
Supported languages and frameworks

Vulkro understands the languages and frameworks listed below at a first-class level: it extracts endpoints, builds the route table, maps findings to OWASP API Top 10 categories, and (for the dataflow-taint languages: JavaScript, TypeScript, Python, and Go) applies framework-aware taint sources and sinks. The table below shows exactly which capability applies to which language.

For anything not on this list, Vulkro still runs the language-agnostic passes (secrets, IaC, container scanning), but endpoint discovery, dependency-CVE matching, and taint are limited or unavailable.

If your stack is missing, email [email protected] with the framework name and a small example repo; we add coverage based on real demand.

Languages

Language   | Endpoint discovery | Taint analysis | Secrets | Dep CVE¹
Python     | Yes                | Yes (dataflow) | Yes     | Yes (PyPI)
JavaScript | Yes                | Yes (dataflow) | Yes     | Yes (npm)
TypeScript | Yes                | Yes (dataflow) | Yes     | Yes (npm)
Go         | Yes                | Yes (dataflow) | Yes     | Yes (go.mod)

¹ Dependency-CVE matching parses five ecosystems: npm (package.json), PyPI (requirements*.txt, Pipfile, pyproject.toml), Go (go.mod), Cargo (Cargo.toml + Cargo.lock, OSV crates.io), and Maven (pom.xml, OSV Maven). Cargo and Maven are dependency-CVE only - they broaden supply-chain coverage but do not add Rust or Java source (taint) analysis, which is why those rows are absent from the language table above. Gradle (build.gradle), RubyGems, and NuGet manifests are not yet parsed. Go, Cargo, and Maven findings are not in the reachability call-shape set, so they are emitted without a [reachable] / [unreachable] tag. Secrets, IaC, and container scanning run on every repo.

Ruby, Java/Kotlin, C#, and PHP were removed from the general scanner: the deep tier is JavaScript, TypeScript, Python, and Go. Salesforce (Apex, Lightning Web Components, Aura, Flow, Visualforce, and metadata) is the separate Vulkro for Salesforce product, not this scanner. A Ruby/Java/C#/PHP repo still gets the language-agnostic passes (secrets, dependency CVEs where the manifest matches, IaC, container scanning).

Secrets scanning (vulkro scan --scope src) and infrastructure misconfiguration checks work on any text-based file, regardless of language.

Web frameworks

Python

  • FastAPI
  • Flask
  • Django
  • Django REST Framework (DRF)
  • Django Ninja
  • Starlette
  • aiohttp
  • Tornado
  • Litestar

JavaScript / TypeScript

  • Express
  • Fastify
  • NestJS
  • Next.js (App Router and Pages Router)
  • Hono
  • Koa
  • Hapi
  • Elysia
  • AdonisJS
  • tRPC

Go

  • net/http
  • Gin
  • Echo
  • Chi
  • gorilla/mux
  • Fiber

Salesforce

Salesforce (Apex, Lightning Web Components, Aura, Flow, Visualforce, and metadata) is covered by the separate Vulkro for Salesforce product (the vulkro-sf binary), not by this scanner. See the Vulkro for Salesforce docs.

Cross-cutting

  • GraphQL (Apollo, graphql-yoga, Strawberry, graphene)
  • gRPC
  • WebSocket (ws, Socket.IO, Starlette WebSockets)
  • React (client-side surface for XSS and DOM-sink analysis)
  • Angular (same)

Package ecosystems for dependency CVE matching

Ecosystem  | Manifests parsed                              | Resolved version from                                  | Status
npm        | package.json                                  | package-lock.json                                      | Parsed
PyPI       | requirements*.txt, Pipfile, pyproject.toml    | poetry.lock, Pipfile.lock                              | Parsed
Go modules | go.mod                                        | go.mod (MVS)                                           | Parsed
crates.io  | Cargo.toml                                    | Cargo.lock (manifest dir or workspace root)            | Parsed
Maven      | pom.xml (<dependencies>)                      | <version> / <properties> (no parent-POM / BOM)         | Parsed
Gradle     | build.gradle, build.gradle.kts                | -                                                      | Not yet
RubyGems   | Gemfile, Gemfile.lock                         | -                                                      | Not yet
Packagist  | composer.json, composer.lock                  | -                                                      | Not yet
NuGet      | *.csproj, packages.config                     | -                                                      | Not yet

The live OSV lookup covers every ecosystem marked Parsed. Fully offline matching (VULKRO_OFFLINE=1) additionally needs that ecosystem's file in the local CVE bundle; the default bundle ships npm + PyPI only (build a wider one with the bundler's --ecosystems flag).

Linux distro packages (container scanning)

For vulkro container against Docker images:

  • Alpine
  • Debian
  • Ubuntu
  • Rocky Linux

Distro coverage is opt-in because the per-distro CVE feed is large. Enable it with the container ecosystem flag on vulkro update.

Infrastructure-as-code

Vulkro statically analyses these formats for misconfiguration:

  • Terraform (*.tf)
  • Kubernetes manifests (*.yaml)
  • Helm charts (values.yaml, templates)
  • Docker Compose (docker-compose.yml, compose.yaml)
  • Dockerfiles
  • nginx, Apache (nginx.conf, *.conf)

What "not yet supported" means in practice

If your stack uses a language or framework that is not on the lists above:

  • Endpoint discovery will not enumerate your routes automatically.
  • Taint analysis will fall back to generic sources / sinks and may miss framework-specific patterns.
  • Reachability gating will be less precise: findings tagged as "reachable" are conservatively over-reported rather than missed.
  • Secrets, dependency CVE, IaC, and container scans are unaffected and continue to work.

The honest read: Vulkro is most accurate on the stacks listed here. We add new frameworks every release based on what paying customers ship.