Skip to main content

Your HIPAA, fintech, or legal code never leaves your machine.

Teams in regulated industries now merge AI-written code into the systems a regulator, an auditor, or a customer security review will examine, and none of them care who or what wrote the line. What they ask for is evidence that the code handling regulated data was reviewed for security before release. Vulkro produces that evidence on your machine, without your codebase or your findings ever leaving it.

Healthcare, financial services, legal-tech, and any team handling regulated data has a structural problem with cloud-first SAST. Uploading source code (which by definition references your data models, your access-control logic, and your customer-specific business rules) to a vendor cloud is a data-handling event that your security team, your auditors, and your customers' DPAs will all flag.

The current options are usually:

  • Pay enterprise prices for SaaS scanners with a "broker proxy" that mitigates some of the upload while keeping the SaaS control plane.
  • Self-host SonarQube, Semgrep Cloud, or CodeQL with all the operational cost (infrastructure, upgrades, on-call).
  • Skip SAST and hope the next pen test catches it.

Vulkro is the fourth option: a single static binary that runs on your laptop or your CI runner, never phones home, and produces the compliance evidence your auditor wants to see.

What "offline" means here

PropertyVulkroTypical cloud SAST
Source code uploadedNeverYes (some offer encrypted retention)
TelemetrySix usage fields, never code or findingsMandatory, account-scoped
Account requiredYes, but it never sees your codeYes
LLM in the scannerNoneIncreasingly common
Network at scan timeNot required (scan is local; air-gap supported via license file)Required
VULKRO_OFFLINE=1 enforces zero netYesn/a
Air-gapped CVE bundle deliveryAvailableLimited
Vendor SOC 2 + DPA neededNo (source code never shared)Yes

The detection engine and the CVE bundle live in the binary. No proxy, no broker, no encrypted tunnel to "scan in the cloud securely." There is nothing in the cloud to scan against.

Compliance mapping and signed evidence packs

Two levels here, both useful at audit time. The 14-day trial and the issued license cover both.

vulkro compliance --profile <name> maps your scan findings to the controls of a published framework. Supported profiles (run vulkro compliance --help for the live list):

  • soc2, iso27001, hipaa (Annex A / Security Rule / Trust Service Criteria)
  • pci (PCI DSS Requirements 6 and 11)
  • nist-ssdf, nist-800-53, stateramp
  • gdpr (Article 30 Record-of-Processing alignment)
  • owasp-asvs, cis, cwe-top25

The output is a control-by-control breakdown showing which findings touch which control. Useful pre-audit to know where the gaps are.

vulkro compliance-pack --framework <name> renders a signed evidence pack for SOC 2, ISO 27001, or HIPAA. The pack is the artefact you hand to an auditor: control-by-control, with findings cross-referenced, signed so the auditor can verify the report was generated against a specific commit.

Separate: GDPR Record of Processing. vulkro scan --format ropa-html (and --format ropa-md) renders an Article 30 RoPA template populated from the scan's data-flow lineage. Sits alongside the compliance mapping rather than under it.

Air-gapped deployments

For classified, defense, or fully air-gapped environments:

  • The binary is reproducible-builds-friendly (signed releases, hash-pinnable).
  • VULKRO_OFFLINE=1 refuses any network operation, including CVE bundle update checks.
  • CVE bundles ship as signed .vkbundle files you can sneakernet in on a fresh schedule.
  • The Web UI desktop console runs entirely on localhost; no outbound connection.

See the air-gap docs for the full deployment recipe.

Industries we hear from

Healthcare and HIPAA covered entities. EHR vendors, telehealth platforms, billing software, HIPAA-business-associate SaaS. The audit conversation is always "where does the PHI flow." Vulkro's PII and PHI detection plus the data-flow lineage feature gives you that map without uploading the code to a vendor cloud.

Fintech and PCI DSS merchants. Cardholder data flow scoping, crypto weakness audit, hardcoded secret detection, callout-credential review. The PCI DSS 4.0 mapping ships in the scanner.

Legal-tech and attorney-client confidentiality. Doc-review platforms, matter management, e-discovery, litigation analytics. The same property that helps healthcare (no upload) is even more pointed here, where attorney-client privilege is at stake.

Defense and classified environments. Single binary, reproducible, air-gappable (a license file replaces the online account check, and nothing about your code ever leaves the machine). See the air-gap docs.

Salesforce in regulated industries. Healthcare on Health Cloud, fintech on Financial Services Cloud, patient-segment campaigns in Marketing Cloud, regulated data bridged into Postgres via Heroku Connect, and Wave dashboards exposing PII via CRM Analytics are all covered by the separate Vulkro for Salesforce product (the vulkro-sf binary), not the general vulkro scanner. See the Vulkro for Salesforce docs.

Honest scope

Vulkro is a static analyzer, not a certification and not an auditor. The compliance output maps code-level findings to published control frameworks; it does not attest organizational, physical, or process controls, and a clean scan does not make you compliant on its own. It is also not a pentest or a WAF: it reads code, it does not probe or protect running systems.

Licensing

The scanner requires an account, and a 14-day trial of the full product (including the compliance packs: HIPAA, PCI DSS, SOC 2, ISO 27001, NIST 800-53, GDPR RoPA) starts on your first login. Vulkro is licensed per seat, directly through our team, including multi-machine and air-gapped deployments: hello@vulkro.com.

Read the manifesto for the "we never see your code" decision. See the benchmark for reproducible detection numbers.