Skip to main content

Supported languages and frameworks

Vulkro does full source analysis on the languages below: it extracts endpoints, builds the route table, reads the access-control model, maps findings to OWASP API Top 10 categories, applies framework-aware taint tracking, and matches dependencies against a local CVE bundle. Everything runs offline.

Tiers

Language depth is split across the Free and Pro tiers. Because your first vulkro login starts a 14-day trial of the full product, every language below is available during the trial. See Accounts.

TierLanguages with full source analysis
FreePython, JavaScript, TypeScript, Go
Proadds Java / Spring, Ruby, Kotlin, C#, PHP
SalesforceApex, Lightning Web Components, Aura, Flow, Visualforce, metadata - the separate Vulkro for Salesforce product (vulkro-sf)

Java and Spring have first-class support: endpoint extraction, access-control extraction from annotations and the security filter chain, 30 dedicated Java detectors, cross-method taint, and Maven dependency-CVE matching. See the Java and Spring page.

Capability matrix

LanguageEndpoint discoveryAccess modelInterprocedural taintDedicated detectorsSCA ecosystem
PythonYesYesYesYesPyPI
JavaScript / TypeScriptYesYesYesYesnpm
GoYesYesYesYesGo modules
Java / SpringYesYesYes (same-file)Yes (30)Maven

Interprocedural taint for Python, JavaScript, TypeScript, and Go follows the project call graph, including across files (bounded depth). Java taint follows same-file call chains; it does not yet cross file boundaries. See Taint analysis.

For any stack not listed above, Vulkro still runs the language-agnostic passes (secrets, infrastructure-as-code, container scanning, and dependency-CVE matching wherever the manifest is one of the parsed ecosystems below), but framework-aware endpoint discovery and taint tracking depend on first-class support. If your stack is missing, email [email protected] with the framework name and a small example repo and we add coverage based on real demand.

Web frameworks

Python

FastAPI, Flask, Django, Django REST Framework (DRF), Django Ninja, Starlette, aiohttp, Tornado, Litestar.

JavaScript / TypeScript

Express, Fastify, NestJS, Next.js (App Router and Pages Router), Hono, Koa, Hapi, Elysia, AdonisJS, tRPC.

Go

net/http, Gin, Echo, Chi, gorilla/mux, Fiber.

Java / Spring

Spring MVC and Spring WebFlux (@GetMapping / @PostMapping / @PutMapping / @DeleteMapping / @PatchMapping / @RequestMapping, class-level base paths included) and JAX-RS (@Path with @GET / @POST / @PUT / @DELETE / @PATCH / @HEAD / @OPTIONS). See Java and Spring.

Salesforce

Salesforce (Apex, Lightning Web Components, Aura, Flow, Visualforce, and metadata) is covered by the separate Vulkro for Salesforce product (the vulkro-sf binary), not by this scanner. See the Vulkro for Salesforce docs.

Cross-cutting

  • GraphQL (Apollo, graphql-yoga, Strawberry, graphene)
  • gRPC
  • WebSocket (ws, Socket.IO, Starlette WebSockets)
  • React (client-side surface for XSS and DOM-sink analysis)
  • Angular (same)

Package ecosystems for dependency-CVE matching

EcosystemManifests parsedResolved version fromStatus
npmpackage.jsonpackage-lock.jsonParsed
PyPIrequirements*.txt, Pipfile, pyproject.tomlpoetry.lock, Pipfile.lockParsed
Go modulesgo.modgo.mod (MVS)Parsed
crates.ioCargo.tomlCargo.lock (manifest dir or workspace root)Parsed
Mavenpom.xml (<dependencies>)<version> / <properties> (no parent-POM / BOM)Parsed
Gradlebuild.gradle, build.gradle.kts-Not yet
RubyGemsGemfile, Gemfile.lock-Not yet
Packagistcomposer.json, composer.lock-Not yet
NuGet*.csproj, packages.config-Not yet

Maven (pom.xml) is parsed for CVE matching, so a Java / Spring project gets dependency coverage on top of its source analysis. Gradle dependency declarations are not yet parsed: a Gradle project is still detected as Java and scanned for code, but its build.gradle dependencies do not produce CVE findings. Cargo (Rust) and crates.io are dependency-CVE only - they broaden supply-chain coverage without adding Rust source analysis.

The live OSV lookup covers every Parsed ecosystem. Fully offline (VULKRO_OFFLINE=1) matching additionally needs that ecosystem's file in the local CVE bundle; the default bundle ships npm + PyPI, and a wider bundle can be built to include Go, Maven, and crates.io. Go, Cargo, and Maven findings are not in the reachability call-shape set, so they are emitted without a [reachable] / [unreachable] tag. Secrets, IaC, and container scanning run on every repo.

Linux distro packages (container scanning)

For vulkro container against Docker images: Alpine, Debian, Ubuntu, Rocky Linux. Distro coverage is opt-in because the per-distro CVE feed is large; enable it with the container ecosystem flag on vulkro update.

Infrastructure-as-code

Vulkro statically analyses these formats for misconfiguration:

  • Terraform (*.tf)
  • Kubernetes manifests (*.yaml)
  • Helm charts (values.yaml, templates)
  • Docker Compose (docker-compose.yml, compose.yaml)
  • Dockerfiles
  • nginx, Apache (nginx.conf, *.conf)

Secrets scanning (vulkro scan --scope src) and infrastructure misconfiguration checks work on any text-based file, regardless of language.

What "not yet supported" means in practice

If your stack uses a language or framework that is not on the lists above:

  • Endpoint discovery will not enumerate your routes automatically.
  • Taint analysis will fall back to generic sources / sinks and may miss framework-specific patterns.
  • Reachability gating will be less precise: findings tagged reachable are conservatively over-reported rather than missed.
  • Secrets, dependency-CVE, IaC, and container scans are unaffected and continue to work.

The honest read: Vulkro is most accurate on the stacks listed here. We add new frameworks every release based on what paying customers ship.