Skip to main content

Vulkro vs Semgrep

Two things separate Vulkro from Semgrep CE, and they are the two things this page leads with:

  1. Your source code never leaves your machine. Vulkro is an offline single binary. No account, no telemetry, no cloud step, ever.
  2. It beats Semgrep CE on a published, reproducible benchmark. On our published corpus Vulkro found 2.9x more catalogued bugs than Semgrep CE (44 vs 15) at higher precision (0.81 vs 0.62), in the same total scan time. The harness, the corpus, and the scoring code are all public, so you can re-run it yourself.

Semgrep is the most widely deployed static analysis tool in its space. It's well-engineered, has thousands of community rules, and runs in pre-commit hooks across half the ecosystem. The honest framing is that the two tools target different points in the build / privacy / accuracy trade-space. This page makes the distinction concrete.

At a glance

VulkroSemgrep CESemgrep AppSec Platform
LicenseClosed-source detectors. Free tier, or Pro per-term, no auto-renewalOpen-source (LGPL 2.1)SaaS, per-developer, auto-renews
Runs whereYour machineYour machineYour machine OR Semgrep cloud
Source code uploadedNeverNot in CEWhen using cloud features (configurable)
Cross-file analysisYesNo (single-file scope)Yes (Pro engine)
TelemetryNoneOpt-out anonymous usageYes, in cloud tier
Rule authoringYAML (regex or AST mode, P3.1)YAML (code-like patterns)Same as CE + cloud-managed packs
Custom-rule reuseSemgrep YAML import shim (P3.2)NativeNative
CVE / SCA matchingLocal CVE bundle (OSV+NVD+KEV+EPSS)Separate semgrep supply-chain tierCloud-side
OWASP API Top 10 coverageAll 10 + LLM 01/06Community rules; coverage variesSame + curated packs

Benchmark numbers

Measured on our published corpus, July 2026: 15 deliberately vulnerable public codebases with 90 catalogued bugs, of which 76 sit in the languages Vulkro analyzes deeply (JS/TS, Python, Go). Scored at Vulkro's default high-confidence setting. Same machine, same pinned commits, same scoring for every tool.

VulkroSemgrep CE 1.136.0
Catalogued bugs found (of 76)4415
Precision (how few false alarms)0.810.62
Recall (how many real bugs found)0.580.20
F1 score (overall accuracy)0.680.30
Total scan time36.1s36.6s

One honesty note: in July 2026 we grew our own ground truth from 69 to 90 catalogued bugs and published the recall drop that came with it. The corpus is versioned and the numbers regenerate from one command.

Reproducible via bench/comparison/run.sh --tier1 --tools vulkro,semgrep from a checked-out Vulkro release tag. The harness (bench/comparison/) and the ground-truth corpus (bench/comparison/groundtruth/) are public, so the numbers above are not vendor claims: clone the corpus, run the same commands, and get the same figures.

The locked numbers matching each release are appended to CHANGELOG.public.md, anchored to a git describe tag so the claims stay reproducible.

The architectural distinction

The split between Vulkro and Semgrep CE is where the analysis runs and what data leaves the machine:

  • Vulkro: detection engine + CVE bundle live on the same machine that holds the source. VULKRO_OFFLINE=1 enforces this at the process boundary. The only network call is vulkro update (signed bundle fetch from dist.vulkro.com), opt-out.
  • Semgrep CE: same posture in default mode. Source stays local. The CE binary doesn't phone home for findings, only for opt-out anonymous usage telemetry.
  • Semgrep AppSec Platform: source can be uploaded to Semgrep's cloud for the cross-file Pro engine to run, the AI Assistant to triage, or the Supply Chain database to match against. Read Semgrep's terms before pointing the Pro engine at a repo with customer data.

The split between Vulkro and Semgrep AppSec Platform is closed-source detectors with a public benchmark vs SaaS-managed detectors with vendor-published claims. Vulkro ships the benchmark harness (bench/comparison/) and the ground-truth corpus (bench/comparison/groundtruth/); anyone can reproduce the precision / recall numbers. Semgrep's curated detection rules are managed in the cloud and not externally verifiable to the same degree.

Where Semgrep wins

Concessions first, because they are real:

  • The rule ecosystem is much bigger. Thousands of community and registry rules against Vulkro's built-in detector set plus a strict YAML import shim. If your detection profile is dominated by language-specific conventions (Python null-check patterns, JS async-handler idioms), Semgrep's community packs have coverage Vulkro does not.
  • Custom rule authoring is its core strength. Semgrep's code-like pattern syntax is the best rule-writing experience in the category. Vulkro's custom rules are narrower (regex or AST mode).
  • More languages. Semgrep parses far more languages than Vulkro's deep-analysis set (JS/TS, Python, Go).
  • It already runs everywhere. If your team has invested in Semgrep CI wiring and authored rules, that investment is a real switching cost.

When to pick Vulkro

  • Your data-handling policy or contract forbids source upload to any third party, including for "evaluation" or "optional cloud features" tiers.
  • You want CVE / SCA coverage in the same scan as SAST (one binary, one report, one CI step).
  • You need cross-file taint flow as a default (no separate Pro engine to enable).
  • You want the OWASP API Top 10 + LLM Top 10 (LLM01 / LLM06) out of the box.
  • You want a per-term license with no auto-renewal (Vulkro Pro is $39/month or $349/year; the term expires and the CLI keeps working, only the new detector packs stop while the free CVE bundle keeps updating).

Migration: bring your Semgrep rules to Vulkro

vulkro rules import-semgrep ./semgrep-rules.yaml translates a strict subset of Semgrep YAML into Vulkro's CustomRule format. Field-level translation:

  • id, message, languages, fix → direct
  • severity: INFO → low, WARNING → medium, ERROR → high
  • metadata.cwe → vulkro cwe
  • pattern: best-effort regex translation ($IDENT.+?, ....*)

Compound shapes (pattern-either, pattern-not, patterns: AND-composition) are skipped with a per-rule stderr warning naming the unsupported feature. See P3.2 in the CHANGELOG for the full grammar.

Try both side by side

# In your project root:
vulkro scan . --format sarif > vulkro.sarif
semgrep --config p/owasp-top-ten --sarif --output semgrep.sarif

# Diff in your favourite SARIF viewer.

Both tools emit SARIF; GitHub Code Scanning ingests either format. The split-and-compare workflow is the fastest way to see whether Vulkro's defaults match your codebase before you commit to a license.


See also: Vulkro vs Bearer, Vulkro vs Snyk, Safety, CVE bundle changelog.