Supported languages and frameworks
Vulkro understands the languages and frameworks listed below at a first-class level: it extracts endpoints, builds the route table, maps findings to OWASP API Top 10 categories, and (for the dataflow-taint languages: JavaScript, TypeScript, Python, and Go) applies framework-aware taint sources and sinks. The table below shows exactly which capability applies to which language.
For anything not on this list, Vulkro still runs the language-agnostic passes (secrets, IaC, container scanning), but endpoint discovery, dependency-CVE matching, and taint are limited or unavailable.
If your stack is missing, email [email protected] with the framework name and a small example repo; we add coverage based on real demand.
Languages
| Language | Endpoint discovery | Taint analysis | Secrets | Dep CVE¹ |
|---|---|---|---|---|
| Python | Yes | Yes (dataflow) | Yes | Yes (PyPI) |
| JavaScript | Yes | Yes (dataflow) | Yes | Yes (npm) |
| TypeScript | Yes | Yes (dataflow) | Yes | Yes (npm) |
| Go | Yes | Yes (dataflow) | Yes | Yes (go.mod) |
¹ Dependency-CVE matching parses five ecosystems: npm (package.json), PyPI (requirements*.txt, Pipfile, pyproject.toml), Go (go.mod), Cargo (Cargo.toml + Cargo.lock, OSV crates.io), and Maven (pom.xml, OSV Maven). Cargo and Maven are dependency-CVE only: they broaden supply-chain coverage but do not add Rust or Java source (taint) analysis, which is why those rows are absent from the language table above. Gradle (build.gradle), RubyGems, Packagist, and NuGet manifests are not yet parsed. Go, Cargo, and Maven findings are not in the reachability call-shape set, so they are emitted without a [reachable] / [unreachable] tag. Secrets, IaC, and container scanning run on every repo.
Ruby, Java/Kotlin, C#, and PHP were removed from the general scanner: the deep tier is JavaScript, TypeScript, Python, and Go. Salesforce (Apex, Lightning Web Components, Aura, Flow, Visualforce, and metadata) is the separate Vulkro for Salesforce product, not this scanner. A Ruby/Java/C#/PHP repo still gets the language-agnostic passes (secrets, dependency CVEs where the manifest matches, IaC, container scanning).
Secrets scanning (vulkro scan --scope src) and infrastructure misconfiguration checks work on any text-based file, regardless of language.
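To make the "endpoint discovery" and "dataflow taint with framework-aware sources / sinks" columns concrete, here is a small added example written for this page; it is not Vulkro's code and does not claim to reproduce its engine. It walks a constructed Flask application with the standard-library ast module, builds a route table from the route decorators, treats the flask.request attributes as sources (an assumed minimal set; route path parameters are deliberately not modelled), and reports sinks reached by tainted names. The sample app, source list and sink list are all constructed for the example.

```python
"""Added example (not Vulkro's code): a minimal framework-aware route + taint pass over Flask source."""
import ast

# Constructed sample app (not from the page): handler 1 is safe, handler 2 builds
# SQL by concatenation, handler 3 passes form input to a shell.
SAMPLE_APP = '''\
import os, sqlite3
from flask import Flask, request
app = Flask(__name__)

@app.route("/users/<int:uid>", methods=["GET"])
def get_user(uid):
    q = "SELECT * FROM users WHERE id = ?"
    return sqlite3.connect("app.db").execute(q, (uid,)).fetchall()

@app.route("/search")
def search():
    term = request.args.get("q")
    query = "SELECT * FROM users WHERE name = '" + term + "'"
    return sqlite3.connect("app.db").execute(query).fetchall()

@app.post("/ping")
def ping():
    host = request.form["host"]
    return os.popen("ping -c 1 " + host).read()
'''

HTTP_VERBS = {"get", "post", "put", "patch", "delete"}
# Framework-aware sources: flask.request attributes that carry client input (assumed
# minimal set for the example; route path parameters such as `uid` are not modelled).
FLASK_SOURCES = {"args", "form", "json", "values", "headers", "cookies", "data"}
# Generic sinks keyed by method name; a real engine would also resolve the receiver type.
SINKS = {"execute": "sql-injection", "system": "command-injection", "popen": "command-injection"}


def discover_routes(tree):
    """Route table from @app.route(path, methods=[...]) and @app.<verb>(path) decorators."""
    routes = []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for dec in node.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and (dec.func.attr == "route" or dec.func.attr in HTTP_VERBS)):
                continue
            if not (dec.args and isinstance(dec.args[0], ast.Constant)):
                continue  # dynamic path: cannot be enumerated statically
            verb = dec.func.attr
            methods = ["GET"] if verb == "route" else [verb.upper()]
            for kw in dec.keywords:
                if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
            routes.append({"path": dec.args[0].value, "methods": methods, "handler": node})
    return routes


def _reads_source(node):
    return any(isinstance(n, ast.Attribute) and isinstance(n.value, ast.Name)
               and n.value.id == "request" and n.attr in FLASK_SOURCES
               for n in ast.walk(node))


def _names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def tainted_names(handler):
    """Flow-insensitive fixpoint: tainted if assigned from a source or from a tainted name."""
    tainted, changed = set(), True
    while changed:
        changed = False
        for stmt in ast.walk(handler):
            if not isinstance(stmt, ast.Assign):
                continue
            if _reads_source(stmt.value) or (_names_in(stmt.value) & tainted):
                for tgt in stmt.targets:
                    new = _names_in(tgt) - tainted  # tuple/subscript targets over-approximate
                    tainted |= new
                    changed = changed or bool(new)
    return tainted


def find_sinks(handler, tainted):
    findings = []
    for call in ast.walk(handler):
        if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                and call.func.attr in SINKS):
            continue
        flows = set().union(*(_names_in(a) & tainted for a in call.args))
        if flows or any(_reads_source(a) for a in call.args):
            findings.append({"kind": SINKS[call.func.attr], "line": call.lineno,
                             "via": sorted(flows) or ["request"]})
    return findings


def route_table(source):
    return [(r["path"], r["methods"]) for r in discover_routes(ast.parse(source))]


def scan(source):
    """Route table first, then per-handler taint, so every finding names its endpoint."""
    report = []
    for route in discover_routes(ast.parse(source)):
        tainted = tainted_names(route["handler"])
        for f in find_sinks(route["handler"], tainted):
            report.append({"route": route["path"], "methods": route["methods"], **f})
    return report
```

Running scan(SAMPLE_APP) yields two findings, one per tainted handler, each tagged with its route and method; the parameterised query in get_user produces none. The point the example makes is the one the table encodes: the sink list is generic, but without the Flask-specific source list (request.args, request.form, ...) neither tainted handler would be flagged, which is what "taint falls back to generic sources" means for an unsupported framework.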
Web frameworks
Python
- FastAPI
- Flask
- Django
- Django REST Framework (DRF)
- Django Ninja
- Starlette
- aiohttp
- Tornado
- Litestar
JavaScript / TypeScript
- Express
- Fastify
- NestJS
- Next.js (App Router and Pages Router)
- Hono
- Koa
- Hapi
- Elysia
- AdonisJS
- tRPC
Go
- net/http
- Gin
- Echo
- Chi
- gorilla/mux
- Fiber
Salesforce
Salesforce (Apex, Lightning Web Components, Aura, Flow, Visualforce, and metadata) is covered by the separate Vulkro for Salesforce product (the vulkro-sf binary), not by this scanner. See the Vulkro for Salesforce docs.
Cross-cutting
- GraphQL (Apollo, graphql-yoga, Strawberry, graphene)
- gRPC
- WebSocket (ws, Socket.IO, Starlette WebSockets)
- React (client-side surface for XSS and DOM-sink analysis)
- Angular (same)
Package ecosystems for dependency CVE matching
| Ecosystem | Manifests parsed | Resolved version from | Status |
|---|---|---|---|
| npm | package.json | package-lock.json | Parsed |
| PyPI | requirements*.txt, Pipfile, pyproject.toml | poetry.lock, Pipfile.lock | Parsed |
| Go modules | go.mod | go.mod (MVS) | Parsed |
| crates.io | Cargo.toml | Cargo.lock (manifest dir or workspace root) | Parsed |
| Maven | pom.xml (<dependencies>) | <version> / <properties> (no parent-POM / BOM) | Parsed |
| Gradle | build.gradle, build.gradle.kts | - | Not yet |
| RubyGems | Gemfile, Gemfile.lock | - | Not yet |
| Packagist | composer.json, composer.lock | - | Not yet |
| NuGet | *.csproj, packages.config | - | Not yet |
The live OSV lookup covers every Parsed ecosystem. Fully offline matching (VULKRO_OFFLINE=1) additionally needs that ecosystem's file in the local CVE bundle; the default bundle ships npm + PyPI (build a wider one with the bundler's --ecosystems flag).
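The table's "Manifests parsed" versus "Resolved version from" split is the part that matters for accuracy: a manifest carries ranges, only the lockfile carries the versions that actually ship, and transitive packages never appear in the manifest at all. The following added example (written for this page, not Vulkro's implementation) walks an npm manifest and a lockfileVersion 3 package-lock.json, reports manifest entries the lockfile does not resolve, and matches the resolved versions against a local bundle in an OSV-like shape. The manifest, lockfile, bundle contents and the DEMO-* advisory identifiers are all constructed placeholders; the bundle deliberately contains only npm so that the offline-mode caveat above is visible in code.

```python
"""Added example (not Vulkro's code): lockfile-resolved versions matched against a
per-ecosystem offline bundle. All inputs below are constructed for the example."""
import json

# Constructed package.json: ranges, not versions, so it cannot be matched on its own.
PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"lodash": "^4.17.0", "express": "^4.18.0", "left-pad": "^1.3.0"},
})

# Constructed package-lock.json (lockfileVersion 3): resolved versions, including the
# transitive dependency qs, which the manifest never mentions. left-pad is missing on
# purpose to show an unresolved dependency.
PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"lodash": "^4.17.0", "express": "^4.18.0"}},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/express/node_modules/qs": {"version": "6.10.3"},
    },
})

# Constructed local bundle in an OSV-like shape. The DEMO-* ids are placeholders,
# not real advisories. Only npm is present, mirroring a default bundle.
BUNDLE = {"npm": [
    {"id": "DEMO-0001", "package": "lodash",  "ranges": [{"introduced": "0", "fixed": "4.17.21"}]},
    {"id": "DEMO-0002", "package": "qs",      "ranges": [{"introduced": "6.7.0", "fixed": "6.10.3"}]},
    {"id": "DEMO-0003", "package": "express", "ranges": [{"introduced": "0", "fixed": "4.0.0"}]},
]}


def semver_key(version):
    """Numeric (major, minor, patch). Pre-release / build suffixes are dropped, which is
    a simplification: 1.0.0-rc1 really sorts below 1.0.0."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def resolved_versions(lock_text):
    """name -> sorted versions from the lockfile's packages map, nested installs included."""
    found = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[1]  # keeps @scope/name intact
        found.setdefault(name, set()).add(meta["version"])
    return {name: sorted(v, key=semver_key) for name, v in found.items()}


def unresolved(manifest_text, resolved):
    """Manifest dependencies with no lockfile entry: reported, never guessed from the range."""
    deps = json.loads(manifest_text).get("dependencies", {})
    return sorted(name for name in deps if name not in resolved)


def affected(version, rng):
    """OSV-style half-open range: introduced <= version < fixed (no fixed = still open)."""
    v = semver_key(version)
    if v < semver_key(rng.get("introduced", "0")):
        return False
    return "fixed" not in rng or v < semver_key(rng["fixed"])


def match_bundle(ecosystem, resolved, bundle):
    """None when the ecosystem is absent from the bundle (offline mode cannot decide);
    otherwise the list of package/version/advisory hits."""
    if ecosystem not in bundle:
        return None
    hits = []
    for adv in bundle[ecosystem]:
        for version in resolved.get(adv["package"], []):
            if any(affected(version, r) for r in adv["ranges"]):
                hits.append({"package": adv["package"], "version": version, "id": adv["id"]})
    return hits


if __name__ == "__main__":
    resolved = resolved_versions(PACKAGE_LOCK)
    print("unresolved:", unresolved(PACKAGE_JSON, resolved))
    print("hits:", match_bundle("npm", resolved, BUNDLE))
    print("crates.io offline:", match_bundle("crates.io", {"serde": ["1.0.0"]}, BUNDLE))
```

Three things to notice in the output: lodash is reported because the lockfile pins 4.17.15 even though the manifest range "^4.17.0" would also admit the fixed version; qs at exactly its fixed version is not reported, which is why the range comparison must be half-open; and a crates.io query returns None rather than an empty list, so a caller can tell "nothing vulnerable" from "this bundle cannot answer".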
Linux distro packages (container scanning)
For vulkro container against Docker images:
- Alpine
- Debian
- Ubuntu
- Rocky Linux
Distro coverage is opt-in because the per-distro CVE feed is large. Enable it with the container ecosystem flag on vulkro update.
Infrastructure-as-code
Vulkro statically analyses these formats for misconfiguration:
- Terraform (*.tf)
- Kubernetes manifests (*.yaml)
- Helm charts (values.yaml, templates)
- Docker Compose (docker-compose.yml, compose.yaml)
- Dockerfiles
- nginx, Apache (nginx.conf, *.conf)
What "not yet supported" means in practice
If your stack uses a language or framework that is not on the lists above:
- Endpoint discovery will not enumerate your routes automatically.
- Taint analysis will fall back to generic sources / sinks and may miss framework-specific patterns.
- Reachability gating will be less precise: findings tagged as "reachable" are conservatively over-reported rather than missed.
- Secrets, dependency CVE, IaC, and container scans are unaffected and continue to work.
The honest read: Vulkro is most accurate on the stacks listed here. We add new frameworks every release based on what paying customers ship.