vulkro prove
Turn a static finding into a runnable proof. vulkro prove scans the
project, then for each eligible finding EMITS a test file a developer can run
to confirm the finding is a true positive.
Vulkro only generates the harness text. It never compiles or executes anything. You run the emitted file in your own toolchain, against your own environment.
Usage
vulkro prove [PATH] [FLAGS]
PATH is the project root and defaults to the current directory.
What gets a harness
prove keeps only the categories where a runnable proof is meaningful and
skips the rest with a reason, so nothing is dropped silently. The provable
categories are:
- SSRF
- prompt injection
- broken authorization (the broken-object-level, broken-function-level, and broken-object-property authorization categories)
- SQL / SOQL / NoSQL / command injection
Config smells, inventory findings, and code-quality findings have no runnable proof shape and are listed under the skipped set instead of dropped.
Languages
The language is inferred per finding from the file extension, and the matching emitter renders the harness:
| Language | Harness |
|---|---|
| JavaScript / TypeScript | A property-based fast-check test plus a concrete proof-of-concept that walks the entry -> sink path. |
| Python | A Hypothesis property test driven by pytest. |
| Apex | A generated @isTest class. Runnable only inside a Salesforce org (Test.startTest / Test.stopTest). |
A finding in a language with no emitter is skipped with a reason.
The harnesses are generated from real finding data: the taint source label, the sink line, and the endpoint method / path from the scan. Nothing is hardcoded per fixture.
Flags
| Flag | Description | Default |
|---|---|---|
--format, -f <MODE> | stdout prints the harness sources to the terminal. emit writes one file per finding under --out. | stdout |
--out <DIR> | Directory to write harness files into when --format emit. Created if missing. Ignored for stdout. | .vulkro-proofs |
--no-cache | Bypass the per-file extraction cache (~/.vulkro/scans.db). | false |
--force-app | Bypass the framework self-scan heuristic (see discover --force-app). | false |
--force-all-rules | Bypass the posture-based rule-applicability gate (see discover --force-all-rules). | false |
Each emitted harness carries a one-line run hint telling the developer how to run that specific file, and echoes the source finding id so the emitted file can be correlated back to the scan.
Exit codes
| Code | Meaning |
|---|---|
0 | No harness emitted (no eligible findings). |
1 | At least one harness emitted. |
2 | Error: bad argument, IO failure, or an internal failure. |
Examples
# Print harness sources for every provable finding in the current project.
vulkro prove .
# Write one runnable file per finding into ./proofs.
vulkro prove . --format emit --out proofs
Related
vulkro scan- the full pipeline that produces the findingsproveproves.vulkro probe- active DAST that confirms findings against a running app, rather than emitting a harness for you to run.- Output formats - the
exploitabilityandreachability_verdictfields that help you pick which findings to prove first.