
Why this exists

Vulkro exists because every other code-security scanner wants your code on their server. The cloud scanners upload it. The paid tiers of open-source scanners pull it through their cloud. The big enterprise vendors sell you a private instance and then ship telemetry by default with a checkbox buried two settings menus deep.

Your code is full of half-finished ideas, embarrassing comments, customer names in test fixtures, and secrets nobody has rotated yet. None of that needs to live on someone else's hard drive. Not for a free tier, not for a $40-per-seat-per-month tier, not for the privilege of seeing 22% of the bugs.

So Vulkro is a command-line tool. It reads your code on your machine. It never calls home. The Free tier covers what a single developer on one project needs to ship safely: the OWASP API top 10, vulnerable dependencies, leaked secrets, broken auth, injection, the MCP and editor extension audits, and CI-friendly output for GitHub Code Scanning. Pro adds what teams and regulated industries pay for: audit-ready compliance reports, a portfolio view across many projects, more languages, deeper detection, and live API probing, at $19 for a month or $149 for a year, each a one-time payment with no auto-renewal. Both tiers get the same vulnerability database updates on the same schedule. The benchmark is public, the methodology is documented, and you can run the full Pro product for 14 days before paying.

Why offline is the only acceptable default.

Three things happen when a security scanner takes your code into their cloud. First, you are trusting their network security, their employee access controls, and their incident response. Second, you are producing analysis reports that live on their disks indefinitely, which becomes a problem if your customers sue you and that data ends up in discovery. Third, you are feeding their training data, whether or not they are running an AI model today.

None of these are theoretical. The 2021 Codecov breach pulled CI secrets out of thousands of repositories: a tampered copy of the vendor's uploader script, fetched by default in customers' pipelines, exported build environment variables, credentials included, to an attacker-controlled server. The 2024 Snowflake incidents showed what concentration costs: stolen customer credentials on accounts without MFA exposed data from well over a hundred organisations through a single vendor's front door. Cloud security tools concentrate risk. They do not reduce it.

The argument for a cloud scanner is convenience. "We do the heavy lifting for you." The honest version is that the vendor needs your code on their servers to bill you for compute and to train next year's product. If the heavy lifting actually had to happen on a remote server, none of the offline scanners (Bearer, Semgrep CE, Brakeman, Bandit) would work.

Vulkro runs on a laptop. The 13-repo benchmark finishes in 104 seconds on a normal developer machine. There is no heavy lifting that requires a data centre.

What we don't collect, and how to verify it.

Vulkro collects nothing. No anonymised usage stats, no error reports, no installation pings, no "anonymous opt-in" anything. The only network call the binary ever makes is to check for a newer release once per machine per day, and that check is documented, can be switched off with VULKRO_NO_UPDATE_CHECK=1, soft-fails after a 2-second timeout, and reads exactly one URL: the GitHub Releases atom feed for vulkro.

You don't have to trust this. The binary is statically linked: what you trace is the whole program, with no shared libraries or plugins loaded at runtime. Run it under strace, dtrace, or your favourite sandbox. The only DNS lookup is for the GitHub host that serves that feed, and only when the update-check cache is older than 24 hours.

VULKRO_OFFLINE=1 removes even that call. With the variable set, vulkro refuses every outbound network operation and returns an error rather than silently falling back to anything.

$ VULKRO_OFFLINE=1 vulkro scan .
[ok] offline mode enforced
[ok] CVE bundle: ~/.vulkro/cve-bundle/ (signed, verified)
[ok] no outbound network calls permitted
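A concrete way to run the check described above, as an added example that is not Vulkro's own tooling: run the binary under strace (following child processes, network syscalls only) and list every call that targets an IP-family socket, so a genuinely offline run yields an empty list. The sample trace embedded below is constructed, not a real capture; the wrapper's exit codes, function names and log-format handling are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Vulkro's code): check the "no network calls" claim from
# the outside. strace -f -e trace=network records only socket-related
# syscalls from the process and its children; we then keep the calls that
# name an AF_INET/AF_INET6 address. Handles both strace -o lines
# ("PID syscall(...)") and the "[pid NNN] syscall(...)" form printed without -o.

# Print every connect/sendto/sendmsg/sendmmsg line that targets an IP socket.
# Unix-domain sockets (nscd, syslog) are deliberately ignored: they never
# leave the machine.
net_calls_in_trace() {   # $1 = strace log file
    grep -E '^(\[pid +[0-9]+\] +|[0-9]+ +)?(connect|sendto|sendmsg|sendmmsg)\(' "$1" \
        | grep 'AF_INET'
}

# Count those calls; always prints a number and returns 0 so it is safe
# inside $(...) under set -e.
net_call_count() {   # $1 = strace log file
    net_calls_in_trace "$1" | grep -c . || true
}

# Run a command under strace and judge it. Exit 0 = no IP traffic,
# 1 = it talked (offending lines go to stderr), 2 = strace not installed.
assert_silent() {   # $1 = log path to write, remaining args = command to run
    trace_log=$1; shift
    command -v strace >/dev/null 2>&1 || { echo "strace not installed" >&2; return 2; }
    strace -f -o "$trace_log" -e trace=network "$@" >/dev/null 2>&1
    if [ "$(net_call_count "$trace_log")" -ne 0 ]; then
        echo "network calls observed:" >&2
        net_calls_in_trace "$trace_log" >&2
        return 1
    fi
    return 0
}

# Constructed sample log (not a real capture) so the parser can be exercised
# on a machine without strace: an nscd lookup over AF_UNIX (ignored), one DNS
# query, one TCP connect over IPv4 and one over IPv6. Addresses are from the
# documentation ranges.
write_sample_trace() {   # $1 = path to write
    cat > "$1" <<'EOF'
1001 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
1001 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
1001 socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
1001 sendto(3, "\24\315\1\0\0\1\0\0\0\0\0\0\7updates\7example\0\0\1\0\1", 35, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 35
1001 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
1001 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
[pid  1002] connect(5, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::7", &sin6_addr), sin6_scope_id=0}, 28) = 0
1001 +++ exited with 0 +++
EOF
}

# Typical use against the real binary (needs strace):
#   assert_silent /tmp/vulkro-offline.trace env VULKRO_OFFLINE=1 vulkro scan .
# Run with --demo to see the parser pick three IP-family calls out of the
# constructed sample and skip the AF_UNIX one.
if [ "${1:-}" = "--demo" ]; then
    demo_log=$(mktemp)
    write_sample_trace "$demo_log"
    echo "IP-family calls in sample: $(net_call_count "$demo_log")"
    net_calls_in_trace "$demo_log"
    rm -f "$demo_log"
fi
```

With VULKRO_OFFLINE=1 the expected count is zero. Without it, and with a cold update-check cache, the list should contain exactly the documented check, a DNS query followed by one TLS connect to GitHub, and nothing else. dtrace on macOS, or a network namespace (unshare -rn) on Linux, gives the same answer by a different route: in every case you are reading syscalls, not the vendor's word.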

Built and supported by humans.

The codebase is roughly 60,000 lines of Rust built on tree-sitter. The CVE bundler is a separate Python pipeline. The detectors, the signing infrastructure, the docs, and the website are all maintained by the Vulkro team.

What that means in practice: when you email [email protected], a human reads it. Reply time is usually a day, sometimes faster. There is no Tier 1 routing through a partner support contractor. There is no chatbot. If an answer needs a deeper look, we will tell you, not stall you.

What we commit to.

  • The benchmark stays public. Methodology, labelled examples, scoring code. Re-run any time. If our catch rate or false-positive rate gets worse between releases, file an issue and we will fix it or document why. The detectors themselves are closed (that is the product); the proof that they work is not.
  • Breaking changes get a deprecation window. A CLI flag, a config key, or a JSON field doesn't disappear without at least one release of deprecation warnings first.
  • No telemetry, ever. This is the one commitment we will not negotiate. There is no "anonymous opt-in" path on the roadmap.
  • No surprise charges. No auto-renewal, no auto-upgrade, no upsell modal. When your Pro license lapses the CLI prints a one-line note and drops to the Free tier; everything in Free keeps working. Pro features prompt for renewal, nothing hard-blocks. Buy a fresh one-time Pro license if and when you want it back.

And where we're going.

There is an enterprise path on the roadmap, with private rule packs, air-gapped license servers, on-premise CVE mirroring, and SSO. It is still a plan. The shape will be "a heavier license you renew yourself", not "a SaaS console", because nothing about the core product changes when a larger team buys it. If your team needs any of that today, email [email protected] and we'll figure out what works in the meantime. No upsell, no spam, just an honest conversation.

How to reach us.

Newsletter, for the weekly CVE + release digest: vulkro.substack.com
Substack Chat, for in-between threads and live questions: vulkro.substack.com/chat
Reddit, for public Q&A and scan-result discussion: reddit.com/r/vulkro
Bug reports, install help, "I think this finding is wrong": [email protected]
Sales, custom quotes, air-gapped deployments: [email protected]
License transfers, invoices, refund questions: [email protected]

No web form. No AI. No chatbot. Email and the chat threads are the API.

Data residency

Vulkro runs on your laptop, in your CI, or on an air-gapped server. No source upload, no telemetry, no cloud LLM. Vulnerability intelligence arrives as signed offline bundles you can deliver by USB, mirror, or internal package feed.

0 outbound calls: no telemetry, no LLM API, no phone-home.

100% on your hardware: laptop, build host, or air-gapped server.

ed25519 signed updates: CVE feeds and rule packs arrive as cryptographically signed bundles.

Built for regulated industries

Finance, healthcare, defence, government. Anywhere "code uploaded to a third-party SaaS" is a non-starter.

Tamper-evident updates

Every CVE bundle and rule pack is cryptographically signed. Tampered files are rejected at load time.

Deterministic and reproducible

Run the same scan twice, get the same findings. Your backlog does not shift overnight. Auditors love this.

How offline mode works →

Read this far? Try it.

14 days of full Pro on your laptop, then it drops to Free and keeps running. Install in 60 seconds, no card, no account.