
Install Vulkro for Salesforce

Vulkro for Salesforce ships as a single binary named vulkro-sf. It is a sibling of the general vulkro scanner on the shared engine: same release feed, same SHA-256 verification, same install target selection. The two binaries are independent, so install both side-by-side if you audit Salesforce and non-Salesforce code from the same machine.

One-line install (macOS, Linux, Windows)

curl -fsSL https://dist.vulkro.com/install-sf.sh | bash

The installer:

  1. Detects your OS and architecture.
  2. Fetches the matching vulkro-sf binary from the Vulkro release feed.
  3. Verifies the SHA-256 checksum against the published .sha256 file.
  4. Installs to /usr/local/bin/vulkro-sf, falling back to ~/.local/bin if /usr/local/bin is not writable.

Confirm the install:

vulkro-sf --version
vulkro-sf --help

Configurable installer

The installer accepts flags and environment overrides:

# Pin a specific tag.
curl -fsSL https://dist.vulkro.com/install-sf.sh | bash -s -- --version v0.1.0

# Change the install destination.
curl -fsSL https://dist.vulkro.com/install-sf.sh | bash -s -- --bin-dir ~/.local/bin

# Use an alternate CDN (air-gapped mirror, etc.).
VULKRO_CDN=https://mirror.example.com curl -fsSL https://mirror.example.com/install-sf.sh | bash

Environment overrides: VULKRO_SF_VERSION, VULKRO_SF_BIN_DIR, VULKRO_CDN. The script falls back to VULKRO_VERSION and VULKRO_BIN_DIR so settings shared with the general installer keep working.
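The following is an added example, not the Vulkro install script itself. It mirrors two things described above in plain POSIX sh: the verify-then-install step (checksum must match the published .sha256 before anything lands in the bin directory, with the /usr/local/bin to ~/.local/bin fallback) and the VULKRO_SF_* to VULKRO_* environment fallback. The one-line ".sha256" format (`<hex digest>  <filename>`) and the exact variable-resolution order are assumptions; the artifact in demo() is constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not the Vulkro installer: a minimal verify-then-install flow
# plus the product-specific-then-shared env fallback. The .sha256 line format
# ("<hex digest>  <filename>") is an assumption.
set -eu

# Portable SHA-256 digest: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE SHA256FILE: succeed only if FILE's digest equals the
# first field on the first line of SHA256FILE, and that field is non-empty
# (an empty or missing checksum file must never verify as "ok").
verify_checksum() {
  expected=$(awk 'NR==1 {print $1}' "$2")
  actual=$(sha256_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# pick_bin_dir [PREFERRED] [FALLBACK]: PREFERRED when it exists and is
# writable, else FALLBACK (defaults match the installer's documented targets).
pick_bin_dir() {
  preferred=${1:-/usr/local/bin}
  fallback=${2:-$HOME/.local/bin}
  if [ -d "$preferred" ] && [ -w "$preferred" ]; then
    echo "$preferred"
  else
    echo "$fallback"
  fi
}

# install_verified ARTIFACT SHA256FILE DEST_DIR NAME: refuse on a checksum
# mismatch; otherwise copy into DEST_DIR as an executable.
install_verified() {
  if ! verify_checksum "$1" "$2"; then
    echo "checksum mismatch for $1; refusing to install" >&2
    return 1
  fi
  mkdir -p "$3"
  cp "$1" "$3/$4"
  chmod 0755 "$3/$4"
}

# resolve_setting SF_VAR GENERAL_VAR DEFAULT: the Salesforce-specific variable
# wins, then the shared one, then DEFAULT (assumed order, per the text above).
resolve_setting() {
  sf_val=$(eval "printf '%s' \"\${$1:-}\"")
  gen_val=$(eval "printf '%s' \"\${$2:-}\"")
  if [ -n "$sf_val" ]; then echo "$sf_val"
  elif [ -n "$gen_val" ]; then echo "$gen_val"
  else echo "$3"
  fi
}

# demo: install a constructed artifact, then show that a tampered copy is
# rejected against the same .sha256 file.
demo() {
  work=$(mktemp -d)
  printf '#!/bin/sh\necho fake-vulkro-sf 0.0.0\n' > "$work/vulkro-sf"   # constructed
  printf '%s  vulkro-sf\n' "$(sha256_of "$work/vulkro-sf")" > "$work/vulkro-sf.sha256"
  install_verified "$work/vulkro-sf" "$work/vulkro-sf.sha256" "$work/bin" vulkro-sf
  echo tampered >> "$work/vulkro-sf"
  if install_verified "$work/vulkro-sf" "$work/vulkro-sf.sha256" "$work/bin" vulkro-sf 2>/dev/null; then
    echo "tampered artifact was accepted" >&2; return 1
  fi
  rm -rf "$work"
}
```

The checksum step only defends against corruption or tampering of the binary relative to the published .sha256; if both are fetched from the same mirror, an attacker controlling that mirror can rewrite both, so for an air-gapped VULKRO_CDN mirror keep the .sha256 values you trust from the original release feed and compare against those.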

From source

If you are tracking detectors on the unreleased feature branch or running an air-gapped build, install from a repo checkout:

cargo install --path crates/vulkro-sf

This produces the same single-binary, no-runtime-dependency shape as the published release.

Optional: Salesforce CLI for the live-org connector

vulkro-sf scans local SFDX source without any Salesforce CLI installed. The optional vulkro-sf org subcommands (status, perms, packages) read live org metadata through your existing sf CLI login; those subcommands require the Salesforce CLI on PATH.

# macOS:
brew install salesforce-cli

# Linux / Windows / macOS:
npm install -g @salesforce/cli

Then authenticate the org once. The OAuth token is stored by the sf CLI in its credential store on your laptop, not in Vulkro.

sf org login web --alias my-prod

If sf is not installed when you invoke a vulkro-sf org command, the error message prints the exact brew install or npm install -g command to fix it.

Privacy: what the org connector reads

The live-org subcommands read metadata only. Everything below comes from the Salesforce Metadata API and the Tooling API. No SOQL or Bulk queries are issued against your business records.

What vulkro-sf org reads

  • Profiles and Permission Sets (including assignments).
  • SecuritySettings: session timeout, clickjack, CSRF, HTTPS, password policy, login IP ranges.
  • Sharing rules and Org-wide defaults.
  • Connected Apps and their OAuth scopes.
  • Named Credentials and External Credentials.
  • Flow definitions and process automation.
  • GenAiFunction declarations (Agentforce actions) and target Apex classes.
  • Installed packages (managed and unmanaged) with version and license.
  • Static Resources (for hardcoded API key scanning).

What vulkro-sf org does NOT read

  • No customer records.
  • No Accounts, Opportunities, Leads, Cases, Contacts, custom-object rows.
  • No file attachments, ContentVersions, ContentDocuments.
  • No SOQL SELECT against any sObject that contains business data.
  • No Bulk API queries.

Where the OAuth token lives

In the official sf CLI credential store on your laptop. The connector asks sf to perform the metadata fetch; sf returns the metadata response. Vulkro never sees the access token, never stores it, never transmits it. Revoke org access through Salesforce Setup the same way you would for the sf CLI itself.

Commands

Command                                              | What it does                                                        | Live org needed?
-----------------------------------------------------|---------------------------------------------------------------------|-----------------
vulkro-sf scan [PATH]                                | Run the engine detectors over an SFDX project or retrieved metadata | no
vulkro-sf scan --metadata-only [PATH]                | Skip project detection and the Apex requirement                     | no
vulkro-sf antipatterns [PATH]                        | Salesforce Well-Architected anti-patterns (AP-001 to AP-014)        | no
vulkro-sf appexchange-report [PATH] -o report.html   | AppExchange Security Review readiness HTML                          | no
vulkro-sf org status --target-org <alias>            | Verify connectivity and print org identity                          | yes
vulkro-sf org perms --target-org <alias>             | Permission-set / profile over-privilege + dormant admins            | yes
vulkro-sf org packages --target-org <alias>          | Installed package risk (beta / unmanaged)                           | yes

Exit codes follow the standard contract: 0 for success with no findings, 1 for findings reported, 2 for error.
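As an added example (not part of the vulkro-sf tooling), a small CI gate that turns the 0/1/2 contract into distinct pipeline outcomes, so that findings fail the job while a scanner error (2) is surfaced as a tooling problem rather than a finding to triage. It captures the exit code in a way that does not trip `set -e`; the label names are this example's own choice.

```shell
# Added example, not part of vulkro-sf: a CI gate over the documented
# exit-code contract (0 clean, 1 findings, 2 error).

# classify_exit CODE: map the contract to a short label.
classify_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo findings ;;
    2) echo error ;;
    *) echo "unexpected($1)" ;;
  esac
}

# gate CMD...: run the scanner, report the classification, and propagate the
# exit code. The if/else captures a non-zero status without "set -e" aborting
# the script before the classification is printed.
gate() {
  if "$@"; then rc=0; else rc=$?; fi
  label=$(classify_exit "$rc")
  case "$label" in
    clean)    echo "vulkro-sf: no findings" ;;
    findings) echo "vulkro-sf: findings reported, failing the job" >&2 ;;
    error)    echo "vulkro-sf: scanner error (exit 2); check the tool or its config, not the code under scan" >&2 ;;
    *)        echo "vulkro-sf: $label" >&2 ;;
  esac
  return "$rc"
}

# Usage in a pipeline step (requires vulkro-sf on PATH):
#   gate vulkro-sf scan ./force-app
```

Treating exit 2 separately matters in CI: a pipeline that only checks "non-zero" will report a broken scanner as if the code had findings, and a misconfigured scanner that exits 0 will look like a clean scan, so log the label, not just pass/fail.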

Where to go next