Dedicated /sf homepage, /sf/docs methodology, /sf/use-cases for ISVs and consultancies, /sf/compare against PMD, Clayton, CodeScan, AppOmni, Obsidian. Two-product navbar with an app switcher across pages.
Salesforce changelog
Same cadence, one release stream.
Vulkro for Salesforce ships on the same release cadence as the general Vulkro scanner. Both products share one engine; the vulkro-sf binary is a sibling crate that exposes the Salesforce-specific commands (scan, appexchange-report, antipatterns, org). The canonical release notes live on /changelog; the landmark moments for the SF product are highlighted below.
vulkro-sf appexchange-report groups every finding by the published AppExchange Security Review checklist sections. Reviewer-friendly, hand-off ready.
Two-pass walk that collects .cls source paths plus Apex-backed genAiFunction references, then cross-references each action against its class file and emits a High finding only when "without sharing" is confirmed.
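The two-pass cross-reference described above, as an added Python sketch that is not vulkro-sf's own code: it assumes the genAiFunction-to-Apex mapping has already been extracted into a dict of action name to class name, and the .cls sources below are constructed samples.

```python
import re
from dataclasses import dataclass

# Apex class declaration with an optional sharing keyword (Apex keywords are case-insensitive).
_CLASS_DECL = re.compile(
    r"^\s*(?:(?:global|public|private|virtual|abstract)\s+)*"
    r"(?:(?P<sharing>with|without|inherited)\s+sharing\s+)?"
    r"(?:(?:virtual|abstract)\s+)*class\s+(?P<name>\w+)",
    re.MULTILINE | re.IGNORECASE,
)
_COMMENTS = re.compile(r"//.*|/\*.*?\*/", re.DOTALL)

@dataclass
class Finding:
    action: str
    apex_class: str
    severity: str
    path: str

def collect_classes(files):
    """Pass 1: map class name -> (path, sharing keyword or None) for every .cls file."""
    classes = {}
    for path, source in files.items():
        if not path.endswith(".cls"):
            continue
        m = _CLASS_DECL.search(_COMMENTS.sub("", source))  # strip comments so they cannot fake a match
        if m:
            sharing = m.group("sharing")
            classes[m.group("name")] = (path, sharing.lower() if sharing else None)
    return classes

def check_actions(actions, classes):
    """Pass 2: cross-reference each Apex-backed action; High only when 'without sharing' is confirmed."""
    findings = []
    for action, cls in actions.items():
        entry = classes.get(cls)
        if entry is None:
            continue  # class not in the scanned source: unconfirmed, no High finding
        path, sharing = entry
        if sharing == "without":
            findings.append(Finding(action, cls, "High", path))
    return findings

# Constructed sample input (hypothetical class and action names).
SAMPLE_FILES = {
    "classes/OrderLookup.cls": "public without sharing class OrderLookup {\n  @InvocableMethod public static List<String> run(List<String> ids) { return ids; }\n}\n",
    "classes/CaseSummary.cls": "public with sharing class CaseSummary { }\n",
    "classes/Legacy.cls": "/* without sharing class Legacy */\npublic inherited sharing class Legacy { }\n",
}
SAMPLE_ACTIONS = {"Lookup_Order": "OrderLookup", "Summarise_Case": "CaseSummary",
                  "Legacy_Action": "Legacy", "Orphan_Action": "NotInRepo"}

def scan(files, actions):
    return check_actions(actions, collect_classes(files))
```

Only the action whose class is declared `without sharing` in a comment-stripped declaration produces a High; a commented-out declaration, an `inherited sharing` class, or a class missing from the source tree does not.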
Five-check posture suite detecting the OAuth token-sprawl class that compromised 700+ orgs via Salesloft Drift and 200+ via Gainsight. Refresh-token co-occurrence flagged at High.
vulkro-sf org status / perms / packages reads metadata through your existing sf CLI login; OAuth tokens stay in the official CLI credential store and are never held by Vulkro.
The master reference for what a safe Salesforce app should be. Well-Architected pillars, AppExchange Top-20, 2025-26 breach class map, and the explicit detector-by-detector coverage matrix.
Community
Get notified when an SF release lands.
Subscribe on Substack or follow r/vulkro to hear about new Salesforce detectors, AppExchange report updates, and 2025-26 breach-class advisories the moment they ship.
Substack
Subscribe once, get two things: the weekly CVE + release digest in your inbox, and access to the live chat where in-between things land (detector ideas, weird findings, release heads-ups).
Public community at r/vulkro. Bug reports, scan-result war stories, CVE chat, AppSec questions. No email required, indexed by Google so threads stay useful.
Bug reports, install help, billing questions. One human reads every message. No web form, no chatbot, no AI summariser.
Want to try the current release?
vulkro-sf is a sibling binary on the shared engine. Install it next to the general scanner; the org connector uses your existing sf CLI login.