Vulnera - Modular Vulnerability Analysis Platform
Vulnera is an API-first, self-hosted security platform built in Rust for multi-ecosystem vulnerability analysis. It combines four purpose-built detection modules under a single orchestrator with kernel-level sandboxing, a typed job pipeline, and optional LLM enrichment.
All core analysis - SAST, secrets detection, and API security - runs fully offline. Dependency CVE lookups require network access to OSV, NVD, and GHSA. LLM enrichment requires network access to the configured provider.
Key differentiators:
- Rust-native performance - no GC pauses, lock-free caching
- Landlock kernel sandboxing - not containers, the actual Linux kernel
- Transparent auditable rules - TOML rule packs you can read and modify
- Targets small teams and pre-production workflows first
- Built for the AI-generated code era - catches vulnerabilities at the pace AI-assisted development produces code
The Four Analysis Modules
| Module | Method | Coverage | Offline? |
|---|---|---|---|
| SAST | Tree-sitter AST + inter-procedural taint analysis | Python, JavaScript, TypeScript, Rust, Go, C, C++ | ✅ Yes |
| Secrets Detection | Entropy + pattern matching | All text files | ✅ Yes |
| API Security | Rule-based OpenAPI spec analysis | OpenAPI 3.0 / 3.1 | ✅ Yes |
| Dependency Analysis | CVE lookup (OSV, NVD, GHSA) | npm, PyPI, Cargo, Maven/Gradle, Go, Composer, Bundler, NuGet | ❌ No |
LLM enrichment (Gemini, OpenAI, Azure) is an optional post-processing pass - it adds explanations and fix suggestions to existing findings but is never part of detection.
Documentation Structure
Getting Started
Role-based quick-start guides:
- Developer Quick Start - run your first scan locally in under 5 minutes
- DevSecOps Quick Start - CI/CD integration, team setup, policy gates
- Cloud Engineer Quick Start - repository scanning, S3 buckets, infrastructure
Analysis Capabilities
- Overview - module selection, offline vs. online, unified finding schema
- AI-Assisted Code Analysis (SAST) - detection methods, language coverage, taint analysis internals
- AI-Assisted Secret Detection - entropy thresholds, baseline support, Git history scanning
Module Reference
- Dependency Analysis - ecosystem coverage, lockfile strategy, version recommendations
- SAST - supported languages, rule packs, confidence scoring
- Secrets Detection - detection methods, secret types, baselines
- API Security - analysis categories, OAuth/OIDC checks, strict mode
AI-Powered Features
- LLM Explanations & Auto-Fixes - provider setup, quotas, caching
Dashboard & Web Platform
- Dashboard Guide - web UI overview
- Organization Management - teams, members, shared quota
- Team Collaboration - workflows for security teams
Reference
- Configuration - environment variable reference with defaults
- System Architecture - DDD layering, composition root, cache architecture
- Orchestrator Observability - job lifecycle event model, instrumentation strategy
- FAQ - quota, offline capabilities, false positives, troubleshooting
Offline vs. Online Boundaries
Fully offline (no network required):
- SAST
- Secrets Detection
- API Security
Requires network:
- Dependency Analysis (OSV/NVD/GHSA lookups)
- LLM enrichment (explanations and fixes)
Self-Hosting
The server is a single Rust binary backed by PostgreSQL and optionally Dragonfly/Redis.
Minimum requirements:
- Rust 1.92+ (build only)
- PostgreSQL 12+
- Linux 5.13+ recommended (for Landlock sandbox; process isolation fallback works on older kernels)
```bash
export DATABASE_URL='postgresql://user:pass@localhost:5432/vulnera'
sqlx migrate run
cargo run
```
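As an added example (not part of the Vulnera project), a POSIX-sh preflight script that checks the minimum requirements listed above against the running host before executing the documented `sqlx migrate run` / `cargo run` steps. It assumes `rustc`, `psql` and `uname` are on PATH, that `DATABASE_URL` is exported as shown, and that the PostgreSQL server it points at is reachable; the function names and the `--run` flag are mine.

```shell
#!/bin/sh
# Added preflight helper (not part of Vulnera). Checks the minimum requirements
# from this page (Rust 1.92+, PostgreSQL 12+, Linux 5.13+ recommended for Landlock)
# before running the documented bootstrap steps.
# Assumes: rustc, psql, uname on PATH; DATABASE_URL exported; server reachable.

# vernum "5.13.2-generic" -> 5013002 : dotted version as a comparable integer
# (a leading 'v' or trailing suffix is stripped; missing components count as 0).
vernum() {
    printf '%s\n' "$1" | sed 's/^v//; s/[^0-9.].*//' \
        | awk -F. '{ printf "%d%03d%03d\n", $1, $2 + 0, $3 + 0 }'
}

# version_ge HAVE WANT : true when HAVE >= WANT
version_ge() {
    [ "$(vernum "$1")" -ge "$(vernum "$2")" ]
}

# Hard requirement: Rust toolchain 1.92+ (build only).
check_rust() {
    have=$(rustc --version 2>/dev/null | awk '{ print $2 }')
    [ -n "$have" ] && version_ge "$have" 1.92 \
        || { echo "FAIL: Rust 1.92+ required, found '${have:-none}'" >&2; return 1; }
    echo "ok: rustc $have"
}

# Hard requirement: PostgreSQL 12+. server_version_num is MAJOR*10000 + MINOR
# (e.g. 140005 for 14.5), so the 12.0 threshold is 120000.
check_postgres() {
    [ -n "${DATABASE_URL:-}" ] || { echo "FAIL: DATABASE_URL not set" >&2; return 1; }
    num=$(psql "$DATABASE_URL" -Atc 'SHOW server_version_num' 2>/dev/null)
    [ -n "$num" ] && [ "$num" -ge 120000 ] \
        || { echo "FAIL: PostgreSQL 12+ required (server_version_num='${num:-unreachable}')" >&2; return 1; }
    echo "ok: PostgreSQL server_version_num $num"
}

# Soft requirement: Linux 5.13+ for the Landlock sandbox; older kernels fall back
# to process isolation, so this warns instead of failing.
check_kernel() {
    have=$(uname -r)
    if version_ge "$have" 5.13; then
        echo "ok: kernel $have (Landlock available)"
    else
        echo "WARN: kernel $have < 5.13, Landlock unavailable; process-isolation fallback will be used" >&2
    fi
    return 0
}

# Run all checks; non-zero if any hard requirement fails.
vulnera_preflight() {
    rc=0
    check_rust || rc=1
    check_postgres || rc=1
    check_kernel
    return "$rc"
}

# The documented bootstrap steps, gated on the preflight.
vulnera_bootstrap() {
    vulnera_preflight || return 1
    sqlx migrate run && cargo run
}

# Only execute when invoked as `sh preflight.sh --run`; sourcing just defines the functions.
case "${1:-}" in
    --run) vulnera_bootstrap ;;
esac
```

The kernel check deliberately warns rather than fails, mirroring the page's note that the Landlock sandbox is recommended but process-isolation fallback works on older kernels; the Rust and PostgreSQL checks are hard failures because the build and migrations cannot proceed without them.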
Full configuration reference: Configuration
License
Server and all analysis modules: AGPL-3.0-or-later
CLI, Advisors, LSP Adapter: AGPL-3.0-or-later (see each workspace’s LICENSE file)
Contributing
See the project README for the contribution guide, roadmap, and high-impact areas open for community work.