Vulnera — Modular Vulnerability Analysis Platform
Vulnera is an open-source, async Rust platform for multi-ecosystem vulnerability analysis. It combines four purpose-built detection modules under a single orchestrator with sandboxed execution, a typed job pipeline, and optional LLM enrichment.
Three of the four modules (SAST, secrets detection, and API security) run fully offline. Dependency CVE lookups require network access to OSV, NVD, and GHSA. LLM enrichment requires network access to the configured provider.
The Four Analysis Modules
| Module | Method | Coverage | Offline? |
|---|---|---|---|
| Dependency Analysis | CVE lookup (OSV · NVD · GHSA) | npm, PyPI, Cargo, Maven/Gradle, Go, Composer, Bundler, NuGet | ❌ No |
| SAST | Tree-sitter AST + inter-procedural taint analysis | Python, JavaScript, TypeScript, Rust, Go, C, C++ | ✅ Yes |
| Secrets Detection | Regex + entropy detection | All text files | ✅ Yes |
| API Security | Rule-based OpenAPI spec analysis | OpenAPI 3.0 / 3.1 | ✅ Yes |
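The SAST row names inter-procedural taint analysis. The following is an added example, not Vulnera's code, of the core of that technique in std-only Rust: a hand-built `Stmt` IR stands in for the Tree-sitter AST, each callee is analysed under the taint of the arguments it is actually called with, so taint flows through return values and into sinks that sit inside callees, and a sanitizer clears taint. The IR, `sample_program`, and the source/sink names are all constructed for the demo.

```rust
// Added example, not Vulnera's code: a minimal inter-procedural taint
// analysis over a hand-built IR standing in for a Tree-sitter AST.
use std::collections::{HashMap, HashSet};

#[derive(Debug, Clone)]
pub enum Stmt {
    Source(&'static str),                 // v = read_untrusted_input()
    Assign(&'static str, &'static str),   // dst = src
    Sanitize(&'static str, &'static str), // dst = sanitize(src): taint is cleared
    Call { dst: Option<&'static str>, callee: &'static str, args: Vec<&'static str> },
    Sink(&'static str, &'static str),     // sink_name(arg), e.g. sql_exec(s)
    Return(&'static str),
}

pub struct Func { pub params: Vec<&'static str>, pub body: Vec<Stmt> }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub sink: &'static str, pub var: &'static str, pub call_chain: Vec<&'static str> }

pub struct Analyzer<'a> {
    program: &'a HashMap<&'static str, Func>,
    findings: Vec<Finding>,
    in_progress: HashSet<(&'static str, Vec<bool>)>, // (function, argument taint) contexts on the stack
}

impl<'a> Analyzer<'a> {
    /// Analyze `name` under the given per-argument taint; returns whether its return value is tainted.
    fn analyze(&mut self, name: &'static str, arg_taint: Vec<bool>, chain: &mut Vec<&'static str>) -> bool {
        let program = self.program;
        let func = match program.get(name) {
            Some(f) => f,
            // Unknown callee (library code): assume it propagates taint from any argument to its result.
            None => return arg_taint.iter().any(|&t| t),
        };
        let key = (name, arg_taint.clone());
        if !self.in_progress.insert(key.clone()) {
            return false; // recursive call in the same context: cut the cycle (assumes an untainted return)
        }
        chain.push(name);
        // Parameters start tainted exactly where the caller's arguments were tainted.
        let mut tainted: HashSet<&'static str> = func.params.iter().zip(arg_taint.iter())
            .filter(|(_, t)| **t).map(|(p, _)| *p).collect();
        let mut ret_tainted = false;
        for stmt in &func.body {
            match stmt {
                Stmt::Source(v) => { tainted.insert(*v); }
                Stmt::Assign(d, s) => { if tainted.contains(s) { tainted.insert(*d); } else { tainted.remove(d); } }
                Stmt::Sanitize(d, _) => { tainted.remove(d); }
                Stmt::Call { dst, callee, args } => {
                    let targs: Vec<bool> = args.iter().map(|a| tainted.contains(a)).collect();
                    let r = self.analyze(*callee, targs, chain);
                    if let Some(d) = dst { if r { tainted.insert(*d); } else { tainted.remove(d); } }
                }
                Stmt::Sink(sink, v) => {
                    if tainted.contains(v) {
                        self.findings.push(Finding { sink: *sink, var: *v, call_chain: chain.clone() });
                    }
                }
                Stmt::Return(v) => { ret_tainted |= tainted.contains(v); }
            }
        }
        chain.pop();
        self.in_progress.remove(&key);
        ret_tainted
    }
}

/// Run the analysis from `entry` (assumed to take no arguments) and return every tainted sink reached.
pub fn analyze_entry(program: &HashMap<&'static str, Func>, entry: &'static str) -> Vec<Finding> {
    let mut a = Analyzer { program, findings: Vec::new(), in_progress: HashSet::new() };
    a.analyze(entry, Vec::new(), &mut Vec::new());
    a.findings
}

/// Constructed sample program for the demo (hypothetical, not taken from any real code base).
pub fn sample_program() -> HashMap<&'static str, Func> {
    let mut p = HashMap::new();
    p.insert("handler", Func { params: vec![], body: vec![
        Stmt::Source("q"),
        Stmt::Call { dst: Some("s"), callee: "build_query", args: vec!["q"] },
        Stmt::Sink("sql_exec", "s"),                                      // tainted through build_query's return
        Stmt::Call { dst: Some("t"), callee: "build_query", args: vec!["lit"] }, // "lit" is never tainted
        Stmt::Sink("sql_exec", "t"),                                      // clean
        Stmt::Sanitize("c", "q"),
        Stmt::Call { dst: Some("u"), callee: "build_query", args: vec!["c"] },
        Stmt::Sink("sql_exec", "u"),                                      // clean: sanitized before the call
        Stmt::Call { dst: None, callee: "audit", args: vec!["q"] },       // sink is reached inside the callee
    ]});
    p.insert("build_query", Func { params: vec!["p"], body: vec![Stmt::Assign("sql", "p"), Stmt::Return("sql")] });
    p.insert("audit", Func { params: vec!["x"], body: vec![Stmt::Sink("shell_exec", "x")] });
    p
}

fn main() {
    for f in analyze_entry(&sample_program(), "handler") {
        println!("{} reached by tainted `{}` via {}", f.sink, f.var, f.call_chain.join(" -> "));
    }
}
```

Two design points a practitioner would check: the unknown-callee rule errs towards reporting (any tainted argument taints the result), which trades false positives for not missing flows through library code; and the cycle cut for recursion assumes an untainted return, which is unsound and is where a real engine would iterate to a fixed point instead.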
LLM enrichment (Google Gemini, OpenAI, Azure OpenAI) is an optional post-processing pass — it adds explanations and fix suggestions to existing findings but is never part of detection.
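As an added example of the regex plus entropy method listed for Secrets Detection (not Vulnera's code): fixed-shape prefix rules stand in for regex patterns, Shannon entropy catches unstructured high-entropy tokens, and a baseline list suppresses findings that were already reviewed and accepted. The rules, the thresholds, and the `SAMPLE` input are assumptions made for the demo; the `AKIA...` value is the placeholder AWS uses in its own documentation, and none of the tokens are real credentials.

```rust
// Added example, not Vulnera's code: prefix rules (stand-ins for regex
// patterns) plus Shannon entropy over tokens, with a baseline that
// suppresses accepted findings. Patterns, thresholds and input are assumptions.
use std::collections::HashMap;

/// Shannon entropy of `s` in bits per character.
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts.values().map(|&k| { let p = k as f64 / n; -p * p.log2() }).sum()
}

#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub line: usize, pub kind: &'static str, pub token: String, pub entropy: f64 }

/// Structured rules: (kind, required prefix, exact length), restricted to [A-Za-z0-9_].
/// Assumed shapes standing in for regexes; not Vulnera's rule set.
const PREFIX_RULES: &[(&str, &str, usize)] = &[
    ("aws-access-key-id", "AKIA", 20),
    ("github-pat", "ghp_", 40),
];

fn is_token_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '_' | '-' | '+' | '/')
}

/// Scan `text` line by line. `baseline` lists tokens accepted in an earlier review.
pub fn scan(text: &str, baseline: &[&str], min_len: usize, entropy_threshold: f64) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in text.lines().enumerate() {
        for token in line.split(|c: char| !is_token_char(c)).filter(|t| !t.is_empty()) {
            if baseline.contains(&token) {
                continue; // already triaged
            }
            let entropy = shannon_entropy(token);
            let structured = PREFIX_RULES.iter().find(|(_, prefix, len)| {
                token.len() == *len && token.starts_with(*prefix)
                    && token.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
            });
            let kind = match structured {
                Some((kind, _, _)) => *kind,
                // Fallback: long, high-entropy token with no known structure.
                None if token.len() >= min_len && entropy >= entropy_threshold => "high-entropy-string",
                None => continue,
            };
            out.push(Finding { line: i + 1, kind, token: token.to_string(), entropy });
        }
    }
    out
}

/// Constructed input for the demo; none of these values are real credentials
/// (the AKIA value is the placeholder from AWS's own documentation).
pub const SAMPLE: &str = "# constructed sample env file, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_HOST=localhost
API_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
SESSION_SECRET=q7Zp2mK9vL4xR8wT1nB6yH3cJ5dF0gA2
COMMENT=this_is_just_a_long_plain_identifier_name
";

fn main() {
    for f in scan(SAMPLE, &[], 20, 4.0) {
        println!("line {}: {} ({:.2} bits) {}", f.line, f.kind, f.entropy, f.token);
    }
}
```

The point of combining the two methods is visible in the sample: the 41-character snake_case identifier scores about 3.8 bits per character, so an entropy-only threshold of 3.5 would flag it, while the 32-character random secret scores about 4.9; the structured rules catch the two prefixed keys regardless of entropy, and the baseline removes a finding without lowering the threshold for everything else.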
Documentation Structure
Getting Started
Role-based quick-start guides:
- Developer Quick Start — run your first scan locally in under 5 minutes
- DevSecOps Quick Start — CI/CD integration, team setup, policy gates
- Cloud Engineer Quick Start — repository scanning, S3 buckets, infrastructure
Analysis Capabilities
- Overview — module selection, offline vs. online, unified finding schema
- AI-Assisted Code Analysis (SAST) — detection methods, language coverage, taint analysis internals
- AI-Assisted Secret Detection — entropy thresholds, baseline support, Git history scanning
Module Reference
- Dependency Analysis — ecosystem coverage, lockfile strategy, version recommendations
- SAST — supported languages, rule packs, confidence scoring
- Secrets Detection — detection methods, secret types, baselines
- API Security — analysis categories, OAuth/OIDC checks, strict mode
AI-Powered Features
- LLM Explanations & Auto-Fixes — provider setup, quotas, caching
Dashboard & Web Platform
- Dashboard Guide — web UI overview
- Organization Management — teams, members, shared quota
- Team Collaboration — workflows for security teams
Reference
- Configuration — environment variable reference with defaults
- System Architecture — DDD layering, composition root, cache architecture
- Orchestrator Observability — job lifecycle event model, instrumentation strategy
- FAQ — quota, offline capabilities, false positives, troubleshooting
Offline vs. Online Boundaries
Fully offline (no network required):
- SAST
- Secrets Detection
- API Security
Requires network:
- Dependency Analysis (OSV/NVD/GHSA lookups)
- LLM enrichment (explanations and fixes)
Self-Hosting
The server is a single Rust binary backed by PostgreSQL and optionally Dragonfly/Redis.
Minimum requirements:
- Rust 1.91+ (build only)
- PostgreSQL 12+
- Linux 5.13+ recommended (for Landlock sandbox; process isolation fallback works on older kernels)
```bash
export DATABASE_URL='postgresql://user:pass@localhost:5432/vulnera'
sqlx migrate run   # needs sqlx-cli installed (cargo install sqlx-cli)
cargo run
```
Full configuration reference: Configuration
License
Server and all analysis modules: AGPL-3.0-or-later
CLI, Advisors, LSP Adapter: AGPL-3.0-or-later (see each workspace’s LICENSE file)
Contributing
See the project README for the contribution guide, roadmap, and high-impact areas open for community work.