vulkro-sf serve
Boots the embedded Vulkro for Salesforce console - a local Axum
server that ships inside the vulkro-sf binary and serves the bundled
React UI from memory. The console is the web-UI view of every other
subcommand: project picker, scan runner, findings triage, code surfaces
(Apex / LWC / Aura / Flow / Visualforce), security tabs (taint,
sharing, injection, secrets, Connected Apps), org posture, PII map,
Agentforce inventory, anti-patterns, AppExchange readiness, license,
and scan history.
The server runs on 127.0.0.1 by default (loopback only - other
machines on your network cannot reach it). Nothing is uploaded to us,
nothing leaves the machine, and the SQLite database that holds your
scan history lives on local disk.
Synopsis
vulkro-sf serve [flags]
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --port <N> | int | (OS-picked free high port) | Bind a specific TCP port instead of letting the OS pick one. Overrides VULKRO_SF_PORT. |
| --no-browser | bool | off | Do not auto-open your default browser after the server starts. Use for headless / CI / container runs. |
Environment variables
For self-hosted or containerized deployments:
| Variable | Default | Description |
|---|---|---|
| VULKRO_SF_BIND | 127.0.0.1 | Bind IP. Loopback by default (local-only). Set to 0.0.0.0 to expose the console on the network. The console has no built-in authentication: a non-loopback bind MUST sit behind a reverse proxy that adds auth and TLS. |
| VULKRO_SF_PORT | (OS picks) | Fixed port. Overridden by --port when both are set. |
| VULKRO_SF_DATA_DIR | ~/.vulkro-sf/data | Directory for the SQLite database and on-disk state. Point this at a mounted volume when running in a container. |
What you get inside the console
The console groups every feature behind eight top-level tabs:
- Overview - per-project risk summary, recent scans, headline artefacts (the readiness report and the latest finding pack).
- Code - findings list, per-module rollup, codebase map, data-flow trace, generated API docs, and one tab per Salesforce surface: Apex, LWC / Aura, Flow, Visualforce.
- Security - issue triage and the focused security lenses: taint analysis, access control, RBAC, CRUD / FLS enforcement, sharing, injection, CSRF, privacy, secrets, git-history secret scan, and Connected Apps.
- Platform - the Salesforce-platform surfaces that sit above source: org posture, identity (profiles and permission sets), structure map, PII map, and Agentforce action inventory.
- Quality - anti-pattern catalog runs (AP-001 through AP-058), Apex test coverage (source-side, estimated from the SFDX project), live-org coverage (per-class line coverage as the connected Salesforce org reports it through the Tooling API), and complexity. The live-org coverage sub-tab is the ground truth the AppExchange reviewer reads; the source-side sub-tab is the static estimate available before deployment.
- Activity - per-scan trends, contributor activity, hotspot files, and gate-history.
- AppExchange - the AppExchange Security Review readiness report and the per-section checklist.
- More - scan history, longer-term trends, license state, and output formats (SARIF, HTML, anti-pattern report).
The same data is also reachable from the CLI: vulkro-sf scan
populates the Code and Security tabs, vulkro-sf antipatterns
populates the Quality tab, vulkro-sf org status / perms / packages
populate the Platform tab, and vulkro-sf appexchange-report
populates the AppExchange tab.
Examples
# Default: pick a free port, bind loopback, open your browser.
vulkro-sf serve
# Pin the port so a saved bookmark keeps working.
vulkro-sf serve --port 7070
# Headless mode for CI or remote tunnels.
vulkro-sf serve --port 7070 --no-browser
# Self-hosted container behind a reverse proxy.
VULKRO_SF_BIND=0.0.0.0 \
VULKRO_SF_PORT=7070 \
VULKRO_SF_DATA_DIR=/var/lib/vulkro-sf \
vulkro-sf serve --no-browser
Exit codes
- 0 - served and shut down cleanly (Ctrl-C).
- 2 - error: bad bind address, the requested port is already in use, or VULKRO_SF_DATA_DIR is not writable. The error message names the cause and the next step (e.g. "port 7070 in use. Try: vulkro-sf serve --port 0 to let the OS pick a free port").
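A pre-flight wrapper for the self-hosted case, checking the bind address, port and data directory from the environment-variable table before the console starts. This is an added example, not part of vulkro-sf: PROXY_FRONTED and the script name serve-preflight.sh are hypothetical, and the wrapper accepts IPv4 bind addresses only.

```shell
#!/bin/sh
# Added example, not vulkro-sf code. PROXY_FRONTED is this wrapper's own
# (hypothetical) variable; vulkro-sf does not read it.

# Classify an IPv4 bind address as loopback, exposed or invalid.
# IPv4 only: hostnames and IPv6 literals are rejected as invalid.
classify_bind() {
    case "$1" in
        ''|*[!0-9.]*|*.) echo invalid; return ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets on "."
    IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo invalid; return; }
    for octet in "$@"; do
        case "$octet" in ''|????*) echo invalid; return ;; esac
        [ "$octet" -le 255 ] || { echo invalid; return; }
    done
    if [ "$1" -eq 127 ]; then echo loopback; else echo exposed; fi
}

# Validate the serve environment. Returns 2 with a reason on stderr,
# matching the exit code the page documents for configuration errors.
preflight() {
    bind=${VULKRO_SF_BIND:-127.0.0.1}
    port=${VULKRO_SF_PORT:-0}      # 0 stands for "let the OS pick"
    data_dir=${VULKRO_SF_DATA_DIR:-$HOME/.vulkro-sf/data}
    case "$(classify_bind "$bind")" in
        invalid) echo "bad bind address: $bind" >&2; return 2 ;;
        exposed) # no built-in auth: demand an explicit proxy acknowledgement
            [ "${PROXY_FRONTED:-0}" = 1 ] || {
                echo "refusing bind $bind without PROXY_FRONTED=1" >&2
                return 2; } ;;
    esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    # Assumption: the directory must already exist (e.g. a mounted volume).
    [ -d "$data_dir" ] && [ -w "$data_dir" ] || {
        echo "data dir not writable: $data_dir" >&2; return 2; }
}

# Start the console only when called as: sh serve-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight || exit 2
    exec vulkro-sf serve --no-browser
fi
```

The wrapper does not check whether the port is already in use; vulkro-sf reports that itself with exit code 2.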
Where to go next
- vulkro-sf scan - run a security scan from the CLI; results show up in the Code and Security tabs.
- vulkro-sf antipatterns - run the Well-Architected anti-pattern catalog from the CLI; results show up in the Quality tab.
- Self-hosting - the full setup for putting the console behind a reverse proxy with authentication and TLS.