The best offline, airgapped SAST scanner
If your requirement is "static analysis that runs with zero network, on a machine that may never touch the internet, and never sends a byte of source code anywhere," you have landed on the right page. That is exactly what Vulkro is built for.
The offline security scanner that beats Semgrep CE and Bearer on a published, reproducible benchmark. Your source code never leaves your machine.
The empty quadrant: paid, offline, single-binary
Plot the SAST market on two axes (does it run fully offline, and is it a paid product with a vendor on the hook) and one quadrant is nearly empty:
| | Offline single-binary | Cloud / SaaS |
|---|---|---|
| Free / OSS | Semgrep CE, Bearer CLI, Trivy | many free tiers |
| Paid, vendor-backed | Vulkro | Snyk, Semgrep AppSec, CodeScan, Checkmarx |
The free offline tools exist and are good, but with them you get community support only and no benchmark you can hold a vendor to. The paid tools are almost all SaaS: to use them you connect a repo, upload code snippets, and accept telemetry. Vulkro sits in the empty quadrant: a paid, supported product that runs entirely on your machine as a single static binary, with a published benchmark you can reproduce.
What "offline" means here, precisely
- No source upload, ever. The detection engine runs locally. There is no "optional cloud feature" tier that quietly uploads code for deeper analysis.
- No telemetry. No usage pings, no crash reports, no feature analytics. This is not a config toggle; it is how the binary is built.
- No account. You do not log in to scan. The Pro license is a signed file bound to your machine, verified locally.
- Enforceable air-gap. Set VULKRO_OFFLINE=1 and the process makes zero network calls at the process boundary. The only network call Vulkro ever makes by default is the signed CVE bundle fetch, and that is opt-out. Deliver bundles by USB, mirror, or internal feed for a truly disconnected machine.
See the air-gap install guide for the disconnected-machine workflow.
What it actually scans
One offline binary covers the surface that usually takes three or four tools:
- Application SAST across Node / TypeScript, Python, and Go: broken access control, injection, SSRF, IDOR, mass-assignment, auth bypass, found with cross-file taint flow.
- Secrets, including in your Git history.
- Infrastructure-as-code and container misconfiguration.
- Dependency CVEs (SCA) from a local bundle (OSV + NVD + KEV + EPSS) in the same scan.
- The OWASP API Top 10 and LLM Top 10 (LLM01 / LLM06).
The receipts: a benchmark you can reproduce
We do not ask you to trust a marketing claim. Vulkro publishes the benchmark harness, the ground-truth corpus, and the scoring code. On the public corpus (10 deliberately-vulnerable codebases, 55 catalogued bugs, scored at the default high-confidence setting):
| | Vulkro | Semgrep CE | Bearer 2.0.2 |
|---|---|---|---|
| Precision | 0.77 | 0.76 | 0.50 |
| Recall | 0.65 | 0.24 | 0.47 |
| F1 score | 0.71 | 0.36 | 0.49 |
Clone the corpus, run the same commands, get the same numbers. The benchmark methodology walks through it end to end.
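To make the precision, recall and F1 columns above concrete, here is an added illustration of how a ground-truth SAST benchmark is scored at a confidence threshold. It is not Vulkro's published harness; the toy corpus, the findings, the line tolerance and the confidence labels are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bug:
    file: str
    line: int
    cwe: str  # weakness class the bug is catalogued under, e.g. "CWE-89"

# Constructed ground truth: five catalogued bugs in a toy corpus.
GROUND_TRUTH = [
    Bug("app/users.py", 42, "CWE-89"),
    Bug("app/users.py", 88, "CWE-639"),
    Bug("app/files.py", 17, "CWE-22"),
    Bug("app/fetch.py", 61, "CWE-918"),
    Bug("app/auth.py", 120, "CWE-287"),
]

# Constructed scanner output: (finding, confidence label reported by the tool).
FINDINGS = [
    (Bug("app/users.py", 43, "CWE-89"), "high"),     # TP: within line tolerance
    (Bug("app/files.py", 17, "CWE-22"), "high"),     # TP: exact hit
    (Bug("app/fetch.py", 61, "CWE-918"), "medium"),  # real bug, but below the high cut-off
    (Bug("app/templates.py", 5, "CWE-79"), "high"),  # FP: nothing catalogued there
    (Bug("app/users.py", 88, "CWE-89"), "high"),     # FP: right line, wrong weakness class
]

CONF_RANK = {"low": 0, "medium": 1, "high": 2}

def matches(finding, truth, line_tolerance=2):
    # A finding only counts if file and weakness class agree and the line is close.
    return (finding.file == truth.file and finding.cwe == truth.cwe
            and abs(finding.line - truth.line) <= line_tolerance)

def score(findings, ground_truth, min_confidence="high", line_tolerance=2):
    """Return (precision, recall, f1), each rounded to two places.
    Each catalogued bug may be claimed by at most one finding; every kept
    finding that claims nothing is a false positive."""
    kept = [f for f, c in findings if CONF_RANK[c] >= CONF_RANK[min_confidence]]
    unclaimed = set(ground_truth)
    tp = 0
    for f in kept:
        hit = next((t for t in unclaimed if matches(f, t, line_tolerance)), None)
        if hit is not None:
            unclaimed.discard(hit)
            tp += 1
    fp, fn = len(kept) - tp, len(unclaimed)
    precision = tp / (tp + fp) if kept else 0.0
    recall = tp / (tp + fn) if ground_truth else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return round(precision, 2), round(recall, 2), round(f1, 2)
```

Lowering the threshold to "medium" keeps the third finding and lifts recall, which is why the page states the confidence setting the published numbers were scored at.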
Why a closed-source product still publishes its benchmark
Vulkro's detectors are closed source: the detection engine is the licensed product, and that is what you pay for. What is public is the thing that matters for trust: the benchmark. The honest positioning is "publish the benchmark, ship reproducible results," not "read our detector code." You can verify the catch rate and the false-positive rate yourself without us handing over the rule engine.
Pricing built for offline buyers
- Free is permanent: the core scan, secrets, SCA, and CVE bundle updates, no card, no expiry.
- Pro is a per-term license with no auto-renewal: $24 for a month or $199 for a year. When the term lapses the CLI keeps working at the Free tier and the CVE bundle keeps updating; only the Pro detector depth and the compliance and output formats pause until you buy again.
- Team / Org ($599/yr) covers every machine in one org under one flat license, and Lifetime ($349 one-time) is a perpetual major-version license.
See the full pricing page and why we never auto-renew.
Get started
```sh
curl -fsSL https://dist.vulkro.com/install.sh | sh
vulkro scan .
```
Then read the install guide for the air-gapped and offline-bundle variants.
See also: Vulkro vs Semgrep, Vulkro vs Bearer, Vulkro vs Trivy, Vulkro vs Snyk, Air-gap install, Benchmark.