Vulkro vs Bearer

Bearer is the SAST tool that made "data-flow first" a category. Instead of CVSS-ordered findings, Bearer scores by the sensitive data type a vulnerability touches: PII, PHI, payment data, and so on. That framing is genuinely useful, and a deliberate influence on how Vulkro thinks about privacy-class findings.

So when do you pick Vulkro over Bearer?

At a glance

| | Vulkro | Bearer CLI | Bearer Pro |
| --- | --- | --- | --- |
| License | Closed-source detectors. Free tier, or Pro per-term, no auto-renewal | Elastic License 2.0 (free in-house) | Commercial; ELv2 with hosted-service restriction |
| Runs where | Your machine | Your machine | Your machine / cloud |
| Source code uploaded | Never | Never | Never (claims) |
| Telemetry | None | Opt-out | Opt-out |
| Languages | Python, JS/TS, Go, Ruby, Java/Kotlin, C#, PHP, Apex | Go, Java, JS, TS, PHP, Python, Ruby | + C#, Kotlin, Elixir, VB.Net |
| Cross-file taint | Yes (default) | Limited | Yes (Pro) |
| Privacy / PII detection | Yes (security::pii, security::phi) | Yes (120+ data types; flagship feature) | Same + advanced GDPR reports |
| CVE / SCA matching | Local bundle in same scan | Separate; needs SCA tier | Same |
| API Top 10 + LLM | OWASP API:2023 + LLM 01/06 | API security via rules | Same |
| Public benchmark | Yes (reproducible) | Internal claims | Internal claims |

Benchmark numbers

| | Vulkro | Bearer 2.0 |
| --- | --- | --- |
| Precision (how few false alarms) | leads | varies |
| Catch rate (how many real bugs found) | leads | varies |
| Overall accuracy score | leads | varies |

(Locked numbers ship in the public changelog on each release. You can reproduce them yourself with bench/comparison/run.sh --tier1 --tools vulkro,bearer.)

The architectural distinction

Both tools take a "never upload source" stance, so the gap between them is narrower than the gap between Vulkro and Semgrep AppSec Platform or Snyk. The decision hinges on:

  • License model. Bearer CLI is Elastic License 2.0: free for in-house use; you can't offer Bearer as a hosted service to third parties. Bearer Pro adds an explicit commercial license for that case. Vulkro is closed-source detectors with a Free tier and a Pro tier: Free is permanent and needs no card; Pro is a $19 monthly or $149 annual pass that expires (instead of auto-billing) and then drops back to the Free tier.

  • Coverage shape. Bearer is data-type-first; the rule pack is organised around what the code TOUCHES (email, phone, health record). Vulkro is OWASP-API-first; the rule pack is organised around what the code EXPOSES (BOLA, BFLA, mass assignment, SSRF, etc.). Both surfaces matter; pick the one that matches your team's mental model.

  • Verification surface. Vulkro publishes the benchmark harness and the ground-truth corpus (bench/comparison/groundtruth/). Bearer's precision numbers come from internal measurement that isn't externally reproducible.

When to pick Bearer

  • Your audit posture is data-protection-first — GDPR, CCPA, HIPAA reports are the deliverable.
  • You have a Ruby / Elixir / VB.Net codebase Bearer Pro covers but Vulkro doesn't.
  • You're comfortable with ELv2 license terms (free in-house, paid if you re-host).

When to pick Vulkro

  • Your audit posture is OWASP-API-first, with privacy as one of several axes (Vulkro emits PII/PHI findings, just not as the organising principle).
  • You want CVE / SCA in the same scan rather than a separate Bearer tier.
  • You're auditing an Apex / Salesforce codebase (Bearer doesn't cover Apex; Vulkro does).
  • You want a per-term license that doesn't auto-renew (and drops to a working Free tier on expiry, instead of going dark): the contrast with SaaS billing is a positioning advantage when your procurement team has been burned by renewal surprises.

What we kept from Bearer's playbook

Two ideas in Bearer are good enough to take inspiration from:

  1. Data-flow priority on PII findings. Vulkro's security::pii and security::phi detectors emit findings whose severity is shaped by the data type, mirroring Bearer's data-flow-first approach for that specific category.
  2. Per-finding confidence and remediation text. Bearer's compact remediation snippets influenced how Vulkro renders vulkro explain <ID> output.

The credit lines up; the moat is elsewhere (CVE bundle, OWASP API completeness, reproducible benchmark, no-auto-renewal license).

Try both side by side

# In your project root:
vulkro scan . --format sarif > vulkro.sarif
bearer scan . --output bearer.sarif --report security

# Diff in your favourite SARIF viewer.

Both tools emit SARIF; GitHub Code Scanning ingests either format.
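Because both scanners write SARIF 2.1.0, the "diff in your favourite SARIF viewer" step can also be scripted. The following is an added example, not code from Vulkro, Bearer or this page: it indexes each tool's results by (file, start line) rather than by rule id, since rule ids are tool-specific and will never match across scanners, and it reports locations only one tool flagged versus locations both flagged (with each tool's rule id). The two SARIF documents at the bottom are constructed inline so the script runs offline; in practice you would `load_sarif("vulkro.sarif")` and `load_sarif("bearer.sarif")` instead. Tool and rule names in the sample are placeholders, not real output of either product.

```python
"""Compare two SARIF 2.1.0 logs by finding location (added example, not from either tool)."""
import json
from typing import Dict, Set, Tuple

Location = Tuple[str, int]                 # (artifact uri, start line)
LocationIndex = Dict[Location, Set[str]]   # location -> rule ids reported there


def normalise_uri(uri: str) -> str:
    """Strip a leading './' so 'app/x.py' and './app/x.py' compare equal."""
    return uri[2:] if uri.startswith("./") else uri


def findings_by_location(sarif: dict) -> LocationIndex:
    """Index every result of every run by its first physical location.

    Results with no location at all (repo-wide or policy findings) are keyed
    on ("", 0) so they appear in the diff instead of being silently dropped.
    """
    index: LocationIndex = {}
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "<no-rule>")
            key: Location = ("", 0)
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 0)
                key = (normalise_uri(uri), int(line))
                break  # the first location is enough for a stable key
            index.setdefault(key, set()).add(rule_id)
    return index


def diff_sarif(a: dict, b: dict) -> dict:
    """Split locations into only-in-a, only-in-b and reported-by-both."""
    la, lb = findings_by_location(a), findings_by_location(b)
    return {
        "only_a": {loc: la[loc] for loc in la.keys() - lb.keys()},
        "only_b": {loc: lb[loc] for loc in lb.keys() - la.keys()},
        "both": {loc: (la[loc], lb[loc]) for loc in la.keys() & lb.keys()},
    }


def load_sarif(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _result(rule_id: str, uri: str = None, line: int = None) -> dict:
    """Build a minimal SARIF result; omit uri to get a location-less finding."""
    res = {"ruleId": rule_id, "level": "warning", "message": {"text": "constructed"}}
    if uri is not None:
        res["locations"] = [{"physicalLocation": {
            "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]
    return res


# Constructed sample logs (placeholder tool and rule names, not real scanner output).
SAMPLE_A = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "scanner-a"}},
    "results": [_result("security::pii", "app/users.py", 42),
                _result("api::bola", "app/orders.py", 88)]}]}

SAMPLE_B = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "scanner-b"}},
    "results": [_result("example_pii_in_log", "./app/users.py", 42),
                _result("example_sql_injection", "app/db.py", 17),
                _result("example_repo_policy")]}]}


if __name__ == "__main__":
    diff = diff_sarif(SAMPLE_A, SAMPLE_B)
    for section in ("both", "only_a", "only_b"):
        print(f"== {section} ==")
        for (uri, line), rules in sorted(diff[section].items()):
            print(f"  {uri or '<no location>'}:{line}  {rules}")
```

Agreement on a location is a useful triage signal when evaluating two scanners: a finding both tools flag is rarely a false alarm, and the only_a / only_b buckets are where precision and catch-rate differences actually live.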


See also: Vulkro vs Semgrep, Vulkro vs Snyk, Vulkro vs CodeScan, Safety, CVE bundle changelog.