Skip to main content

Vulkro vs Bearer

Two things lead this comparison:

  1. Your source code never leaves your machine. Both tools take a "never upload source" stance, so this is a tie on intent, but Vulkro is a single offline binary with no account and no telemetry of any kind.
  2. Vulkro beats Bearer on a published, reproducible benchmark. On our published corpus Vulkro reported more catalogued bugs than Bearer 2.0.2 (44 vs 37) with 6.7x fewer false positives (10 vs 67), at roughly 7x Bearer's speed (36.1s vs 250.0s total). Harness, corpus, and scoring code all public.

Bearer is the SAST tool that made "data-flow first" a category. Instead of CVSS-ordered findings, Bearer scores by the sensitive data type a vulnerability touches: PII, PHI, payment data, and so on. That framing is genuinely useful, and a deliberate influence on how Vulkro thinks about privacy-class findings.

So when do you pick Vulkro over Bearer?

At a glance

VulkroBearer CLIBearer Pro
LicenseClosed-source detectors. Free tier, or Pro per-term, no auto-renewalElastic License 2.0 (free in-house)Commercial; ELv2 with hosted-service restriction
Runs whereYour machineYour machineYour machine / cloud
Source code uploadedNeverNeverNever (claims)
TelemetryNoneOpt-outOpt-out
LanguagesPython, JS/TS, GoGo, Java, JS, TS, PHP, Python, Ruby+ C#, Kotlin, Elixir, VB.Net
Cross-file taintYes (default)LimitedYes (Pro)
Privacy / PII detectionYes (security::pii, security::phi)Yes (120+ data types; flagship feature)Same + advanced GDPR reports
CVE / SCA matchingLocal bundle in same scanSeparate; needs SCA tierSame
API Top 10 + LLMOWASP API:2023 + LLM 01/06API security via rulesSame
Public benchmarkYes (reproducible)Internal claimsInternal claims

Benchmark numbers

Measured on our published corpus, July 2026: 15 deliberately vulnerable public codebases with 90 catalogued bugs, of which 76 sit in the languages Vulkro analyzes deeply (JS/TS, Python, Go). Scored at Vulkro's default high-confidence setting. Same machine, same pinned commits, same scoring for every tool.

VulkroBearer 2.0.2
Catalogued bugs found (of 76)4437
False positives1067
Precision (how few false alarms)0.810.36
Recall (how many real bugs found)0.580.49
F1 score (overall accuracy)0.680.41
Total scan time36.1s250.0s

Two honesty notes. First: the roll-up above excludes the corpus's 3 PHP and Java repos, because Vulkro does not analyze those languages; Bearer does, and it finds real bugs there that Vulkro cannot. Second: in July 2026 we grew our own ground truth from 69 to 90 catalogued bugs and published the recall drop that came with it. The corpus is versioned and the numbers regenerate from one command.

Reproduce them yourself with bench/comparison/run.sh --tier1 --tools vulkro,bearer. The harness and the ground-truth corpus are public, so these are reproducible figures, not vendor claims. The locked numbers matching each release also ship in the public changelog.

The architectural distinction

Both tools take a "never upload source" stance, so the split is narrower than vs Semgrep AppSec Platform or Snyk. The decision hinges on:

  • License model. Bearer CLI is Elastic License 2.0: free for in-house use; you can't offer Bearer as a hosted service to third parties. Bearer Pro adds an explicit commercial license for that case. Vulkro is closed-source detectors with a Free tier and a Pro tier: Free is permanent and needs no card; Pro is a $39 monthly or $349 annual pass that expires (instead of auto-billing) and then drops back to the Free tier.

  • Coverage shape. Bearer is data-type-first; the rule pack is organised around what the code TOUCHES (email, phone, health record). Vulkro is OWASP-API-first; the rule pack is organised around what the code EXPOSES (BOLA, BFLA, mass assignment, SSRF, etc.). Both surfaces matter; pick the one that matches your team's mental model.

  • Verification surface. Vulkro publishes the benchmark harness and the ground-truth corpus (bench/comparison/ groundtruth/). Bearer's precision numbers come from internal measurement that isn't externally reproducible.

Where Bearer wins

Concessions first, because they are real:

  • Privacy reporting is its flagship, and it is better at it. 120+ sensitive data types and data-protection reports built as the primary deliverable. If GDPR, CCPA, or HIPAA reports are what your auditor asks for, Bearer's privacy reporting is deeper than Vulkro's PII/PHI detectors.
  • More languages. Bearer analyzes PHP, Java, and Ruby (and Bearer Pro adds C#, Kotlin, Elixir, VB.Net). On the 3 PHP and Java repos in our own corpus, Bearer finds catalogued bugs that Vulkro does not scan at all.
  • ELv2 in-house use is free. If free-for-in-house licensing is the requirement and you accept the re-hosting restriction, Bearer CLI costs nothing.

When to pick Vulkro

  • Your audit posture is OWASP-API-first, with privacy as one of several axes (Vulkro emits PII/PHI findings, just not as the organising principle).
  • You want CVE / SCA in the same scan rather than a separate Bearer tier.
  • You're auditing a Salesforce codebase (Bearer doesn't cover Apex; the separate Vulkro for Salesforce product does).
  • You want a per-term license that doesn't auto-renew (and drops to a working Free tier on expiry, instead of going dark): the contrast with SaaS billing is a positioning advantage when your procurement team has been burned by renewal surprises.

What we kept from Bearer's playbook

Two ideas in Bearer are good enough to take inspiration from:

  1. Data-flow priority on PII findings. Vulkro's security::pii and security::phi detectors emit findings whose severity is shaped by the data type, mirroring Bearer's data-flow-first approach for that specific category.
  2. Per-finding confidence and remediation text. Bearer's compact remediation snippets influenced how Vulkro renders vulkro explain <ID> output.

The credit lines up; the moat is elsewhere (CVE bundle, OWASP API completeness, reproducible benchmark, no-auto-renewal license).

Try both side by side

# In your project root:
vulkro scan . --format sarif > vulkro.sarif
bearer scan . --output bearer.sarif --report security

# Diff in your favourite SARIF viewer.

Both tools emit SARIF; GitHub Code Scanning ingests either format.


See also: Vulkro vs Semgrep, Vulkro vs Snyk, Safety, CVE bundle changelog.