There is one product, not a tier ladder: the trial and the issued license both cover everything above.

GitHub Actions in 8 lines

name: vulkro
on: [pull_request, push]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: curl -fsSL https://install.vulkro.com | sh
- run: vulkro scan --format sarif --output vulkro.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vulkro.sarif

That posts findings to the GitHub Code Scanning tab, the same surface that CodeQL writes to. Vulkro and CodeQL coexist on different rule sets and either both pass or you triage the delta. The runner needs your Vulkro account connected, same as any machine that scans; the install guide covers connecting the CLI, including the license-file route that suits CI.

Baseline + ratchet for legacy projects

A 10-year-old repo will not pass a fresh SAST scan on day one. Vulkro's baseline workflow is built for the retrofit case:

vulkro scan --baseline .vulkro-baseline.json # writes current state
# commit the baseline
vulkro scan --ratchet # only NEW findings fail

After that, contributors only see findings their PR introduces. Existing debt becomes a separate "burn down the baseline" project, on whatever cadence you have time for.

Inline suppressions when you need them

# vulkro:disable[hardcoded-secret] until=2026-08-01 reason="test fixture"
TEST_API_KEY = "sk-test-1234567890"

The until= date is a soft deadline: once it passes, Vulkro keeps honouring the suppression but emits a low-severity suppression-expired finding so you remember to revisit. Same mechanism works for any rule id.

Honest comparison to the alternatives

The depth gap with the free tiers is measurable: on our published corpus, Semgrep CE finds 15 of the 76 catalogued bugs in the languages both tools support, where Vulkro finds 44.

CodeQL is strong and free for public repos, but locked to one CI provider.

VulkroSemgrep CECodeQL via GHASSnyk Open Source
Account requiredYesNoGitHubYes
Cost for OSS$0 (14-day trial, then maintainer license on request)$0 (CE)$0 for public repos$0 (free tier)
Deep-analysis languagesJS, TS, Py, Go, Java (Spring)30+1110+
Catalogued bugs caught (public corpus, 76 bugs)4415n/an/a
Precision on the same corpus0.810.62n/an/a
F1 on the same corpus0.680.30n/an/a
Cross-file taint flowYesPro-tierYesYes
CI provider lock-inNoneNoneGitHub-onlyNone
Supply chain catalogYesPro-tierNoYes

Reproduce the benchmark rows yourself:

bench/comparison/run.sh # regenerates scorecard-latest.md on the public corpus

The corpus is versioned and grows: we grew our own ground truth to 90 catalogued bugs in July 2026 and published the recall drop that came with it. The numbers above regenerate from that one command.

Maintainer licenses

All Vulkro licenses are issued directly by our team, and OSS maintainer teams are issued theirs at no charge. Email hello@vulkro.com with a link to the repo. Active maintainer teams of meaningful OSS projects get licenses for free.

Install · Benchmark · CLI reference