Get Vulkro for Salesforce

One binary. Your org, your machine. Talk to us.

Vulkro for Salesforce ships on the shared Vulkro engine as the vulkro-sf binary. Install it in one line, connect your org through your own sf CLI, and scan code plus org posture entirely offline. Tell us how you work and we will get you set up: pick the motion that fits below, or read the methodology first.

Install in one line

The installer downloads the vulkro-sf binary for your platform, verifies its checksum, and puts it on your PATH. The org connector shells out to your own Salesforce CLI, so authenticate that separately.

  • curl -fsSL https://dist.vulkro.com/install-sf.sh | bash
  • npm install -g @salesforce/cli (or brew install salesforce-cli)
  • sf org login web then vulkro-sf serve

ISV submission

Get an AppExchange package through Security Review on the first attempt.

  • Full Apex / LWC / Aura / Visualforce / Flow / metadata scan on your packaged source
  • AppExchange Security Review readiness HTML report, aligned to the published reviewer checklist
  • Reviewer-friendly coverage map: section by section, what Vulkro found and what it cleared
  • Connected App OAuth posture detectors (Drift / Gainsight token-sprawl class)
  • Agentforce ForcedLeak detector (the CVSS 9.4 class-bypass that hit Salesforce in 2025)
  • Source never leaves your machine: offline binary, no telemetry, no upload
Most asked for

Salesforce consultancy

Audit client orgs from your own laptop, one report per engagement.

  • Scan as many client orgs as your engagements need
  • Org connector reuses your existing sf CLI logins; OAuth tokens never leave the official CLI store
  • Client code never leaves the consultant's machine: offline-first, no telemetry, no upload
  • Per-engagement HTML report you can hand to the client
  • Five-pillar coverage: code, org posture, identity, third-party Connected Apps, Agentforce
  • Salesforce Well-Architected anti-pattern detection (AP-001 through AP-014)
  • Support direct from the Vulkro team

In-house team

Continuous security review for your own Salesforce org and codebase.

  • Full Vulkro for Salesforce coverage matrix: code + posture + identity + third-party + Agentforce
  • Set up for your whole Salesforce team
  • AppExchange Security Review readiness report (useful for internal audit even off-AppExchange)
  • Org connector with sf CLI handoff
  • CI-friendly: SARIF output and a baseline-diff gate for PRs
  • Direct line to the Vulkro team

Questions, answered

Do my Apex / LWC sources leave my machine?

No. Vulkro for Salesforce is a local binary. Source never leaves your machine; the org connector reuses your existing sf CLI login so the OAuth token stays in the official CLI credential store, not in Vulkro. See the methodology for the full data-handling statement.

What is the AppExchange Security Review readiness report?

An HTML report (vulkro-sf appexchange-report) that groups every Vulkro finding by the published AppExchange Security Review checklist sections. You hand it to your reviewer; they see, section by section, what Vulkro caught and what it cleared. Documented at /sf/docs/appexchange-readiness.

How does Vulkro for Salesforce compare to CodeScan, Clayton, AppOmni, Obsidian?

Code-only SAST tools (PMD / sfdx-scanner, Clayton, CodeScan) do not cover org posture, identity, Connected Apps, or Agentforce. SSPM tools (AppOmni, Obsidian) do not read your code. Vulkro for Salesforce does both, in one offline binary. Full per-tool breakdown on /sf/compare.

Let's talk about your Salesforce scope.

Tell us whether you are an ISV (AppExchange submission), a consultancy (multi-org audit), or an in-house team, plus your target start date. We reply within one business day.