Your HIPAA, fintech, or legal code never leaves your machine.
Teams in regulated industries now merge AI-written code into the systems a regulator, an auditor, or a customer security review will examine, and none of them care who or what wrote the line. What they ask for is evidence that the code handling regulated data was reviewed for security before release. Vulkro produces that evidence on your machine, without your codebase or your findings ever leaving it.
Healthcare, financial services, legal-tech, and any team handling regulated data has a structural problem with cloud-first SAST. Uploading source code (which by definition references your data models, your access-control logic, and your customer-specific business rules) to a vendor cloud is a data-handling event that your security team, your auditors, and your customers' DPAs will all flag.
The current options are usually:
- Pay enterprise prices for SaaS scanners with a "broker proxy" that mitigates some of the upload while keeping the SaaS control plane.
- Self-host SonarQube, Semgrep Cloud, or CodeQL with all the operational cost (infrastructure, upgrades, on-call).
- Skip SAST and hope the next pen test catches it.
Vulkro is the fourth option: a single static binary that runs on your laptop or your CI runner, never phones home, and produces the compliance evidence your auditor wants to see.
What "offline" means here
| Property | Vulkro | Typical cloud SAST |
|---|---|---|
| Source code uploaded | Never | Yes (some offer encrypted retention) |
| Telemetry | Six usage fields, never code or findings | Mandatory, account-scoped |
| Account required | Yes, but it never sees your code | Yes |
| LLM in the scanner | None | Increasingly common |
| Network at scan time | Not required (scan is local; air-gap supported via license file) | Required |
VULKRO_OFFLINE=1 enforces zero net | Yes | n/a |
| Air-gapped CVE bundle delivery | Available | Limited |
| Vendor SOC 2 + DPA needed | No (source code never shared) | Yes |
The detection engine and the CVE bundle live in the binary. No proxy, no broker, no encrypted tunnel to "scan in the cloud securely." There is nothing in the cloud to scan against.
Compliance mapping and signed evidence packs
Two levels here, both useful at audit time. The 14-day trial and the issued license cover both.
vulkro compliance --profile <name> maps your scan
findings to the controls of a published framework. Supported
profiles (run vulkro compliance --help for the live list):
soc2,iso27001,hipaa(Annex A / Security Rule / Trust Service Criteria)pci(PCI DSS Requirements 6 and 11)nist-ssdf,nist-800-53,staterampgdpr(Article 30 Record-of-Processing alignment)owasp-asvs,cis,cwe-top25
The output is a control-by-control breakdown showing which findings touch which control. Useful pre-audit to know where the gaps are.
vulkro compliance-pack --framework <name> renders a
signed evidence pack for SOC 2, ISO 27001, or HIPAA. The pack
is the artefact you hand to an auditor: control-by-control,
with findings cross-referenced, signed so the auditor can
verify the report was generated against a specific commit.
Separate: GDPR Record of Processing. vulkro scan --format ropa-html (and --format ropa-md) renders an Article 30 RoPA
template populated from the scan's data-flow lineage. Sits
alongside the compliance mapping rather than under it.
Air-gapped deployments
For classified, defense, or fully air-gapped environments:
- The binary is reproducible-builds-friendly (signed releases, hash-pinnable).
VULKRO_OFFLINE=1refuses any network operation, including CVE bundle update checks.- CVE bundles ship as signed
.vkbundlefiles you can sneakernet in on a fresh schedule. - The Web UI desktop console runs entirely on
localhost; no outbound connection.
See the air-gap docs for the full deployment recipe.
Industries we hear from
Healthcare and HIPAA covered entities. EHR vendors, telehealth platforms, billing software, HIPAA-business-associate SaaS. The audit conversation is always "where does the PHI flow." Vulkro's PII and PHI detection plus the data-flow lineage feature gives you that map without uploading the code to a vendor cloud.
Fintech and PCI DSS merchants. Cardholder data flow scoping, crypto weakness audit, hardcoded secret detection, callout-credential review. The PCI DSS 4.0 mapping ships in the scanner.
Legal-tech and attorney-client confidentiality. Doc-review platforms, matter management, e-discovery, litigation analytics. The same property that helps healthcare (no upload) is even more pointed here, where attorney-client privilege is at stake.
Defense and classified environments. Single binary, reproducible, air-gappable (a license file replaces the online account check, and nothing about your code ever leaves the machine). See the air-gap docs.
Salesforce in regulated industries. Healthcare on Health Cloud,
fintech on Financial Services Cloud, patient-segment campaigns in
Marketing Cloud, regulated data bridged into Postgres via Heroku
Connect, and Wave dashboards exposing PII via CRM Analytics are all
covered by the separate Vulkro for Salesforce product (the
vulkro-sf binary), not the general vulkro scanner. See the
Vulkro for Salesforce docs.
Honest scope
Vulkro is a static analyzer, not a certification and not an auditor. The compliance output maps code-level findings to published control frameworks; it does not attest organizational, physical, or process controls, and a clean scan does not make you compliant on its own. It is also not a pentest or a WAF: it reads code, it does not probe or protect running systems.
Licensing
The scanner requires an account, and a 14-day trial of the full product (including the compliance packs: HIPAA, PCI DSS, SOC 2, ISO 27001, NIST 800-53, GDPR RoPA) starts on your first login. Vulkro is licensed per seat, directly through our team, including multi-machine and air-gapped deployments: [email protected].
Read the manifesto for the "we never see your code" decision. See the benchmark for reproducible detection numbers.