
Your HIPAA, fintech, or legal code never leaves your machine.

Healthcare, financial services, legal-tech, and any team handling regulated data have a structural problem with cloud-first SAST. Uploading source code (which by definition references your data models, your access-control logic, and your customer-specific business rules) to a vendor cloud is a data-handling event that your security team, your auditors, and your customers' DPAs will all flag.

The current options are usually:

  • Pay enterprise prices for SaaS scanners with a "broker proxy" that mitigates some of the upload while keeping the SaaS control plane.
  • Self-host SonarQube, Semgrep Cloud, or CodeQL with all the operational cost (infrastructure, upgrades, on-call).
  • Skip SAST and hope the next pen test catches it.

Vulkro is the fourth option: a single static binary that runs on your laptop or your CI runner, never phones home, and produces the compliance evidence your auditor wants to see.

What "offline" means here

Property                              Vulkro                                       Typical cloud SAST
Source code uploaded                  Never                                        Yes (some offer encrypted retention)
Telemetry                             None                                         Mandatory, account-scoped
Account required                      None                                         Yes
LLM in the scanner                    None                                         Increasingly common
Network at scan time                  Optional (CVE bundle download or air-gap)    Required
VULKRO_OFFLINE=1 enforces zero net    Yes                                          n/a
Air-gapped CVE bundle delivery        Available                                    Limited
Vendor SOC 2 + DPA needed             No (no data shared)                          Yes

The detection engine and the CVE bundle live in the binary. No proxy, no broker, no encrypted tunnel to "scan in the cloud securely." There is nothing in the cloud to scan against.

Compliance mapping (Free) and signed evidence packs (Pro)

Two levels here, both useful at audit time.

Free: vulkro compliance --profile <name> maps your scan findings to the controls of a published framework. Supported profiles (run vulkro compliance --help for the live list):

  • soc2, iso27001, hipaa (Trust Service Criteria / Annex A / Security Rule, respectively)
  • pci (PCI DSS Requirements 6 and 11)
  • nist-ssdf, nist-800-53, stateramp
  • gdpr (Article 30 Record-of-Processing alignment)
  • owasp-asvs, cis, cwe-top25

The output is a control-by-control breakdown showing which findings touch which control. Useful pre-audit to know where the gaps are.

Pro: vulkro compliance-pack --framework <name> renders a signed evidence pack for SOC 2, ISO 27001, or HIPAA. The pack is the artefact you hand to an auditor: control-by-control, with findings cross-referenced, signed so the auditor can verify the report was generated against a specific commit.

Separate: GDPR Record of Processing. vulkro scan --format ropa-html (and --format ropa-md) renders an Article 30 RoPA template populated from the scan's data-flow lineage. It sits alongside the compliance mapping rather than under it.

Air-gapped deployments

For classified, defense, or fully air-gapped environments:

  • The binary is reproducible-builds-friendly (signed releases, hash-pinnable).
  • VULKRO_OFFLINE=1 refuses any network operation, including CVE bundle update checks.
  • CVE bundles ship as signed .vkbundle files you can sneakernet in on a fresh schedule.
  • The Web UI desktop console runs entirely on localhost; no outbound connection.

See the air-gap docs for the full deployment recipe.
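An added example (not Vulkro's own code or docs) of the CI-runner wrapper the list above implies: pin the binary's SHA-256 before trusting it, refuse to run on a mismatch, and export VULKRO_OFFLINE=1 so the scan cannot reach the network. The binary path, the pinned hash, the scan target directory and the positional-argument form of the scan command are assumptions; only the VULKRO_OFFLINE variable and the --format ropa-md flag come from the page.

```shell
#!/bin/sh
# Added example, not part of Vulkro's release or documentation.
# Air-gapped CI step: verify the pinned release hash, then run the scan
# with VULKRO_OFFLINE=1 so no CVE-bundle update check or other network
# operation can happen during the scan.

# sha256_of <path>: print the hex SHA-256 of a file (Linux or macOS tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned_binary <path> <expected_sha256>
# Returns 0 when the file exists and matches the pinned hash, 1 otherwise.
verify_pinned_binary() {
    path="$1"
    expected="$2"
    [ -f "$path" ] || return 1
    actual=$(sha256_of "$path")
    [ "$actual" = "$expected" ]
}

# run_offline_scan <vulkro_binary> <expected_sha256> <project_dir>
# Refuses to execute an unpinned binary; otherwise runs the scan offline.
# The "<project_dir>" positional argument is an assumption about the CLI.
run_offline_scan() {
    if ! verify_pinned_binary "$1" "$2"; then
        echo "refusing to run: $1 does not match the pinned SHA-256" >&2
        return 1
    fi
    VULKRO_OFFLINE=1 "$1" scan --format ropa-md "$3"
}

# Usage from a CI job (hash and paths are placeholders):
#   ./airgap-scan.sh ./vulkro <pinned-sha256> ./src
if [ "$#" -eq 3 ]; then
    run_offline_scan "$@"
fi
```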

Industries we hear from

Healthcare and HIPAA covered entities. EHR vendors, telehealth platforms, billing software, HIPAA-business-associate SaaS. The audit conversation is always "where does the PHI flow." Vulkro's PII and PHI detection plus the data-flow lineage feature gives you that map without uploading the code to a vendor cloud.

Fintech and PCI DSS merchants. Cardholder data flow scoping, crypto weakness audit, hardcoded secret detection, callout-credential review. The PCI DSS 4.0 mapping ships in the Pro tier.

Legal-tech and attorney-client confidentiality. Doc-review platforms, matter management, e-discovery, litigation analytics. The same property that helps healthcare (no upload) is even more pointed here, where attorney-client privilege is at stake.

Defense and classified environments. Single binary, reproducible, air-gappable, no telemetry. See the air-gap docs.

Salesforce in regulated industries. Healthcare on Health Cloud, fintech on Financial Services Cloud, patient-segment campaigns in Marketing Cloud, regulated data bridged into Postgres via Heroku Connect, Wave dashboards exposing PII via CRM Analytics. Each is a separate Pro detector pack that self-gates on the project markers (Health Cloud objects, FSC objects, AMPscript files, Heroku Connect mapping.json, .saql files). The full list of SF Pro packs: /docs/salesforce/appexchange-readiness.

Pricing

  • Free for the core scan (Python, JS, TS, Go).
  • Pro Monthly $19 per month, single machine, no auto-renewal.
  • Pro Annual $149 per year, single machine, no auto-renewal.
  • Compliance packs are Pro features (HIPAA, PCI DSS, SOC 2, ISO 27001, NIST 800-53, GDPR RoPA).
  • Enterprise for multi-machine deployments, air-gapped license server, private rule packs, and a direct line to the Vulkro team. Contact sales for terms.

There is no auto-renewal anywhere. License terms expire and you buy a fresh one if you want to keep the Pro feature set.

Read the manifesto for the "we never see your code" decision. See the benchmark for reproducible detection numbers.