
Many client orgs, one laptop, zero uploaded code.

Salesforce consultancies audit client orgs constantly: pre-engagement discovery, mid-engagement health checks, post-engagement handoffs, compliance evidence packs for regulated clients. The market default for this is a hosted SaaS scanner (CodeScan, Clayton) that uploads your client's code to a third-party service.

Vulkro flips the model: one laptop, any number of Salesforce orgs, fully offline, and your client code never leaves the consultant's machine.

What you get per engagement

  1. Per-org HTML compliance reports. Run vulkro portfolio engagement-bundle <parent-dir> -o report.zip against a directory that contains every client SFDX project you manage. The output is one zip with one HTML report per client org plus an index page summarising NIST 800-53 and SOC 2 pass/fail status per org. Hand the zip directly to the client.

  2. CRUD/FLS taint findings across class boundaries. Vulkro's Apex engine builds an intra-class and cross-class call graph and resolves, for each entry point, which CRUD/FLS enforcement checks and which data operations (SOQL and DML) it can reach. A method that delegates its FLS check to a private helper is no longer a false positive; a method whose DML lives in a callee class is now caught.

  3. AppExchange Security Review readiness report. For ISV clients, vulkro-sf appexchange-report renders the same reviewer-checklist mapping. Bring it to the kickoff for any client planning a managed-package submission.

  4. Full Salesforce coverage. Visualforce (escape="false" reflected merge fields, dynamic includeScript), metadata (profile over-privilege, named credentials, connected app OAuth scopes), Flow (system-context DML, hardcoded IDs), and PII mapping for the standard SObjects (Account, Contact, Lead, Opportunity, Case, User).

  5. Cloud-specific detectors beyond core CRM. Clients on B2C Commerce, Marketing Cloud, Health Cloud, FSC, CRM Analytics, Salesforce Functions, or Heroku Connect get cloud-specific rules that activate on markers in the project root, so a vanilla Apex/LWC project never pays the cost of walking rules for clouds it does not use. Per-cloud rules: B2C Commerce | Marketing Cloud | Industries Clouds (Health + FSC) | CRM Analytics | SF Functions | Heroku Connect. Plus the PMD-for-Apex / ESLint LWC / RetireJS wrappers as a one-shot sfdx-scanner replacement.

  6. Live-org posture audits you can track across the engagement. Connect a client org through the consultant's own sf CLI login (read-only, metadata only; the OAuth token stays in the CLI and no business records are read) and the desktop console audits identity and permission over-privilege, Connected App OAuth posture, installed packages, Agentforce, and SecuritySettings hardening (session timeout, IP binding, clickjack, CSRF, password policy). Each audit is a point-in-time snapshot, so a mid-engagement re-audit diffs against the discovery snapshot (what is NEW and what was RESOLVED) and proves the remediation to the client without re-reading a line of their code. See live-org setup.
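Item 2 above describes a finding that is decided on the call graph rather than on one method's text. The Python below is an added illustration of that idea and is not Vulkro's code: a regex-level model that extracts the methods of two constructed Apex classes (hypothetical AccountService and AccountRepo), resolves bare and Class.method calls into a call graph, and reports a missing CRUD/FLS check for a public entry point only when a data operation is reachable from it and no enforcement marker is. The class and method names, the marker list, and the verdict strings are assumptions made for the example. It is reachability only, not flow-sensitive, and it does not match the checked field against the written field; a production engine does both.

```python
"""Toy cross-class CRUD/FLS reach analysis over constructed Apex snippets.
Added illustration, not Vulkro's engine: reachability on the call graph only,
not flow-sensitive, and it does not match checked fields against written ones.
"""
import re

# Constructed Apex with hypothetical class and method names.
# rename(): FLS check delegated to a private helper, DML in the caller -> clean.
# archive(): no check anywhere, the DML lives in a callee in another class -> finding.
APEX_SOURCES = {
    "AccountService": """
public with sharing class AccountService {
    public static void rename(Id accId, String name) {
        ensureUpdatable();
        update new Account(Id = accId, Name = name);
    }
    private static void ensureUpdatable() {
        if (!Schema.sObjectType.Account.fields.Name.isUpdateable()) {
            throw new AuraHandledException('no access');
        }
    }
    public static void archive(Id accId) {
        AccountRepo.save(accId);
    }
}""",
    "AccountRepo": """
public class AccountRepo {
    public static void save(Id accId) {
        update new Account(Id = accId, Archived__c = true);
    }
}""",
}

METHOD_RE = re.compile(
    r'\b(public|private|protected|global)\s+(?:static\s+)?[\w<>\[\].,]+\s+(\w+)\s*\(')
ENFORCEMENT_RE = re.compile(
    r'\.is(?:Accessible|Createable|Updateable|Deletable)\(\)'
    r'|WITH\s+(?:SECURITY_ENFORCED|USER_MODE)|Security\.stripInaccessible\(')
DATA_OP_RE = re.compile(
    r'^\s*(?:insert|update|upsert|delete|undelete)\s+\w|\[\s*SELECT\b', re.M)
CALL_RE = re.compile(r'\b(?:(\w+)\.)?(\w+)\s*\(')   # Class.method( or method(


def extract_methods(source):
    """Return {method: (visibility, body)} by brace-matching each method body."""
    methods = {}
    for m in METHOD_RE.finditer(source):
        start = source.index('{', m.end())        # first '{' after the parameter list
        depth, i = 0, start
        while True:
            depth += {'{': 1, '}': -1}.get(source[i], 0)
            if depth == 0:
                break
            i += 1
        methods[m.group(2)] = (m.group(1), source[start + 1:i])
    return methods


def build_program(sources):
    """Per (class, method): visibility, enforcement/data-op markers, resolved calls."""
    program = {}
    for cls, src in sources.items():
        for name, (vis, body) in extract_methods(src).items():
            program[(cls, name)] = {'vis': vis, 'body': body, 'calls': [],
                                    'enforces': bool(ENFORCEMENT_RE.search(body)),
                                    'data_op': bool(DATA_OP_RE.search(body))}
    for (cls, name), info in program.items():
        for target_cls, target in CALL_RE.findall(info['body']):
            key = (target_cls or cls, target)     # bare call resolves to the same class
            if key in program:                    # skips new X(), if (...), platform APIs
                info['calls'].append(key)
    return program


def reachable(program, entry):
    """Every method reachable from entry through the call graph, entry included."""
    seen, work = set(), [entry]
    while work:
        cur = work.pop()
        if cur not in seen:
            seen.add(cur)
            work.extend(program[cur]['calls'])
    return seen


def analyze(sources):
    """Verdict per public/global entry point: finding, or why it is clean."""
    program = build_program(sources)
    verdicts = {}
    for key, info in program.items():
        if info['vis'] not in ('public', 'global'):
            continue
        reach = reachable(program, key)
        data_ops = sorted('.'.join(k) for k in reach if program[k]['data_op'])
        enforced = any(program[k]['enforces'] for k in reach)
        if data_ops and not enforced:
            verdicts['.'.join(key)] = 'MISSING_CRUD_FLS via ' + ', '.join(data_ops)
        else:
            verdicts['.'.join(key)] = 'ok: ' + (
                'enforcement reachable' if data_ops else 'no data op reachable')
    return verdicts
```

Calling analyze(APEX_SOURCES) returns three verdicts: AccountService.rename is clean because the isUpdateable() check in the private helper is on its call path, AccountService.archive is flagged through AccountRepo.save, and AccountRepo.save is flagged on its own because it is public and unguarded. Adding the check inside save, or converting the write to a user-mode operation the marker list recognises, clears both findings at once, which is the cross-class behaviour item 2 describes.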

Multi-org without uploading any of it

Vulkro for Salesforce runs entirely on the consultant's laptop and scans any number of client SFDX projects checked out there. There is no per-org gate inside the engine; the consultant rotates through clients as the engagements land.

Setting VULKRO_OFFLINE=1 enforces zero network calls at the process boundary, for engagements where the client contract requires it. The CVE bundle ships inside the binary; updates arrive as a separate signed download, on a schedule you control.

Why offline matters here

Every client engagement starts with an NDA. Many of those NDAs forbid sending client code to "third-party services" or "external data processors." A SaaS code scanner is exactly the kind of processor procurement teams are getting trained to flag.

Vulkro is a single static binary. No telemetry, no upload, no account, no cloud LLM. Your consultant reads the report, fixes the client's code, writes the deliverable, deletes the local checkout. The audit tool was never a data processor.

Compare with the alternatives

  • vs CodeScan: the most common direct comparison.
  • vs Snyk: if you have clients pushing SaaS scanners on you.
  • vs Semgrep: the open-source angle.

Ready to discuss your engagement model?

Email [email protected]

Tell us your consultancy name and roughly how many client orgs you audit in a year. We reply within one business day.