Free SAST for open-source maintainers.
Open-source maintainers have a paradoxical security problem. Your code is already public, so the privacy argument for cloud SAST evaporates. But every commercial scanner requires an account, scales price by contributor count, and assumes a paid relationship. The "free" tiers of the big SaaS scanners are shallow on purpose; community editions sit at 22-45% recall on modern bug benchmarks. The free options that actually work (CodeQL) are locked to one CI provider.
Vulkro Free is the missing tier: full SAST on the public benchmark, permanently free, with no card, no account, and no contributor-count cap.
What you get on the Free tier
| Capability | Free |
|---|---|
| Languages | Python, JavaScript, TypeScript, Go |
| Frameworks | FastAPI, Flask, Django, Express, Fastify, NestJS, Next.js, gRPC, GraphQL, Gin, Echo, and ~30 others |
| OWASP API Top 10 | Yes |
| Supply chain catalog | Compromised release detection (event-stream, ua-parser-js, xz-utils, the Axios March 2026 incident, others) |
| Secrets scanning | Yes, with entropy + provider-family regex |
| Auth / IDOR / injection / mass-assignment | Yes |
| Output formats | Table, JSON, NDJSON, SARIF, gh-pr inline comments |
| CVE bundle updates | Same schedule as Pro |
| MCP host audits + extension audits | Yes |
| vulkro respond incident response | Yes |
| vulkro scan-mcp-server (the 8-detector MCP pack) | Yes |
| Unlimited repos | Yes |
Pro tier adds extended languages (Ruby, Java/Kotlin, C#, PHP, Apex), deep detector packs, compliance evidence, portfolio, and the heavy output formats (CycloneDX, SPDX, CBOM, PDF, RoPA). Free remains the right tier for almost all OSS use cases.
GitHub Actions in 8 lines
```yaml
name: vulkro
on: [pull_request, push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -fsSL https://install.vulkro.com | sh
      - run: vulkro scan --format sarif --output vulkro.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vulkro.sarif
```
That posts findings to the GitHub Code Scanning tab, the same surface that CodeQL writes to. Vulkro and CodeQL coexist on different rule sets and either both pass or you triage the delta.
Baseline + ratchet for legacy projects
A 10-year-old repo will not pass a fresh SAST scan on day one. Vulkro's baseline workflow is built for the retrofit case:
```sh
vulkro scan --baseline .vulkro-baseline.json   # writes current state
# commit the baseline
vulkro scan --ratchet                          # only NEW findings fail
```
After that, contributors only see findings their PR introduces. Existing debt becomes a separate "burn down the baseline" project, on whatever cadence you have time for.
Inline suppressions when you need them
```python
# vulkro:disable[hardcoded-secret] until=2026-08-01 reason="test fixture"
TEST_API_KEY = "sk-test-1234567890"
```
The until= date is a soft deadline: once it passes, Vulkro keeps honouring the suppression but emits a low-severity suppression-expired finding so you remember to revisit. The same mechanism works for any rule id.
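To make the soft-deadline behaviour concrete, here is an added example (not Vulkro's own code; the comment grammar, the finding dict shape and the "applies to the next line" scoping are assumptions) that parses the suppression comment, drops matching findings on the following line, and emits the low-severity suppression-expired finding once the until= date has passed:

```python
import re
from datetime import date

# Grammar of the suppression comment as shown above. Assumed semantics:
# an illustrative reimplementation, not Vulkro's actual parser.
SUPPRESS_RE = re.compile(
    r"#\s*vulkro:disable\[(?P<rule>[A-Za-z0-9_-]+)\]"
    r"(?:\s+until=(?P<until>\d{4}-\d{2}-\d{2}))?"
    r'(?:\s+reason="(?P<reason>[^"]*)")?'
)

def parse_suppressions(source: str) -> dict:
    """Map a line number to the suppression declared on the line above it."""
    suppressions = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SUPPRESS_RE.search(line)
        if m:
            until = m.group("until")
            suppressions[lineno + 1] = {
                "rule": m.group("rule"),
                "until": date.fromisoformat(until) if until else None,
                "reason": m.group("reason") or "",
            }
    return suppressions

def apply_suppressions(findings: list, source: str, today_iso: str) -> list:
    """Drop suppressed findings. A suppression whose until= date has passed
    still applies, but adds a low-severity 'suppression-expired' finding."""
    today = date.fromisoformat(today_iso)
    sup = parse_suppressions(source)
    out = []
    for f in findings:
        s = sup.get(f["line"])
        if s is None or s["rule"] != f["rule"]:
            out.append(f)                      # not suppressed: keep as-is
            continue
        if s["until"] is not None and today > s["until"]:
            out.append({"rule": "suppression-expired", "line": f["line"],
                        "severity": "low",
                        "message": f"suppression of {s['rule']} expired "
                                   f"{s['until']} ({s['reason']})"})
    return out

# Constructed sample input mirroring the fixture example above.
SAMPLE = '''# vulkro:disable[hardcoded-secret] until=2026-08-01 reason="test fixture"
TEST_API_KEY = "sk-test-1234567890"
OTHER = "sk-live-placeholder"
'''
SAMPLE_FINDINGS = [{"rule": "hardcoded-secret", "line": 2, "severity": "high"},
                   {"rule": "hardcoded-secret", "line": 3, "severity": "high"}]
```

Before the deadline only the unsuppressed line 3 finding survives; after it, line 2 re-surfaces as a low-severity suppression-expired finding rather than the original high-severity one.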
Honest comparison to the alternatives
| | Vulkro Free | Semgrep CE | CodeQL via GHAS | Snyk Open Source |
|---|---|---|---|---|
| Account required | No | No | GitHub | Yes |
| Cost | $0 (permanent) | $0 (CE) | $0 for public repos | $0 (free tier) |
| Languages | Py, JS, TS, Go (Free); +5 in Pro | 30+ | 11 | 10+ |
| Catalogued bugs caught (Tier 1 bench) | 42/55 | 12/55 | n/a | n/a |
| F1 at production setting | 0.68 | 0.32 | n/a | n/a |
| Cross-file taint flow | Yes | Pro-tier | Yes | Yes |
| CI provider lock-in | None | None | GitHub-only | None |
| Supply chain catalog | Yes | Pro-tier | No | Yes |
| Telemetry | None | Optional, on by default | None | Mandatory |
(Tier 1 bench numbers reproducible via bench/comparison/run.sh --tier1.)
Contributors
If your project ends up using Vulkro and you want a Pro license for the maintainer team at no charge, email [email protected] with a link to the repo. Active maintainer teams of meaningful OSS projects get Pro licenses for free.