JavaScript and TypeScript
Vulkro does full source analysis for JavaScript and TypeScript, including the Node.js server frameworks and the client-side XSS / DOM-sink surface. Both languages are in the Free tier - no account upgrade needed for the deep analysis (an account and sign-in are still required to scan; see Accounts).
Project detection
Vulkro recognises the project from package.json and resolves installed
versions from package-lock.json. TypeScript sources are analysed directly;
no build step or type-check is required.
vulkro scan .
vulkro discover . # endpoint map only
Frameworks
Endpoint extraction understands:
- Express
- Fastify
- NestJS
- Next.js (App Router and Pages Router)
- Koa
- Hono
- Hapi
- Elysia
- AdonisJS
- tRPC
Cross-cutting surfaces also covered:
- GraphQL (Apollo, graphql-yoga)
- gRPC
- WebSocket (
ws, Socket.IO) - React and Angular client surfaces (for XSS and DOM-sink analysis)
Router composition is followed so recorded paths match what the server serves
(for example Express Router mounts and Next.js route segments).
Access model
Each endpoint is tagged with an AuthTier (Anonymous / User / Admin / Service
/ Machine / Unknown), its scopes, and its tenant-scoping. The BOLA / IDOR and
broken-authentication rules consult this metadata so findings already covered
by a visible auth gate are suppressed. Java, Python, and Go share the same
endpoint model, and all of them flow into the OWASP API Top 10 checks.
Taint analysis
Vulkro runs an interprocedural taint pass for JS/TS. It follows data from a request-bound source through function calls to a dangerous sink.
Sources include req.body, req.query, req.params, req.headers, the
equivalents in Next.js route handlers, and route-handler parameters. Sinks
include SQL query builders (knex.raw, sequelize.query, db.query,
pool.query), child_process.exec, eval / Function(...), fetch(...)
(SSRF), redirect(...) (open redirect), template-as-string XSS, and
__proto__ writes (prototype pollution). Findings carry the source-to-sink
hop chain (SARIF codeFlows).
Loop-carried taint is off by default; enable the worklist engine with
VULKRO_TAINT_CFG=1 (JS/TS and Python only). See
Taint analysis for the full source / sink /
sanitiser model and its limits.
Dependencies
npm dependencies from package.json (resolved via package-lock.json) are
matched against the local CVE bundle. JS/TS is also covered by the npm
reachability annotation: CVE findings for a curated set of high-traffic
packages are tagged [reachable] or [unreachable] by call-shape. See
Dependencies and CVEs and
Reachability.
Related detectors
The AI-generated-code surface (slopsquatted package names, RAG-index safety, CI/CD pipeline injection) applies to JS/TS. See New detectors.
Useful commands
vulkro scan .
vulkro discover . --format json
vulkro dataflow .
vulkro explain JS-TAINT-SQL-001