
SOC 2

Profile name: soc2

Vulkro covers the application-security-relevant Trust Services Criteria:

  • CC6 - Logical and Physical Access Controls (subset relevant to apps)
  • CC7 - System Operations (subset relevant to apps)

Other TSCs (CC1 control environment, CC3 risk assessment, CC9 risk mitigation, A1 availability, etc.) require organisational evidence that falls outside a static scanner's reach.

Run it

vulkro compliance . --profile soc2

High-traffic mappings

| Vulkro finding category | SOC 2 |
|---|---|
| BrokenAuthentication | CC6.1, CC6.6 |
| BrokenObjectLevelAuth | CC6.1, CC6.3 |
| BrokenFunctionLevelAuth | CC6.3 |
| Hardcoded secret | CC6.1 |
| SecurityMisconfiguration | CC6.6, CC7.1 |
| Vulnerable dependency | CC7.1 |
| Insecure logging | CC7.2 |
| XSS / Injection | CC6.6 |

Audit-trail expectations

SOC 2 reviewers will ask "how do you know this was true on the date of the report?". Vulkro's --save flag persists every scan to ~/.vulkro/scans.db with timestamps and signed bundle versions, which gives you a defensible answer - pair vulkro scan --save with a daily cron job or a CI workflow.
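The CI variant of that daily evidence run, as an added example that is not part of the Vulkro documentation: a GitHub Actions workflow that persists a scan with `vulkro scan --save`, checks the `soc2` profile, and keeps a copy of `~/.vulkro/scans.db` as a build artifact. The `pip install vulkro` step is an assumption about how the tool is installed, and the workflow name, schedule and artifact name are placeholders chosen for this example.

```yaml
# Added example (not from the Vulkro project): daily SOC 2 evidence run.
# Assumption: vulkro is installable with `pip install vulkro`.
name: soc2-evidence

on:
  schedule:
    - cron: "17 3 * * *"   # once a day, 03:17 UTC
  workflow_dispatch: {}    # allow a manual re-run before an audit

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install vulkro (install command is an assumption)
        run: pip install vulkro

      - name: Persist a timestamped scan to ~/.vulkro/scans.db
        run: vulkro scan --save

      - name: Evaluate the SOC 2 profile (fails the job on findings)
        run: vulkro compliance . --profile soc2

      # Runs even when the compliance step fails: the auditor wants the
      # record of what was found on that date, not only the green runs.
      - name: Copy the scan database into the workspace
        if: always()
        run: cp "$HOME/.vulkro/scans.db" "$GITHUB_WORKSPACE/scans.db"

      - name: Keep the scan database as report-period evidence
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: vulkro-scans-${{ github.run_id }}
          path: scans.db
          retention-days: 90
```

Artifact retention is capped by the repository's GitHub settings (90 days is the default maximum for most plans), so for a twelve-month SOC 2 observation window the artifact should also be copied to durable storage that your retention policy already covers; the timestamped and signed entries inside `scans.db` remain the record the reviewer checks against the report date.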