Vulkro vs Semgrep
Two things separate Vulkro from Semgrep CE, and they are the two things this page leads with:
- Your source code never leaves your machine. Vulkro is an offline single binary. No account, no telemetry, no cloud step, ever.
- It beats Semgrep CE on a published, reproducible benchmark. On our published corpus Vulkro found 2.9x more catalogued bugs than Semgrep CE (44 vs 15) at higher precision (0.81 vs 0.62), in the same total scan time. The harness, the corpus, and the scoring code are all public, so you can re-run it yourself.
Semgrep is the most widely deployed static analysis tool in its space. It's well-engineered, has thousands of community rules, and runs in pre-commit hooks across half the ecosystem. The honest framing is that the two tools target different points in the build / privacy / accuracy trade-space. This page makes the distinction concrete.
At a glance
| Vulkro | Semgrep CE | Semgrep AppSec Platform | |
|---|---|---|---|
| License | Closed-source detectors. Free tier, or Pro per-term, no auto-renewal | Open-source (LGPL 2.1) | SaaS, per-developer, auto-renews |
| Runs where | Your machine | Your machine | Your machine OR Semgrep cloud |
| Source code uploaded | Never | Not in CE | When using cloud features (configurable) |
| Cross-file analysis | Yes | No (single-file scope) | Yes (Pro engine) |
| Telemetry | None | Opt-out anonymous usage | Yes, in cloud tier |
| Rule authoring | YAML (regex or AST mode, P3.1) | YAML (code-like patterns) | Same as CE + cloud-managed packs |
| Custom-rule reuse | Semgrep YAML import shim (P3.2) | Native | Native |
| CVE / SCA matching | Local CVE bundle (OSV+NVD+KEV+EPSS) | Separate semgrep supply-chain tier | Cloud-side |
| OWASP API Top 10 coverage | All 10 + LLM 01/06 | Community rules; coverage varies | Same + curated packs |
Benchmark numbers
Measured on our published corpus, July 2026: 15 deliberately vulnerable public codebases with 90 catalogued bugs, of which 76 sit in the languages Vulkro analyzes deeply (JS/TS, Python, Go). Scored at Vulkro's default high-confidence setting. Same machine, same pinned commits, same scoring for every tool.
| Vulkro | Semgrep CE 1.136.0 | |
|---|---|---|
| Catalogued bugs found (of 76) | 44 | 15 |
| Precision (how few false alarms) | 0.81 | 0.62 |
| Recall (how many real bugs found) | 0.58 | 0.20 |
| F1 score (overall accuracy) | 0.68 | 0.30 |
| Total scan time | 36.1s | 36.6s |
One honesty note: in July 2026 we grew our own ground truth from 69 to 90 catalogued bugs and published the recall drop that came with it. The corpus is versioned and the numbers regenerate from one command.
Reproducible via bench/comparison/run.sh --tier1 --tools vulkro,semgrep from a checked-out Vulkro release tag. The harness
(bench/comparison/) and the ground-truth corpus
(bench/comparison/groundtruth/) are public, so the numbers above
are not vendor claims: clone the corpus, run the same commands, and
get the same figures.
The locked numbers matching each release are appended to CHANGELOG.public.md, anchored to a
git describetag so the claims stay reproducible.
The architectural distinction
The split between Vulkro and Semgrep CE is where the analysis runs and what data leaves the machine:
- Vulkro: detection engine + CVE bundle live on the same
machine that holds the source.
VULKRO_OFFLINE=1enforces this at the process boundary. The only network call isvulkro update(signed bundle fetch fromdist.vulkro.com), opt-out. - Semgrep CE: same posture in default mode. Source stays local. The CE binary doesn't phone home for findings, only for opt-out anonymous usage telemetry.
- Semgrep AppSec Platform: source can be uploaded to Semgrep's cloud for the cross-file Pro engine to run, the AI Assistant to triage, or the Supply Chain database to match against. Read Semgrep's terms before pointing the Pro engine at a repo with customer data.
The split between Vulkro and Semgrep AppSec Platform is
closed-source detectors with a public benchmark vs
SaaS-managed detectors with vendor-published claims. Vulkro
ships the benchmark harness (bench/comparison/) and the
ground-truth corpus (bench/comparison/groundtruth/); anyone can
reproduce the precision / recall numbers. Semgrep's curated
detection rules are managed in the cloud and not externally
verifiable to the same degree.
Where Semgrep wins
Concessions first, because they are real:
- The rule ecosystem is much bigger. Thousands of community and registry rules against Vulkro's built-in detector set plus a strict YAML import shim. If your detection profile is dominated by language-specific conventions (Python null-check patterns, JS async-handler idioms), Semgrep's community packs have coverage Vulkro does not.
- Custom rule authoring is its core strength. Semgrep's code-like pattern syntax is the best rule-writing experience in the category. Vulkro's custom rules are narrower (regex or AST mode).
- More languages. Semgrep parses far more languages than Vulkro's deep-analysis set (JS/TS, Python, Go).
- It already runs everywhere. If your team has invested in Semgrep CI wiring and authored rules, that investment is a real switching cost.
When to pick Vulkro
- Your data-handling policy or contract forbids source upload to any third party, including for "evaluation" or "optional cloud features" tiers.
- You want CVE / SCA coverage in the same scan as SAST (one binary, one report, one CI step).
- You need cross-file taint flow as a default (no separate Pro engine to enable).
- You want the OWASP API Top 10 + LLM Top 10 (LLM01 / LLM06) out of the box.
- You want a per-term license with no auto-renewal (Vulkro Pro is $39/month or $349/year; the term expires and the CLI keeps working, only the new detector packs stop while the free CVE bundle keeps updating).
Migration: bring your Semgrep rules to Vulkro
vulkro rules import-semgrep ./semgrep-rules.yaml translates a
strict subset of Semgrep YAML into Vulkro's CustomRule format.
Field-level translation:
id,message,languages,fix→ directseverity: INFO → low, WARNING → medium, ERROR → highmetadata.cwe→ vulkrocwepattern: best-effort regex translation ($IDENT→.+?,...→.*)
Compound shapes (pattern-either, pattern-not, patterns:
AND-composition) are skipped with a per-rule stderr warning
naming the unsupported feature. See P3.2 in the
CHANGELOG
for the full grammar.
Try both side by side
# In your project root:
vulkro scan . --format sarif > vulkro.sarif
semgrep --config p/owasp-top-ten --sarif --output semgrep.sarif
# Diff in your favourite SARIF viewer.
Both tools emit SARIF; GitHub Code Scanning ingests either format. The split-and-compare workflow is the fastest way to see whether Vulkro's defaults match your codebase before you commit to a license.
See also: Vulkro vs Bearer, Vulkro vs Snyk, Safety, CVE bundle changelog.