Vulkro vs Semgrep
If you are choosing a security scanner for a codebase that AI assistants now write much of, two questions come before any feature list: where does your code go when the tool runs, and does the tool give the same answer twice. This page compares Vulkro and Semgrep on both, then on a published benchmark you can rerun.
Two things separate Vulkro from Semgrep CE, and they are the two things this page leads with:
- Your source code never leaves your machine. Vulkro is a single binary and every scan runs locally. No upload, no cloud step, ever; the only thing that crosses the wire is a minimal account entitlement check that never sees code or findings.
- It beats Semgrep CE on a published, reproducible benchmark. On our published corpus Vulkro found 2.9x more catalogued bugs than Semgrep CE (44 vs 15) at higher precision (0.81 vs 0.62), in less total scan time (34.4s vs 38.6s). The harness, the corpus, and the scoring code are all public, so you can re-run it yourself.
Semgrep is the most widely deployed static analysis tool in its space. It's well-engineered, has thousands of community rules, and runs in pre-commit hooks across half the ecosystem. The honest framing is that the two tools target different points in the build / privacy / accuracy trade-space. This page makes the distinction concrete.
At a glance
| Vulkro | Semgrep CE | Semgrep AppSec Platform | |
|---|---|---|---|
| License | 14-day trial on first sign-in; licenses issued directly by our team | Free (LGPL 2.1) | SaaS, per-developer subscription |
| Runs where | Your machine | Your machine | Your machine OR Semgrep cloud |
| Source code uploaded | Never | Not in CE | When using cloud features (configurable) |
| Deep-analysis languages | JavaScript/TypeScript, Python, Go, and Java (Spring, new) | Many languages, single-file scope | Many languages (Pro engine) |
| Cross-file analysis | Yes | No (single-file scope) | Yes (Pro engine) |
| Telemetry | Six usage fields: product, install id, version, operating system, timestamp, and a scan counter. Never code or findings | Opt-out anonymous usage | Yes, in cloud tier |
| Rule authoring | YAML (regex or AST mode) | YAML (code-like patterns) | Same as CE + cloud-managed packs |
| Custom-rule reuse | Semgrep YAML import shim | Native | Native |
| CVE / SCA matching | Local CVE bundle (OSV+NVD+KEV+EPSS) | Separate semgrep supply-chain tier | Cloud-side |
| OWASP API Top 10 coverage | All 10 + LLM 01/06 | Community rules; coverage varies | Same + curated packs |
Benchmark numbers
Measured on our published corpus, July 2026: 15 deliberately vulnerable public codebases with 90 catalogued bugs, of which 76 sit in the languages the benchmarked release analyzes deeply (JS/TS, Python, Go). Scored at Vulkro's default high-confidence setting. Same machine, same pinned commits, same scoring for every tool.
| Vulkro | Semgrep CE 1.136.0 | |
|---|---|---|
| Catalogued bugs found (of 76) | 44 | 15 |
| Precision (how few false alarms) | 0.81 | 0.62 |
| Recall (how many real bugs found) | 0.58 | 0.20 |
| F1 score (overall accuracy) | 0.68 | 0.30 |
| Total scan time | 34.4s | 38.6s |
One honesty note: in July 2026 we grew our own ground truth from 69 to 90 catalogued bugs and published the recall drop that came with it. The corpus is versioned and the numbers regenerate from one command.
$ bench/comparison/run.sh --tier1 --tools vulkro,semgrep · scores: bench/comparison/scorecard-high.md
The harness (bench/comparison/) and the ground-truth corpus
(bench/comparison/groundtruth/) are public, so the numbers above
are not vendor claims: clone the corpus, run the same commands, and
get the same figures. The locked numbers matching each release are
published in the product changelog.
The architectural distinction
The split between Vulkro and Semgrep CE is where the analysis runs and what data leaves the machine:
- Vulkro: detection engine + CVE bundle live on the same
machine that holds the source.
VULKRO_OFFLINE=1enforces this at the process boundary (air-gapped machines pair it with a license file). The default network calls arevulkro update(signed bundle fetch fromdist.vulkro.com) and a daily entitlement check that carries six usage fields (product, install id, version, operating system, timestamp, and a scan counter), never code. - Semgrep CE: same posture in default mode. Source stays local. The CE binary doesn't phone home for findings, only for opt-out anonymous usage telemetry.
- Semgrep AppSec Platform: source can be uploaded to Semgrep's cloud for the cross-file Pro engine to run, the AI Assistant to triage, or the Supply Chain database to match against. Read Semgrep's terms before pointing the Pro engine at a repo with customer data.
The split between Vulkro and Semgrep AppSec Platform is
a licensed engine with a public benchmark vs
SaaS-managed detectors with vendor-published claims. Vulkro
ships the benchmark harness (bench/comparison/) and the
ground-truth corpus (bench/comparison/groundtruth/); anyone can
reproduce the precision / recall numbers. Semgrep's curated
detection rules are managed in the cloud and not externally
verifiable to the same degree.
Where Semgrep wins
Concessions first, because they are real:
- The rule ecosystem is much bigger. Thousands of community and registry rules against Vulkro's built-in detector set plus a strict YAML import shim. If your detection profile is dominated by language-specific conventions (Python null-check patterns, JS async-handler idioms), Semgrep's community packs have coverage Vulkro does not.
- Custom rule authoring is its core strength. Semgrep's code-like pattern syntax is the best rule-writing experience in the category. Vulkro's custom rules are narrower (regex or AST mode).
- More languages. Semgrep parses far more languages than Vulkro's deep-analysis set (JavaScript/TypeScript, Python, Go, and Java (Spring)).
- It already runs everywhere. If your team has invested in Semgrep CI wiring and authored rules, that investment is a real switching cost.
When to pick Vulkro
- Your data-handling policy or contract forbids source upload to any third party, including for "evaluation" or "optional cloud features" tiers.
- You want CVE / SCA coverage in the same scan as SAST (one binary, one report, one CI step).
- You need cross-file taint flow as a default (no separate Pro engine to enable).
- You want the OWASP API Top 10 + LLM Top 10 (LLM01 / LLM06) out of the box.
- You want a vendor on the hook without a per-developer seat count. Create an account and your first CLI sign-in starts a 14-day trial of the full product; Vulkro is licensed per seat, directly through our team, at [email protected].
Migration: bring your Semgrep rules to Vulkro
vulkro rules import-semgrep ./semgrep-rules.yaml translates a
strict subset of Semgrep YAML into Vulkro's CustomRule format.
Field-level translation:
id,message,languages,fix→ directseverity: INFO → low, WARNING → medium, ERROR → highmetadata.cwe→ vulkrocwepattern: best-effort regex translation ($IDENT→.+?,...→.*)
Compound shapes (pattern-either, pattern-not, patterns:
AND-composition) are skipped with a per-rule stderr warning
naming the unsupported feature. The full supported grammar is
documented in the product changelog.
Try both side by side
# In your project root:
vulkro scan . --format sarif > vulkro.sarif
semgrep --config p/owasp-top-ten --sarif --output semgrep.sarif
# Diff in your favourite SARIF viewer.
Both tools emit SARIF; GitHub Code Scanning ingests either format. The split-and-compare workflow is the fastest way to see whether Vulkro's defaults match your codebase before you commit to a license.
See also: Vulkro vs Bearer, Vulkro vs Snyk, Vulkro vs Trivy, Compare the scanners, Safety, CVE bundle changelog.