
Vulkro for Salesforce vs the SF security tools

Code and posture in one offline binary.

Code SAST tools (PMD, sfdx-scanner, Clayton, CodeScan) do not do org posture. SSPM tools (AppOmni, Obsidian, Adaptive Shield) do not read your code. Vulkro for Salesforce does both, plus identity, Connected Apps, and Agentforce, in one local scan.

Compared against PMD / sfdx-scanner (Salesforce-mandatory), Clayton, CodeScan / AutoRABIT, AppOmni, and Obsidian Security.

Apples to apples.

12 categories, six tools. "Partial" means the tool covers a meaningful subset; "No" means the tool does not target that surface at all. Detailed methodology on /sf/docs/methodology.

| Category | Vulkro for SF | PMD | CodeScan | AppOmni | Obsidian |
|---|---|---|---|---|---|
| Apex / LWC / Aura / Visualforce / Flow code | Yes | Partial (PMD rules) | Yes | No | No |
| Org posture (SecuritySettings, sharing) | Yes | No | Partial | Yes | Yes |
| Identity (Profile + PermSet over-privilege) | Yes | No | No | Yes | Yes |
| Connected App OAuth posture | Yes | No | No | Partial | Partial |
| Agentforce ForcedLeak (CVSS 9.4) detector | Yes | No | No | Partial | No |
| AppExchange Security Review report | Yes (HTML) | No | No | No | No |
| Salesforce Well-Architected anti-patterns | AP-001 to AP-014 | Partial | Partial | No | No |
| Source upload required | No | No | Yes | n/a (SSPM) | n/a (SSPM) |
| Offline / on your machine | Yes | Yes | No | No (hosted SaaS) | No (hosted SaaS) |
| Continuous monitoring | No (point-in-time) | No | No | Yes | Yes |
| AppExchange submission focus | Yes | Partial | Partial | No | No |

Three categories, three trade-offs.

Each card says what the category gives up and what it does better than us. Honest beats hyperbole.

Code SAST

PMD, sfdx-scanner, Clayton, CodeScan.

The code-SAST category covers Apex linting, the PMD ruleset, ESLint LWC rules, and (in the SaaS variants) deeper data-flow analysis. None of them cover org posture, identity, Connected Apps, or Agentforce. For an AppExchange submission that needs the full reviewer-checklist coverage, the SAST category is one slice of the answer.

Honest: where they win. PMD and sfdx-scanner are Salesforce-mandatory. Clayton has the polished IDE feedback loop. CodeScan has the AutoRABIT-backed deployment integration. Vulkro complements them; it does not replace PMD inside the AppExchange submission pipeline.

SSPM

AppOmni, Obsidian, Adaptive Shield.

Salesforce Security Posture Management products connect via OAuth and watch posture, identity, and third-party drift continuously. They are the leading category for ongoing enterprise monitoring. They do not read your code: Apex, LWC, Aura, Visualforce, and Flow are out of scope by design.

Honest: where they win. 24/7 monitoring, an enterprise security team workflow, alert routing into the SOC. Vulkro is a point-in-time tool that fits ISV submission and consultancy engagement; SSPM fits ongoing enterprise security. The two categories coexist.

Vulkro for Salesforce

Code + posture + identity + Connected Apps + Agentforce, offline.

One offline binary, five pillars, point-in-time scan against the source on your laptop or a connected org. The AppExchange Security Review readiness report is checklist-aligned to the published reviewer rubric. The Connected App OAuth posture detectors are anchored to the 2025-26 Drift / Gainsight breach class. The Agentforce ForcedLeak detector is anchored to the documented CVSS 9.4 class-bypass vector.

Honest: where we do not pretend to win. No continuous SOC monitoring, no hosted SaaS, no 24/7 alert pipeline. For an enterprise running ongoing posture monitoring across hundreds of orgs, SSPM is the right product shape.

Coming from one of these?

Pick your current tool. Get a one-line mapping for each common workflow, plus the honest note where we do not replace it.

PMD stays mandatory for AppExchange. Vulkro layers on top.

| PMD / sfdx-scanner workflow | Vulkro for Salesforce equivalent |
|---|---|
| sfdx scanner:run --target ./force-app | vulkro-sf scan ./force-app |
| PMD security-only rules | vulkro-sf scan + native CRUD/FLS taint |
| Manual AppExchange checklist review | vulkro-sf appexchange-report -o readiness.html |
| No org-posture coverage | vulkro-sf org status / perms / packages |

Run both. See what each one finds.

Vulkro for Salesforce coexists with PMD (which stays mandatory for AppExchange) and is a sibling, not a replacement, to SSPM. Install vulkro-sf, run it against the same project, and compare what each scanner reports.