
Am I exposed? Answered in under a second, offline.

It is 3am and an advisory just dropped. A dependency you might be pulling in (directly or five levels deep) has a fresh CVE, or a maintainer account got hijacked and a poisoned release went out to a registry your lockfiles pin against. The only question that matters right now is: am I exposed to this specific package@version, and if so, where.

Most teams answer that by grepping lockfiles by hand, opening the dependency tree in a browser tab, and guessing. Vulkro answers it in under a second, on your machine, with nothing uploaded.

Instant exposure check: vulkro respond

vulkro respond answers "am I exposed to this advisory or this package@version" in under a second, offline. It walks your lockfiles plus per-file imports (both direct and transitive) through a cached reverse index, so the moment you paste in the affected package it tells you whether you pull it, which of your files reach it, and by what path.
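As an added illustration of the lookup described above (this is not Vulkro's code; the lockfile graph, the per-file imports and every package name are constructed), a reverse dependency index built once from the lockfile lets a walk upward from the affected package@version report each file that reaches it and the path it reaches it by:

```python
"""Reverse-index exposure check over a constructed lockfile graph (example only)."""
from collections import deque

# Constructed lockfile-style graph: package@version -> its pinned dependencies.
LOCK = {
    "app@1.0.0": ["web@4.2.0", "cli@2.0.0"],
    "web@4.2.0": ["http-util@1.3.1", "logger@0.9.0"],
    "cli@2.0.0": ["logger@0.9.0"],
    "http-util@1.3.1": ["parser@3.1.0"],
    "logger@0.9.0": [],
    "parser@3.1.0": [],
}
# Constructed per-file imports: source file -> packages it imports directly.
FILE_IMPORTS = {
    "src/server.py": ["web@4.2.0"],
    "src/tools.py": ["cli@2.0.0"],
}

def build_reverse_index(lock):
    """Map each package@version to the set of packages that depend on it.
    Built in one pass and cacheable; the exposure query never rescans the lockfile."""
    rev = {pkg: set() for pkg in lock}
    for parent, deps in lock.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(parent)
    return rev

REV = build_reverse_index(LOCK)

def exposure(affected, rev, file_imports):
    """Breadth-first walk from `affected` up the reverse index. Returns
    {file: [direct dep, ..., affected]} for every file whose imports reach it
    (shortest path per file). An empty dict means the exact package@version
    is not pulled in at all; a different version of the same name is a miss."""
    hits, seen = {}, {affected}
    queue = deque([(affected, [affected])])
    while queue:
        pkg, path = queue.popleft()
        for src_file, imports in file_imports.items():
            if pkg in imports and src_file not in hits:
                hits[src_file] = list(reversed(path))
        for parent in rev.get(pkg, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return hits

if __name__ == "__main__":
    for pkg in ("logger@0.9.0", "parser@3.1.0", "parser@9.9.9"):
        print(pkg, "->", exposure(pkg, REV, FILE_IMPORTS) or "not exposed")
```

The third query shows why the check is keyed on package@version rather than name alone: a version you do not pin returns no path.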

This is built for the advisory-drop moment. No account, no upload, no waiting on a cloud scan queue. The reverse index is cached, so the answer comes back at the speed of a local lookup, not a full re-scan. When the security channel lights up, you get to say "we pin it in two services, here are the files" before the thread has finished loading.

If all you have is the package name and you want a fast, free second opinion, the open-source Vulkro Labs tool answers "is this specific package safe" instantly too:

curl -fsSL https://dist.vulkro.com/install-live.sh | bash
vulkro-live verify <package@version>

The vulkro engine itself stays closed and licensed. vulkro-live is the free, open-source Labs tool, and it is the fastest way to sanity-check a single package the instant an advisory lands.

Reachability, so you fix the reachable ones first

A CVE list sorted by CVSS is noise at 3am. Vulkro's dependency checks are reachability-ranked: they combine OSV, NVD, CISA KEV, and FIRST.org EPSS (all offline, from a signed bundle) and then rank so that what you can actually reach rises to the top.

When a new CVE lands, KEV entries and high-EPSS issues rise, and issues sitting in code you never call rank lower. The result is a worklist you can act on in order, instead of a wall of equal-weight advisories.

Vulkro ranks reachable first. It does not claim to prove exploitability. The point is triage: spend the first hour on the CVE that sits in a code path your app actually executes and that attackers are actively using, not on the one buried in a dev-only transitive you never import.

Compromised releases, the moment your lockfile pins one

Reachability handles the CVE case. The other 3am case is a supply-chain compromise: a hijacked release, a maintainer takeover, a poisoned post-install script. Vulkro ships a compromised-release catalog covering known incidents (event-stream, xz, @solana/web3.js, and the growing list of others). The moment your lockfile pins one of those hijacked releases, you hear about it.

That turns "did the thing I read about on the security feed touch us" from an afternoon of manual archaeology into a one-command answer.

Attack paths to your critical sinks

Knowing you are exposed is step one. Knowing whether the exposed code sits behind an auth check is step two. Vulkro's attack-path graph walks each entry point forward to the reachable critical sinks (raw SQL, subprocess, file writes, network callouts, and the like) and flags the hops that are missing an auth check.

During an incident, that tells you which exposed paths are actually reachable from an unauthenticated request, so you can prioritise the one that a stranger on the internet can hit over the one that requires an admin session.

Everything offline, nothing uploaded

Every step here runs on your machine. vulkro respond, the reachability ranking, the compromised-release catalog, and the attack-path graph all read local state and a signed offline bundle. Your source, your lockfiles, and your dependency graph never leave the machine, so incident response does not become its own data-handling event that your security team has to sign off on.

Get started

curl -fsSL https://install.vulkro.com | sh

# When an advisory drops:
vulkro respond <package@version>

See the full feature list for how respond, the reachability ranking, and the attack-path graph fit together, the supply-chain page for the dependency and compromised-release coverage, and the comparison for how offline triage stacks up against cloud SAST. The benchmark has the reproducible detection numbers.