MANIFESTO // WHY THIS EXISTS
Why your codestays on your laptop.
Why we built a security scanner with no AI inside it, for code written almost entirely by AI.
Vulkro exists because every other code-security scanner wants your code on their server. The cloud scanners upload it. The paid tiers of open-source scanners pull it through their cloud. The big enterprise vendors sell you a private instance and then ship telemetry by default with a checkbox buried two settings menus deep.
Your code is full of half-finished ideas, embarrassing comments, customer names in test fixtures, and secrets nobody has rotated yet. None of that needs to live on someone else's hard drive. Not for a free tier, not for a per-seat-per-month tier, not for the privilege of seeing a fraction of the bugs.
So Vulkro is a command-line tool. It reads your code on your machine and your code never leaves it. One scanner covers what a developer needs to ship safely and what regulated teams pay for: the OWASP API top 10, vulnerable dependencies, leaked secrets, broken auth, injection, the MCP and editor extension audits, CI-friendly output for GitHub Code Scanning, audit-ready compliance reports, a portfolio view across many projects, deep detection packs, and live API probing. It requires an account, and a 14-day trial of the full product starts on your first login. Vulkro is licensed per seat, directly through our team: write to hello@vulkro.com and we set you up. The benchmark is public, the methodology is documented, and you can run the full product for 14 days before deciding.
SECTION 01 // THE DEFAULT
Why offline is the only acceptable default.
Three things happen when a security scanner takes your code into their cloud. First, you are trusting their network security, their employee access controls, and their incident response. Second, you are producing analysis reports that live on their disks indefinitely, which becomes a problem if your customers sue you and that data ends up in discovery. Third, you are feeding their training data, whether or not they are running an AI model today.
None of these are theoretical. The 2021 Codecov breach took CI secrets out of thousands of repositories because a build plugin shipped credentials to a vendor by default. The 2024 Snowflake breach showed that one compromised vendor credential unlocks every customer's data at once. Cloud security tools concentrate risk. They do not reduce it.
The argument for a cloud scanner is convenience. "We do the heavy lifting for you." The honest version is that the vendor needs your code on their servers to bill you for compute and to train next year's product. If the heavy lifting actually had to happen on a remote server, none of the offline scanners (Bearer, Semgrep CE, Brakeman, Bandit) would work.
Vulkro runs on a laptop. The benchmark runs end to end from one command against pinned commits; the scored head-to-head covers 12 in-scope repositories (JavaScript, TypeScript, Python, Go) with 76 catalogued bugs, out of a 15-repo, 90-bug corpus. There is no heavy lifting that requires a data centre.
SECTION 02 // VERIFY IT YOURSELF
What we don't collect, and how to verify it.
Vulkro never collects your code, file names, paths, or findings. No error reports, no feature analytics, no "anonymous opt-in" anything. The daily entitlement check that keeps your login's lease fresh carries exactly six usage fields: product, install id, version, operating system, timestamp, and a scan counter. The other automatic call is a once-per-day update check, which you can turn off with VULKRO_NO_UPDATE_CHECK=1. Other network paths (the CVE database refresh, optional live secret validation, live probing, and webhooks) are explicit and off unless you ask for them. VULKRO_OFFLINE=1 hard-refuses all of them; pair it with a license file and the scanner runs with no network at all.
You don't have to trust this. The binary is statically linked. Run it under strace, dtrace, or your favourite sandbox and watch exactly what it does. The default update check only reaches out when the cache is older than 24 hours, and it soft-fails after a 2-second timeout.
VULKRO_OFFLINE=1 removes even that call. With the variable set, vulkro refuses every outbound network operation and returns an error rather than silently fall back to anything.
$ VULKRO_OFFLINE=1 vulkro scan .
[ok] offline mode enforced
[ok] CVE bundle: ~/.vulkro/cve-bundle/ (signed, verified)
[ok] no outbound network calls permittedSECTION 03 // HUMANS
Built and supported by humans.
The codebase is roughly 60,000 lines of Rust on tree-sitter. The CVE bundler is a separate Python pipeline. The detectors, the signing infrastructure, the docs, and the website are all maintained by the Vulkro team.
What that means in practice: when you email support@vulkro.com, a human reads it. Reply time is usually a day, sometimes faster. There is no Tier 1 routing through a partner support contractor. There is no chatbot. If an answer needs a deeper look, we will tell you, not stall you.
SECTION 04 // COMMITMENTS
What we commit to.
- The benchmark stays public. Methodology, labelled examples, scoring code. Re-run any time. If our catch rate or false-positive rate gets worse between releases, file an issue and we will fix it or document why. The detectors themselves are closed (that is the product); the proof that they work is not.
- Breaking changes get a deprecation window. A CLI flag, a config key, or a JSON field doesn't disappear without a release of warnings.
- Your scan content stays yours, ever. This is the one commitment we will not negotiate. The scanner never transmits code, file names, paths, or findings; the entitlement check is limited to six usage fields (product, install id, version, operating system, timestamp, and a scan counter) and there is no "anonymous opt-in" expansion on the roadmap.
- No surprise charges. There is no self-serve checkout: licenses are issued directly by our team, on terms you agree to explicitly. Nothing auto-bills you, and when a license or trial lapses the CLI prints a one-line note and asks you to renew through us; your reports, scan history, and configuration stay on your machine.
SECTION 05 // ROADMAP
And where we're going.
There is an enterprise path on the roadmap, with private rule packs, air-gapped license servers, on-premise CVE mirroring, and SSO. It is still a plan. The shape will be "a heavier license you renew yourself" not "a SaaS console", because nothing about the core product changes when a larger team buys it. If your team needs any of that today, email contact@vulkro.com and we'll figure out what works in the meantime. No upsell, no spam, just an honest conversation.
SECTION 06 // CONTACT
How to reach us.
Newsletter, for the weekly CVE + release digest: vulkro.substack.com
Substack Chat, for in-between threads and live questions: vulkro.substack.com/chat
Reddit, for public Q&A and scan-result discussion: reddit.com/r/vulkro
Bug reports, install help, "I think this finding is wrong": support@vulkro.com
Sales, custom quotes, air-gapped deployments: contact@vulkro.com
License transfers, invoices, refund questions: billing@vulkro.com
No web form. No AI. No chatbot. Email and the chat threads are the API.