Static analysis for the AI-PR era.
AI assistants now write a real share of the code that lands in
production. The diffs are bigger, the review attention per line is
thinner, and the security bugs cluster in recognizable shapes:
the endpoint that never got its auth middleware, the
findById(req.params.id) with no ownership check, the
User.create(req.body) with no allowlist, the taint flow whose
sink looks safe in isolation because the source lives in a file
the assistant generated three turns ago.
None of that is an argument against the assistant. It is an argument for a deterministic security layer that sits in the same loop, keeps up with the assistant's pace, and never sends your code or your prompt context to a vendor cloud. That is where Vulkro fits.
Secure AI-written code as it is written: vulkro guard
The strongest position in the loop is inside it. vulkro guard
runs in your AI assistant's write loop via Claude Code,
Cursor, and Windsurf hooks: every time the assistant writes a
file, guard checks that file and feeds serious findings back so
the assistant fixes the flaw before the file lands.
vulkro guard install --agent claude-code
That closes the loop before you even see the diff. Instead of the assistant writing an IDOR, you reviewing the PR, and someone catching it three days later, the assistant gets told "this handler has no ownership check" in the same turn and rewrites it. Findings at HIGH or CRITICAL block and regenerate; MEDIUM and below are reported without trapping the agent on a nit. Each check is a single-file scan with no network call and no token cost, which is what lets it sit in the edit loop.
The lifecycle, four positions
Vulkro's spine is the pre-deploy lifecycle. AI-written code gets a gate at each stage:
1. As-you-code: vulkro guard in the write loop. As above.
The tightest position, catching the flaw before it lands rather
than at review time.
2. On demand: Vulkro as an MCP tool in the editor. The assistant calls Vulkro over the standard MCP protocol. Add to your client config:
{
"mcpServers": {
"vulkro": {
"command": "vulkro",
"args": ["mcp", "serve"]
}
}
}
The model gets scan_project, scan_file, explain,
list_rules, and get_findings tools. When you ask Claude Code
to write a new endpoint, the same session can scan the diff for
auth gaps and tainted inputs before you commit. The engine also
plugs in as a skill for Claude Code, Cursor, and Codex. Either
way the scan runs locally and only a short findings report
reaches the model. The report is text about your code, not your
code.
3. Pre-commit: the new-findings gate.
vulkro init --pre-commit
scaffolds a git hook that runs vulkro gate --base HEAD on
staged files. The gate is fail-on-new-only: pre-existing debt
never blocks a commit, only the finding the AI diff just
introduced does.
4. PR / CI: the same gate against the base branch.
vulkro gate --base origin/main fails the pipeline only on
net-new findings, and vulkro scan --format gh-pr renders the
report as a PR comment (... | gh pr comment -F -). SARIF output
feeds GitHub code scanning if that is where your team lives.
What Vulkro catches that AI assistants regress on
| Bug family | Why assistants regress | How Vulkro catches it |
|---|---|---|
| Auth bypass on new endpoints | The model forgets the requireAuth middleware on the route it just added | Framework-aware route extraction plus per-endpoint auth data-flow analysis |
| IDOR / BOLA | findById(req.params.id) with no ownership check reads fine and runs fine | Object-access analysis per route method |
| Mass-assignment | User.create(req.body) with no allowlist | Taint tracking into model-write sinks |
| SQL injection across files | The model splits a query into helpers; sink in one file, source in another | Cross-file, interprocedural taint tracking |
| Insecure deserialization | The model reaches for pickle.loads / yaml.load | Dangerous-sink detection with safe-variant awareness |
| Hardcoded secrets | The model regenerates an example API key into your code | Secret detection with entropy plus provider-format checks |
| Open redirect | redirect(req.query.url) straight from user input | Taint tracking into redirect sinks |
| Prompt injection in your own MCP tools | The model writes a tool that interpolates user data into a description | scan-mcp-server, 8 detector classes |
The detection is measured, not asserted: on our published ground-truth corpus Vulkro scores 0.81 precision against 0.62 for Semgrep CE and 0.36 for Bearer, same repos, same scoring script. The corpus, the harness, and the scorecard are public, and the benchmark page shows how to regenerate every number with one command.
The assistant's inputs are a surface too
The code the assistant writes is only half the problem. The other
half is what it pulls in: hallucinated package names, poisoned MCP
tool descriptions, malicious skills. vulkro slopcheck gates
AI-suggested dependency lists before install, and the free
Vulkro Labs tools cover the rest of the agent surface.
That story has its own page.
The architectural distinction vs AI code review
Cloud AI review tools (CodeRabbit, Greptile, GitHub Copilot Code Review) are good at conversational PR review and high-level bug spotting. They use cloud LLMs, and they are a different layer.
Vulkro is the offline static layer underneath. The two compose: AI review for the "is this code idiomatic" question, Vulkro for "does this code have a known security failure shape" with deterministic detection, the same verdict on every run. Many teams run both.
The difference that matters for AI-PR security: your prompt context often contains proprietary architecture details, customer data shapes, or unreleased product names. When the scanner runs on your machine, "that context never leaves" is a structural property, not a policy promise.
Install
curl -fsSL https://dist.vulkro.com/install.sh | bash
Deep analysis (endpoints plus cross-file taint) covers JS/TS, Python, and Go. The Free tier is permanent and keeps receiving current CVE data; Pro adds the deeper detector packs, compliance evidence, and the full set of output formats. Licenses are per term with no auto-renewal.
Read the manifesto for the "no cloud LLM in detection" decision. See the benchmark for reproducible numbers.