Skip to main content

Static analysis for the AI-PR era.

AI assistants now write a real share of the code that lands in production. The diffs are bigger, the review attention per line is thinner, and the security bugs cluster in recognizable shapes: the endpoint that never got its auth middleware, the findById(req.params.id) with no ownership check, the User.create(req.body) with no allowlist, the taint flow whose sink looks safe in isolation because the source lives in a file the assistant generated three turns ago.

None of that is an argument against the assistant. It is an argument for a deterministic security layer that sits in the same loop, keeps up with the assistant's pace, and never sends your code or your prompt context to a vendor cloud. That is where Vulkro fits.

Secure AI-written code as it is written: vulkro guard

The strongest position in the loop is inside it. vulkro guard runs in your AI assistant's write loop via Claude Code, Cursor, and Windsurf hooks: every time the assistant writes a file, guard checks that file and feeds serious findings back so the assistant fixes the flaw before the file lands.

vulkro guard install --agent claude-code

That closes the loop before you even see the diff. Instead of the assistant writing an IDOR, you reviewing the PR, and someone catching it three days later, the assistant gets told "this handler has no ownership check" in the same turn and rewrites it. Findings at HIGH or CRITICAL block and regenerate; MEDIUM and below are reported without trapping the agent on a nit. Each check is a single-file scan with no network call and no token cost, which is what lets it sit in the edit loop.

The lifecycle, four positions

Vulkro's spine is the pre-deploy lifecycle. AI-written code gets a gate at each stage:

1. As-you-code: vulkro guard in the write loop. As above. The tightest position, catching the flaw before it lands rather than at review time.

2. On demand: Vulkro as an MCP tool in the editor. The assistant calls Vulkro over the standard MCP protocol. Add to your client config:

{
"mcpServers": {
"vulkro": {
"command": "vulkro",
"args": ["mcp", "serve"]
}
}
}

The model gets scan_project, scan_file, explain, list_rules, and get_findings tools. When you ask Claude Code to write a new endpoint, the same session can scan the diff for auth gaps and tainted inputs before you commit. The engine also plugs in as a skill for Claude Code, Cursor, and Codex. Either way the scan runs locally and only a short findings report reaches the model. The report is text about your code, not your code.

3. Pre-commit: the new-findings gate.

vulkro init --pre-commit

scaffolds a git hook that runs vulkro gate --base HEAD on staged files. The gate is fail-on-new-only: pre-existing debt never blocks a commit, only the finding the AI diff just introduced does.

4. PR / CI: the same gate against the base branch. vulkro gate --base origin/main fails the pipeline only on net-new findings, and vulkro scan --format gh-pr renders the report as a PR comment (... | gh pr comment -F -). SARIF output feeds GitHub code scanning if that is where your team lives.

What Vulkro catches that AI assistants regress on

Bug familyWhy assistants regressHow Vulkro catches it
Auth bypass on new endpointsThe model forgets the requireAuth middleware on the route it just addedFramework-aware route extraction plus per-endpoint auth data-flow analysis
IDOR / BOLAfindById(req.params.id) with no ownership check reads fine and runs fineObject-access analysis per route method
Mass-assignmentUser.create(req.body) with no allowlistTaint tracking into model-write sinks
SQL injection across filesThe model splits a query into helpers; sink in one file, source in anotherCross-file, interprocedural taint tracking
Insecure deserializationThe model reaches for pickle.loads / yaml.loadDangerous-sink detection with safe-variant awareness
Hardcoded secretsThe model regenerates an example API key into your codeSecret detection with entropy plus provider-format checks
Open redirectredirect(req.query.url) straight from user inputTaint tracking into redirect sinks
Prompt injection in your own MCP toolsThe model writes a tool that interpolates user data into a descriptionscan-mcp-server, 8 detector classes

The detection is measured, not asserted: on our published ground-truth corpus Vulkro scores 0.81 precision against 0.62 for Semgrep CE and 0.36 for Bearer, same repos, same scoring script. The corpus, the harness, and the scorecard are public, and the benchmark page shows how to regenerate every number with one command.

The assistant's inputs are a surface too

The code the assistant writes is only half the problem. The other half is what it pulls in: hallucinated package names, poisoned MCP tool descriptions, malicious skills. vulkro slopcheck gates AI-suggested dependency lists before install, and the free Vulkro Labs tools cover the rest of the agent surface. That story has its own page.

The architectural distinction vs AI code review

Cloud AI review tools (CodeRabbit, Greptile, GitHub Copilot Code Review) are good at conversational PR review and high-level bug spotting. They use cloud LLMs, and they are a different layer.

Vulkro is the offline static layer underneath. The two compose: AI review for the "is this code idiomatic" question, Vulkro for "does this code have a known security failure shape" with deterministic detection, the same verdict on every run. Many teams run both.

The difference that matters for AI-PR security: your prompt context often contains proprietary architecture details, customer data shapes, or unreleased product names. When the scanner runs on your machine, "that context never leaves" is a structural property, not a policy promise.

Install

curl -fsSL https://dist.vulkro.com/install.sh | bash

Deep analysis (endpoints plus cross-file taint) covers JS/TS, Python, and Go. The Free tier is permanent and keeps receiving current CVE data; Pro adds the deeper detector packs, compliance evidence, and the full set of output formats. Licenses are per term with no auto-renewal.

Read the manifesto for the "no cloud LLM in detection" decision. See the benchmark for reproducible numbers.