Skip to main content

vulkro prove

Turn a static finding into a runnable proof. vulkro prove scans the project, then for each eligible finding EMITS a test file a developer can run to confirm the finding is a true positive.

Vulkro only generates the harness text. It never compiles or executes anything. You run the emitted file in your own toolchain, against your own environment.

Usage

vulkro prove [PATH] [FLAGS]

PATH is the project root and defaults to the current directory.

What gets a harness

prove keeps only the categories where a runnable proof is meaningful and skips the rest with a reason, so nothing is dropped silently. The provable categories are:

  • SSRF
  • prompt injection
  • broken authorization (the broken-object-level, broken-function-level, and broken-object-property authorization categories)
  • SQL / SOQL / NoSQL / command injection

Config smells, inventory findings, and code-quality findings have no runnable proof shape and are listed under the skipped set instead of dropped.

Languages

The language is inferred per finding from the file extension, and the matching emitter renders the harness:

LanguageHarness
JavaScript / TypeScriptA property-based fast-check test plus a concrete proof-of-concept that walks the entry -> sink path.
PythonA Hypothesis property test driven by pytest.
ApexA generated @isTest class. Runnable only inside a Salesforce org (Test.startTest / Test.stopTest).

A finding in a language with no emitter is skipped with a reason.

The harnesses are generated from real finding data: the taint source label, the sink line, and the endpoint method / path from the scan. Nothing is hardcoded per fixture.

Flags

FlagDescriptionDefault
--format, -f <MODE>stdout prints the harness sources to the terminal. emit writes one file per finding under --out.stdout
--out <DIR>Directory to write harness files into when --format emit. Created if missing. Ignored for stdout..vulkro-proofs
--no-cacheBypass the per-file extraction cache (~/.vulkro/scans.db).false
--force-appBypass the framework self-scan heuristic (see discover --force-app).false
--force-all-rulesBypass the posture-based rule-applicability gate (see discover --force-all-rules).false

Each emitted harness carries a one-line run hint telling the developer how to run that specific file, and echoes the source finding id so the emitted file can be correlated back to the scan.

Exit codes

CodeMeaning
0No harness emitted (no eligible findings).
1At least one harness emitted.
2Error: bad argument, IO failure, or an internal failure.

Examples

# Print harness sources for every provable finding in the current project.
vulkro prove .

# Write one runnable file per finding into ./proofs.
vulkro prove . --format emit --out proofs
  • vulkro scan - the full pipeline that produces the findings prove proves.
  • vulkro probe - active DAST that confirms findings against a running app, rather than emitting a harness for you to run.
  • Output formats - the exploitability and reachability_verdict fields that help you pick which findings to prove first.