Frequently Asked Questions (FAQ)

Quick answers to common questions about Vulnera’s features, capabilities, and usage.

Quota & Rate Limiting

How much does analysis cost in tokens for Enterprise users?

Each operation consumes tokens from your daily quota:

Operation	Cost
Basic analysis	3 tokens
LLM explanation	6 tokens
Code fix generation	6 tokens
LLM query	6 tokens

Example: A full analysis (3) + 2 LLM features (12) = 15 tokens total.

Reference: Quota & Pricing Guide

What’s the difference between API key tier and organization tier?

Tier	Daily Limit	Use Case
Unauthenticated	10 tokens	Testing, no auth
API Key	40 tokens	Single integration
Organization	48 tokens	Team usage, shared quota

Team quota pools together: If an org has 5 members, all members share the 48-token daily limit (no per-member quota).

Can I increase my quota?

Yes. Options:

Organization tier - Upgrade to shared team quota (100 tokens/day)
Premium plan - Contact vulnera for higher limits
On-premise - Deploy Vulnera privately with unlimited quota

What happens when I exceed my quota?

You receive a 429 Too Many Requests error:

Quota resets at 00:00 UTC every day.

Offline Capabilities

What can Vulnera analyze offline (without internet)?

Module	Offline	Notes
SAST	✅ Yes	AST pattern matching (Python, JS, Rust)
Secrets	✅ Yes	Entropy + pattern matching + AST context
API	✅ Yes	OpenAPI schema analysis
Dependencies	❌ No	Requires CVE database
LLM	❌ No	Requires Gemini/OpenAI/Azure API

CLI offline scan:

vulnera analyze --source ./my-project --modules sast,secrets,api
# No internet required

Can I use Vulnera without an internet connection?

Partial. The CLI can run offline scans for SAST, Secrets, and API analysis. Dependency scanning requires internet (to fetch CVE data from registries).

Analysis Accuracy & False Positives

Why do I have false positives in secret detection?

Common causes:

Test/example secrets - Hardcoded in docs or tests
- Fix: Mark as .vulnera-ignore or use entropy baseline filters
Placeholder values - Keys like YOUR_API_KEY_HERE
- Fix: Entropy score filters exclude most placeholders
High-entropy strings - Random tokens in logs
- Fix: Configure entropy thresholds per secret type

False positive rate: <5% for high-confidence secrets (AWS keys, private certs)

Reference: Secrets Detection

How accurate is SAST analysis?

Detection rates:

Vulnerability	Confidence	False Positives
SQL Injection	95-98%	<3%
Cross-Site Scripting (XSS)	93-97%	<4%
Command Injection	92-95%	<5%
Hardcoded Secrets	98%+	<2%

Limitation: Cannot detect business logic flaws or complex multi-step attacks .

Why didn’t Vulnera detect a vulnerability I know exists?

Possible reasons:

Dynamic code patterns - Code generated at runtime
- SAST analyzes static AST; runtime patterns require dynamic analysis “next step In roadmap”
Complex data flow - Multi-step taint chains
- Default taint depth is 3 hops; increase with --taint-depth=5
Custom sanitizers - User-defined security functions not recognized
- Configure in .vulnera.toml under sast.custom_sanitizers
False negative filtering - Some detections suppressed to reduce noise
- Enable with --analysis-depth=full

Reference: SAST Analysis

Detection vs. LLM Features

What’s the difference between rule-based detection and LLM features?

Aspect	Detection Models	LLM Features (Explanation)
Purpose	Find vulnerabilities	Explain & fix vulnerabilities
Technology	Pattern matching, AST parsing, entropy	Google Gemini, OpenAI, Azure
Speed	<1 second	3-10 seconds
Offline	Yes	No
Cost	3 tokens	6 tokens
Deterministic	Yes – same input = same output	No – may vary slightly

Are detection models proprietary?

Detection models (SAST, Secrets, API) are rule-based and open-source:

SAST: tree-sitter AST patterns (GitHub open-source)
Secrets: Entropy + regex patterns (no ML fingerprints)
API: OpenAPI schema validation (OWASP standards)

LLM explanations use Google Gemini, OpenAI, or Azure.

Can I use Vulnera without LLM features?

Yes. All detection modules work offline:

vulnera analyze --source . --modules sast,secrets,api,dependencies
# No LLM explanations, but full analysis completed

LLM is optional for:

Explanations (vulnera explain-finding <id>)
Code fixes (vulnera generate-fix <id>)
Natural language queries (vulnera query "How do I...?")

Customization

Can I filter out certain secret types?

Yes:

# .vulnera.toml
[secrets]
ignored_patterns = [
  "GITHUB_TOKEN_PLACEHOLDER",  # Exact string match
  "^test_.*",                   # Regex patterns
]

# Or ignore by file
ignored_files = [
  "docs/examples.md",
  "tests/fixtures/**"
]

Command line:

vulnera analyze . --secrets-ignore-patterns="test_,example_"

Integration

How do I integrate Vulnera into GitHub Actions?

name: Security Scan
on: [push, pull_request]

jobs:
  vulnera:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: vulnera-dev/vulnera-action@v1
        with:
          api-key: ${{ secrets.VULNERA_API_KEY }}
          analysis-depth: standard
          fail-on-severity: high

Reference: DevSecOps Quick Start

Can I scan S3 buckets?

Yes:

vulnera analyze --source s3://my-bucket/project \
  --aws-credentials-from-env

Requirements:

AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY environment variables
S3 bucket must have read access

Reference: Cloud Engineer Quick Start

Does Vulnera support enterprise deployments?

