Vulkro vs CodeScan
AutoRABIT CodeScan is the most common commercial scanner for Salesforce code review. It ships a SaaS dashboard, integrates with the AutoRABIT DevOps suite, and bundles roughly 500 PMD-derived rules. For Salesforce teams already inside AutoRABIT's ecosystem it is the default upgrade from raw PMD.
Vulkro targets the same audience: Salesforce ISVs, consultancies, and in-house Salesforce platform teams that need deeper coverage than sfdx-scanner provides. The architectural distinction is sharp.
At a glance
| | Vulkro | CodeScan |
|---|---|---|
| License | Closed-source detectors. Free tier, or Pro per-term, no auto-renewal | SaaS, per-user-per-month, auto-renews |
| Runs where | Your laptop | SaaS (cloud-hosted analysis) |
| Client code uploaded | Never | Yes (snapshots to AutoRABIT cloud) |
| Pricing model | Per-engagement license (Consultancy Pack: $1,499 / 10 floating activations / 1 year) | Per-user / month, scales with headcount |
| Per-org incremental cost | $0 (unlimited Salesforce orgs per activation) | per-user |
| Air-gap support | Native (VULKRO_OFFLINE=1) | Not supported |
| Rule engine | Custom Apex / Flow / Metadata detectors built on tree-sitter | PMD + custom rules |
| CRUD/FLS taint | Inter-procedural, cross-class call graph | Pattern-based |
| IDOR / BOLA detection | Per-method analysis with ownership-check heuristic | No |
| Mass-assignment via JSON.deserialize | Yes | No |
| Flow XML deep analysis | Yes (runInMode, system DML, hardcoded IDs) | Limited |
| Named credential audit | Yes (hardcoded passwords, missing IP restrictions, cleartext endpoints) | No |
| Connected app OAuth scope audit | Yes | No |
| PII mapping for standard SObjects | Yes (Account, Contact, Lead, Opportunity, Case, User) | No |
| AppExchange Security Review report | Yes (10 sections, pinned to checklist version) | No |
| Multi-org engagement bundle | Yes (one zip with per-org HTML + NIST 800-53 + SOC 2 index) | Manual |
| Languages beyond Salesforce | Python, JS/TS, Go, Ruby, Java/Kotlin, C#, PHP, Apex | Apex / VF / LWC / Flow only |
| Public benchmark | Reproducible | Vendor-published claims only |
The architectural distinction
CodeScan is a SaaS product. The dashboard lives in AutoRABIT's cloud. To use it, you connect your repository, the platform pulls your code, runs analysis server-side, and stores findings in a shared account. Pricing scales per-user-per-month and auto-renews unless you cancel.
Vulkro is offline-first. The detector engine, the CVE bundle, and the Salesforce-specific rules all live in a single static binary that runs on the consultant's laptop. No upload, no account, no SaaS dashboard. The Consultancy Pack price is fixed per year per laptop, independent of how many client orgs that laptop scans.
The contrast matters in three buyer scenarios:
1. Consultancies with client confidentiality clauses
Every consulting engagement starts with an NDA. Most modern client NDAs ask whether your audit tools are "third-party data processors." With CodeScan, the answer is yes (their cloud analyzes the client code). With Vulkro, the answer is no (nothing leaves the consultant's laptop). Procurement teams are getting trained to flag SaaS code scanners; Vulkro removes the question entirely.
2. Salesforce ISVs prepping for AppExchange Security Review
The submission is commercially sensitive (your managed package is, by definition, an unreleased product). Sending the source code to a SaaS analyzer is a confidentiality decision worth pushing back on. Vulkro plus the sf-appexchange-report subcommand keeps the prep entirely on the developer's machine.
3. Teams burned by per-user SaaS billing
If you have 3 consultants and 10 client engagements per year, CodeScan at $25 / user / month is $900 a year. The Vulkro Consultancy Pack is $1,499 a year for 10 floating activations sharing one team_id, with no per-org and no per-client cost. That is competitive at 3 to 5 consultants, decisive above 5, and the savings compound the more client engagements you run per laptop.
Coverage depth
CodeScan inherits PMD's rule set plus a custom rule library on top. That gets you a wide net of style and pattern rules but limited interprocedural analysis. The places this shows up:
- CRUD/FLS posture per method. Consider a class where a private helper performs `Schema.SObjectType.Account.isUpdateable()` and a public `@AuraEnabled` method calls that helper before its DML: the CRUD check is enforced, just not in the same method as the DML. CodeScan's pattern rules cannot see the delegation across method boundaries and flag the public method. Vulkro builds the intra-class call graph and follows it, then extends across classes via the project-wide method table. Result: false positives drop, real gaps surface.
- `JSON.deserialize` mass-assignment. A pattern like `(Account) JSON.deserialize(payload, Account.class)` followed later by DML on the deserialized object only matters if the payload is request-derived. Vulkro tracks the source; CodeScan flags the deserialize regardless.
- Open redirect. A `PageReference` constructed from a request param. Vulkro distinguishes inline-tainted (High) from variable-mediated (Low, because sanitiser wrappers may exist).
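The three patterns above, written out as an added Apex illustration. This is not Vulkro's or CodeScan's code and does not show how either tool flags anything; the class name, method names and the `retURL` parameter name are made up for the example, and the "High"/"Low" labels in the comments refer to the page's own severity description.

```apex
// Added illustration (not Vulkro's or CodeScan's code): three Apex patterns
// that separate pattern matching from call-graph / taint analysis.
// Class, method and parameter names are hypothetical.
public with sharing class ScannerContrastExamples {

    // --- 1. CRUD check delegated to a private helper -----------------------
    // A rule that only looks for isUpdateable() inside the method that does
    // the DML reports renameAccount() as unchecked. Following the call edge
    // renameAccount() -> requireAccountUpdatable() shows the check is there.
    private static void requireAccountUpdatable() {
        if (!Schema.SObjectType.Account.isUpdateable()) {
            throw new AuraHandledException('No update access on Account');
        }
    }

    @AuraEnabled
    public static void renameAccount(Id accountId, String newName) {
        requireAccountUpdatable();                 // object-level CRUD check
        Account acc = [SELECT Id, Name FROM Account
                       WHERE Id = :accountId WITH SECURITY_ENFORCED]; // FLS on read
        acc.Name = newName;
        update acc;                                // DML only after the check
    }

    // --- 2. JSON.deserialize mass assignment --------------------------------
    // Vulnerable: payload arrives straight from the LWC caller, so every
    // writable Account field (OwnerId, approval flags, ...) is caller-controlled.
    @AuraEnabled
    public static void saveAccountUnsafe(String payload) {
        Account acc = (Account) JSON.deserialize(payload, Account.class);
        update acc;
    }

    // Hardened: load the record by Id, copy only allow-listed fields, and let
    // stripInaccessible drop anything the running user may not update.
    @AuraEnabled
    public static void saveAccountSafe(String payload) {
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(payload);
        Id recordId = Id.valueOf((String) body.get('Id'));
        Account acc = [SELECT Id FROM Account WHERE Id = :recordId WITH SECURITY_ENFORCED];
        acc.Name  = (String) body.get('Name');
        acc.Phone = (String) body.get('Phone');
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, new List<Account>{ acc });
        update decision.getRecords();
    }

    // --- 3. Open redirect from a request parameter --------------------------
    // Inline taint: the parameter flows directly into the PageReference (High).
    public PageReference redirectInline() {
        return new PageReference(ApexPages.currentPage().getParameters().get('retURL'));
    }

    // Variable-mediated: a wrapper sits between source and sink (Low until the
    // analyser can prove the wrapper is not a sanitiser). Here it is one.
    public PageReference redirectChecked() {
        String target = ApexPages.currentPage().getParameters().get('retURL');
        return new PageReference(safeLocalPath(target));
    }

    // Accept only same-origin relative paths. Absolute URLs, protocol-relative
    // '//evil.example' and the '/\' browser quirk all fall back to the home page.
    @TestVisible
    private static String safeLocalPath(String candidate) {
        if (String.isBlank(candidate)
                || !candidate.startsWith('/')
                || candidate.startsWith('//')
                || candidate.startsWith('/\\')) {
            return '/';
        }
        return candidate;
    }
}
```

The point of `saveAccountSafe` is not `stripInaccessible` alone: FLS stripping still lets a caller set any field they happen to have update rights on, so the explicit allow-list of copied fields is what actually closes the mass-assignment gap. Likewise `safeLocalPath` is deliberately a prefix check rather than a URL parse, because `PageReference` will happily accept `//host/path` as an external redirect.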
Pricing
| | Vulkro | CodeScan |
|---|---|---|
| Smallest paid tier | $19 / month Pro Monthly (single dev) | per-user contract |
| Mid tier | $79 / 5 seats Pro Team | per-user contract |
| Consultancy | $1,499 / year / 10 floating activations | per-user / month |
| Submission Pack (ISV) | $499 / 90 days | n/a |
| Enterprise | Contact | Contact |
| Auto-renewal | Never | Yes |
The Consultancy Pack ($1,499 / year for 10 floating Pro activations) and the AppExchange Submission Ready Pack ($499 / 90 days) are both sold by inquiry while we validate the audience. Email [email protected] to start a conversation.
Migration
There is no migration. Vulkro is a CLI you install on the consultant's laptop. Existing CodeScan dashboards, integrations, and licenses can keep running while you trial Vulkro on a single engagement. Compare findings side by side on the same client repo and pick the tool that fits.
What CodeScan does that Vulkro does not
Honest comparison. CodeScan has things Vulkro does not:
- AutoRABIT DevOps integration. If you are already on AutoRABIT's deployment pipeline, CodeScan slots in. Vulkro is pipeline-agnostic; you wire it up to whichever CI you use.
- Hosted dashboard for cross-team triage. Vulkro's Web UI is single-laptop. Multi-team triage on a shared dashboard is on CodeScan's side.
- Quality-gate ecosystem. SonarQube-style quality gates with long-running trend dashboards is CodeScan territory; Vulkro ships baseline + ratchet at the CLI level but is not a quality platform.
Pick CodeScan if those are your priorities. Pick Vulkro if the data-handling posture, per-engagement economics, or coverage depth matters more.
Talk to us
Email [email protected]