Skip to main content

Vulkro vs Semgrep

If you are choosing a security scanner for a codebase that AI assistants now write much of, two questions come before any feature list: where does your code go when the tool runs, and does the tool give the same answer twice. This page compares Vulkro and Semgrep on both, then on a published benchmark you can rerun.

Two things separate Vulkro from Semgrep CE, and they are the two things this page leads with:

  1. Your source code never leaves your machine. Vulkro is a single binary and every scan runs locally. No upload, no cloud step, ever; the only thing that crosses the wire is a minimal account entitlement check that never sees code or findings.
  2. It beats Semgrep CE on a published, reproducible benchmark. On our published corpus Vulkro found 2.9x more catalogued bugs than Semgrep CE (44 vs 15) at higher precision (0.81 vs 0.62), in less total scan time (34.4s vs 38.6s). The harness, the corpus, and the scoring code are all public, so you can re-run it yourself.

Semgrep is the most widely deployed static analysis tool in its space. It's well-engineered, has thousands of community rules, and runs in pre-commit hooks across half the ecosystem. The honest framing is that the two tools target different points in the build / privacy / accuracy trade-space. This page makes the distinction concrete.

At a glance

VulkroSemgrep CESemgrep AppSec Platform
License14-day trial on first sign-in; licenses issued directly by our teamFree (LGPL 2.1)SaaS, per-developer subscription
Runs whereYour machineYour machineYour machine OR Semgrep cloud
Source code uploadedNeverNot in CEWhen using cloud features (configurable)
Deep-analysis languagesJavaScript/TypeScript, Python, Go, and Java (Spring, new)Many languages, single-file scopeMany languages (Pro engine)
Cross-file analysisYesNo (single-file scope)Yes (Pro engine)
TelemetrySix usage fields: product, install id, version, operating system, timestamp, and a scan counter. Never code or findingsOpt-out anonymous usageYes, in cloud tier
Rule authoringYAML (regex or AST mode)YAML (code-like patterns)Same as CE + cloud-managed packs
Custom-rule reuseSemgrep YAML import shimNativeNative
CVE / SCA matchingLocal CVE bundle (OSV+NVD+KEV+EPSS)Separate semgrep supply-chain tierCloud-side
OWASP API Top 10 coverageAll 10 + LLM 01/06Community rules; coverage variesSame + curated packs

Benchmark numbers

Measured on our published corpus, July 2026: 15 deliberately vulnerable public codebases with 90 catalogued bugs, of which 76 sit in the languages the benchmarked release analyzes deeply (JS/TS, Python, Go). Scored at Vulkro's default high-confidence setting. Same machine, same pinned commits, same scoring for every tool.

VulkroSemgrep CE 1.136.0
Catalogued bugs found (of 76)4415
Precision (how few false alarms)0.810.62
Recall (how many real bugs found)0.580.20
F1 score (overall accuracy)0.680.30
Total scan time34.4s38.6s

One honesty note: in July 2026 we grew our own ground truth from 69 to 90 catalogued bugs and published the recall drop that came with it. The corpus is versioned and the numbers regenerate from one command.

$ bench/comparison/run.sh --tier1 --tools vulkro,semgrep  ·  scores: bench/comparison/scorecard-high.md

The harness (bench/comparison/) and the ground-truth corpus (bench/comparison/groundtruth/) are public, so the numbers above are not vendor claims: clone the corpus, run the same commands, and get the same figures. The locked numbers matching each release are published in the product changelog.

The architectural distinction

The split between Vulkro and Semgrep CE is where the analysis runs and what data leaves the machine:

  • Vulkro: detection engine + CVE bundle live on the same machine that holds the source. VULKRO_OFFLINE=1 enforces this at the process boundary (air-gapped machines pair it with a license file). The default network calls are vulkro update (signed bundle fetch from dist.vulkro.com) and a daily entitlement check that carries six usage fields (product, install id, version, operating system, timestamp, and a scan counter), never code.
  • Semgrep CE: same posture in default mode. Source stays local. The CE binary doesn't phone home for findings, only for opt-out anonymous usage telemetry.
  • Semgrep AppSec Platform: source can be uploaded to Semgrep's cloud for the cross-file Pro engine to run, the AI Assistant to triage, or the Supply Chain database to match against. Read Semgrep's terms before pointing the Pro engine at a repo with customer data.

The split between Vulkro and Semgrep AppSec Platform is a licensed engine with a public benchmark vs SaaS-managed detectors with vendor-published claims. Vulkro ships the benchmark harness (bench/comparison/) and the ground-truth corpus (bench/comparison/groundtruth/); anyone can reproduce the precision / recall numbers. Semgrep's curated detection rules are managed in the cloud and not externally verifiable to the same degree.

Where Semgrep wins

Concessions first, because they are real:

  • The rule ecosystem is much bigger. Thousands of community and registry rules against Vulkro's built-in detector set plus a strict YAML import shim. If your detection profile is dominated by language-specific conventions (Python null-check patterns, JS async-handler idioms), Semgrep's community packs have coverage Vulkro does not.
  • Custom rule authoring is its core strength. Semgrep's code-like pattern syntax is the best rule-writing experience in the category. Vulkro's custom rules are narrower (regex or AST mode).
  • More languages. Semgrep parses far more languages than Vulkro's deep-analysis set (JavaScript/TypeScript, Python, Go, and Java (Spring)).
  • It already runs everywhere. If your team has invested in Semgrep CI wiring and authored rules, that investment is a real switching cost.

When to pick Vulkro

  • Your data-handling policy or contract forbids source upload to any third party, including for "evaluation" or "optional cloud features" tiers.
  • You want CVE / SCA coverage in the same scan as SAST (one binary, one report, one CI step).
  • You need cross-file taint flow as a default (no separate Pro engine to enable).
  • You want the OWASP API Top 10 + LLM Top 10 (LLM01 / LLM06) out of the box.
  • You want a vendor on the hook without a per-developer seat count. Create an account and your first CLI sign-in starts a 14-day trial of the full product; Vulkro is licensed per seat, directly through our team, at hello@vulkro.com.

Migration: bring your Semgrep rules to Vulkro

vulkro rules import-semgrep ./semgrep-rules.yaml translates a strict subset of Semgrep YAML into Vulkro's CustomRule format. Field-level translation:

  • id, message, languages, fix → direct
  • severity: INFO → low, WARNING → medium, ERROR → high
  • metadata.cwe → vulkro cwe
  • pattern: best-effort regex translation ($IDENT.+?, ....*)

Compound shapes (pattern-either, pattern-not, patterns: AND-composition) are skipped with a per-rule stderr warning naming the unsupported feature. The full supported grammar is documented in the product changelog.

Try both side by side

# In your project root:
vulkro scan . --format sarif > vulkro.sarif
semgrep --config p/owasp-top-ten --sarif --output semgrep.sarif

# Diff in your favourite SARIF viewer.

Both tools emit SARIF; GitHub Code Scanning ingests either format. The split-and-compare workflow is the fastest way to see whether Vulkro's defaults match your codebase before you commit to a license.

See also: Vulkro vs Bearer, Vulkro vs Snyk, Vulkro vs Trivy, Compare the scanners, Safety, CVE bundle changelog.