
Built by a developer, for developers

Find vulnerabilities without uploading your code.

A command-line security scanner that runs on your laptop. Catches broken access, leaked credentials, vulnerable dependencies, and risky infrastructure - locally, in seconds, with no account.

  • Code
  • Secrets
  • Dependencies
  • Supply chain
  • MCP / agents
  • Containers
  • IaC
  • Compliance
  • Privacy
  • Runtime

Four things we picked, on purpose

Offline. Honest. Fast. Auditable.

Every SAST tool makes tradeoffs the vendor decided for you. Here are ours, on the front page, so you can decide before you install.

01. Offline

Your code stays on your machine. No cloud upload, no telemetry, no LLM. One signed CVE bundle is the only outbound call, and VULKRO_OFFLINE=1 refuses even that.

02. Honest

Public benchmark, reproducible scoring, documented misses. We tell you which detector packs ship off by default because they are noisy. File an issue on a misfire and one developer reads it.

03. Fast

104 seconds to scan a 13-repo benchmark corpus on a laptop. Seconds on a PR diff with vulkro scan --since main. Rust on tree-sitter, no JVM warmup.

04. Auditable

Findings map to nine frameworks: ASVS, OWASP Top 10, PCI-DSS 4.0, SOC 2, HIPAA, GDPR Art. 30, NIST SSDF, ISO 27001, CIS v8. Outputs in SARIF, JUnit, CycloneDX, SPDX, CSV, JSON, HTML, PDF.

How it works

Find it. Then fix it - you or your agent.

  1. Your code (you)

     Local files, any supported language. Nothing leaves your machine.

  2. Run the scan (you or your AI agent)

     You type vulkro scan in your terminal, or Claude / Cursor / Codex runs it for you via the MCP server. Same scanner, same results, same speed.

  3. Detection engine (Vulkro)

     Taint flow, reachability, CVE matching, 120+ rules in Rust. Offline, deterministic, no JVM warmup.

  4. Findings (Vulkro)

     Web UI, SARIF, JUnit, GitHub PR comment, executive HTML, PDF, terminal table, IDE diagnostics. Pick the format your reader speaks.

  5. Fix it (you or your AI agent)

     You read the finding and patch it yourself, or your AI agent reads the structured output and writes the patch for you. Re-run the scan to confirm. Same loop, same scanner.
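The scan-then-fix loop above ends with structured output that a person, an agent or a CI job consumes. As an added example (not Vulkro's own code), here is a small Python CI gate that reads SARIF, one of the listed output formats, skips results the scanner marked suppressed, and fails only on findings that are new relative to a baseline scan of the base branch, so a PR is judged on what it adds. The SARIF documents, rule ids and file paths are constructed samples.

```python
"""SARIF baseline gate: added example, not Vulkro's code.
All SARIF content, rule ids and paths below are constructed samples."""
import json

def result_key(result):
    """Identity of a finding: rule id + file + start line (SARIF 2.1.0 fields)."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    return (result.get("ruleId"),
            loc.get("artifactLocation", {}).get("uri"),
            loc.get("region", {}).get("startLine"))

def active_results(sarif_text):
    """All results across runs, excluding ones the scan marked suppressed."""
    doc = json.loads(sarif_text)
    return [r for run in doc["runs"] for r in run.get("results", [])
            if not r.get("suppressions")]

def gate(pr_sarif, baseline_sarif, fail_levels=("error",)):
    """Return (passed, new_findings). Only findings absent from the baseline
    count, so pre-existing debt does not block an unrelated PR."""
    known = {result_key(r) for r in active_results(baseline_sarif)}
    new = [r for r in active_results(pr_sarif) if result_key(r) not in known]
    blocking = [r for r in new if r.get("level", "warning") in fail_levels]
    return (not blocking, new)

def _res(rule, level, uri, line, suppressed=False):
    """Build one constructed SARIF result object."""
    r = {"ruleId": rule, "level": level, "message": {"text": rule},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": uri},
             "region": {"startLine": line}}}]}
    if suppressed:
        r["suppressions"] = [{"kind": "inSource"}]
    return r

def _sarif(results):
    """Wrap results in a minimal constructed SARIF 2.1.0 document."""
    return json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "example-scanner"}}, "results": results}]})

BASELINE_SARIF = _sarif([_res("EX-SQLI-001", "error", "app/db.py", 40)])
PR_SARIF = _sarif([
    _res("EX-SQLI-001", "error", "app/db.py", 40),                # pre-existing
    _res("EX-SECRET-002", "error", "app/settings.py", 12),        # new: blocks
    _res("EX-HEADER-003", "warning", "nginx/site.conf", 3),       # new: warn only
    _res("EX-XSS-004", "error", "web/view.js", 8, suppressed=True),  # ignored
])

if __name__ == "__main__":
    passed, new = gate(PR_SARIF, BASELINE_SARIF)
    for r in new:
        print(r["level"], *result_key(r))
    print("PASS" if passed else "FAIL")
```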

What it covers

Eight categories of risk. One scan.

One command checks all eight in a single pass. Results go to the systems your team already uses: GitHub PR comments, Slack, Jira, SIEM, and your auditor, in the formats they already understand.

Application bugs

The bug classes responsible for most real-world breaches.

  • Authentication bypass and broken access control
  • SQL injection, command injection, cross-site scripting
  • GraphQL / gRPC / WebSocket vulnerabilities
  • Weak or broken cryptography

Leaked credentials

Hardcoded passwords, API keys, and tokens - including in git history.

  • In source files, config, .env, infrastructure code
  • In your last 500 commits of git history
  • Recognises AWS, GitHub, Stripe, Slack, OpenAI, more
  • Optional validation: is this leaked key still active?

Vulnerable dependencies

Known CVEs in the third-party libraries you ship with.

  • npm, PyPI, Cargo, Go modules, Maven
  • Flags actively-exploited bugs first (CISA KEV)
  • Distinguishes reachable code paths from dead ones
  • Updates ship as signed bundles - no SaaS calls

Container images

CVE scan for the same dependencies inside your Docker images.

  • Works against image references or saved tarballs
  • No Docker daemon required
  • Same prioritisation as application dependencies
  • Suitable for offline / air-gapped CI

Infrastructure misconfigurations

Cloud and Kubernetes settings that quietly create risk.

  • Public databases, overly-permissive IAM, open buckets
  • Kubernetes pods running as root, no resource limits
  • Missing TLS, missing security headers
  • Terraform, Helm, Kubernetes manifests, Compose, nginx, Apache

Compliance evidence

Per-control pass/fail across the frameworks auditors ask about.

  • SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS 4.0
  • NIST SSDF, CIS v8, OWASP ASVS / Top 10
  • Every control links to the underlying code finding
  • Generates evidence packs for your auditor

Personal data flows

Where customer PII and PHI travel through your code.

  • Email, phone, SSN, date of birth, IP, address
  • Healthcare: MRN, diagnosis codes, prescriptions
  • Flags PII in logs and URLs (compliance violations)
  • Generates GDPR Article 30 records automatically

Live attack-surface probes

Optional: confirm static findings against a running service.

  • Authentication bypass and CORS misconfiguration
  • IDOR (one user reads another user's data)
  • JWT, NoSQL, prototype-pollution attack patterns
  • HTTP request smuggling and race conditions

vulkro serve

Beyond the CLI: a full security console.

How does it compare?

Catches 76% of catalogued bugs. Semgrep CE catches 22%.

Also building on Salesforce?

Vulkro for Salesforce: a sibling product, not a side feature.

Built on the same scanner, tuned for Salesforce teams. One offline scan covers your Apex code and the org around it (security hardening, access, third-party Connected Apps, and Agentforce) and produces an AppExchange Security Review readiness report. Connect a live org through your own Salesforce login to check its posture too: nothing is uploaded and the access token never leaves your machine.

  1. Code: Apex SOQL injection, CRUD / FLS, LWC / Aura DOM XSS, Visualforce, Flow system-context DML
  2. Org posture: SecuritySettings hardening, sharing rules, login IP ranges, password policy
  3. Identity: Profile and Permission-set over-privilege, ghost admins, SAML SSO signing
  4. Third-party: Connected App OAuth posture (Drift / Gainsight token-sprawl class)
  5. Agentforce: ForcedLeak (CVSS 9.4) class-bypass detector for GenAiFunction Apex actions

Run it on your code. See what's there.

Install in 60 seconds. 14 days of full Pro, then it drops to Free and keeps running. No card. Reports stay yours either way.