Yes, three options:

SaaS (api.vulnera.studio) - Fully managed
Self-hosted Docker - On your infrastructure
Kubernetes helm chart - Enterprise clusters

Reference: Architecture - Deployment Models

Performance

How long does analysis take?

Typical times (standard depth):

Source	Size	Time
Small repo (5K LOC)	<1 MB	2-5 sec
Medium repo (50K LOC)	5-10 MB	10-30 sec
Large repo (800K LOC)	50-100 MB	1-5 min

Optimization:

# Faster (minimal depth)
vulnera analyze . --analysis-depth=minimal  # 2-3 sec

# Slower (full depth)
vulnera analyze . --analysis-depth=full     # +2-3x time

Can I parallelize scanning?

Yes:

# Scan 10 repos in parallel
for repo in repo1 repo2 ... repo10; do
  vulnera analyze $repo --source-type=git &
done
wait

Concurrency limits:

CLI: Unlimited (your machine)
API: 50 concurrent jobs per organization
Jobs queued beyond limit; respects rate limit

Organization & Teams

Create organization:
```
vulnera org create "My Team"
```

Invite members:

vulnera org members add teammate@company.com --role=analyst

Run scan under organization:

vulnera analyze . --org-id=<org-id>
# Results visible to all org members

Reference: DevSecOps Quick Start

What are organization roles?

Role	Permissions
Owner	Create/delete org, manage all settings, view all results
Admin *	Invite members, configure scanning policies, view analytics
Analyst *	Run scans, view results, generate reports
Viewer	View results only, read-only access

Troubleshooting

Vulnera says “API Key not found” but I set VULNERA_API_KEY

Check:

echo $VULNERA_API_KEY  # Verify variable is set
vulnera auth status   # Check authentication

Possible causes:

API key is revoked
API key doesn’t have required organization access
Environment variable not exported (use export VULNERA_API_KEY=...)

Analysis returns empty results but I expect findings

Check:

Verify modules are enabled:

vulnera analyze . --modules=all --verbose
# Should list sast, secrets, api, dependencies

Lower analysis depth:

vulnera analyze . --analysis-depth=full  # More aggressive

Check file filter:

vulnera analyze . --include-files="**/*.py,**/*.js"

LLM explanations are slow or timing out

Solutions:

Increase timeout: vulnera config set llm.timeout=60
Use organization tier for higher concurrency
Request explanations asynchronously: vulnera explain --async

Dashboard & Web Platform

What is Vulnera Studio?

Vulnera Studio is the enterprise-managed SaaS platform for Vulnera. It provides:

Personal Dashboard - View your scans and findings
Organization Management - Team collaboration with shared quotas
API Key Management - Generate keys for CLI and API access
Integrations - Connect GitHub, GitLab, Slack, webhooks
Analytics & Reporting - Track team metrics and generate compliance reports
Billing Management - Manage subscriptions

Status: Vulnera Studio is planned for post-1.0 release. Currently, the Community Edition provides a full self-hosted server with web UI at no cost.

Current alternative: Deploy the Community Edition server locally - it includes the same web UI, API, and analysis capabilities.

Reference: Dashboard Guide

How do I create an organization?

Step-by-step (Self-hosted server):

Access your Vulnera server at http://localhost:3000
Sign up with your email
Click + New Organization in sidebar
Enter organization name, description, and logo (optional)
Click Create - you’re now the owner

What you get:

Team member management (invite/remove members)
Centralized reporting and analytics
Organization API keys for CI/CD
Shared quota pooling

Reference: Organization Management

How do I invite team members?

Invite members to your organization:

Go to Settings → Members
Click Invite Member
Enter email address(es) and select role:
- Admin - Manage team, integrations, settings
- Member - Create scans, resolve findings
- Viewer - Read-only access (good for executives)
Click Send Invitations
Members receive email with join link

Roles & Permissions:

Owner - Full access, billing, delete organization
Admin - Members, settings, integrations (no billing)
Member - Create/view scans, resolve findings
Viewer - Read-only access to scans and reports

Reference: Team Collaboration

How do I generate an API key for the CLI?

Generate API key (self-hosted server):

Access your Vulnera server at http://localhost:3000
Go to Settings → API Keys
Click Generate New Key
Name the key (e.g., “GitHub Actions”, “Local Dev”)
Set expiration (Never, 30 days, 90 days, 1 year)
Click Create and copy immediately (not shown again)
Store securely in your credential manager or CI/CD secrets

Use in CLI:

vulnera auth login --api-key YOUR_API_KEY

Use in GitHub Actions:

- name: Scan with Vulnera
  env:
    VULNERA_API_KEY: ${{ secrets.VULNERA_API_KEY }}
  run: vulnera analyze . --all-modules

Security: Rotate API keys every 90 days. Revoke unused keys immediately.

What’s the difference between personal and organization API keys?

Aspect	Personal Key	Organization Key
Quota	40 tokens/day (your own)	Shared org quota (48/day for Free, 1000 for Pro)
Access	Your scans only	All org members’ scans
Team	Individual	Shared across team
Use case	Local dev, personal projects	CI/CD, team automation
Generated in	Settings → API Keys	Organization → Settings → API Keys

Best practice: Use organization keys for CI/CD pipelines; personal keys for local testing.

How do I upgrade my organization’s plan?

For self-hosted Community Edition: The Community Edition is free and includes all core features. There is no upgrade path within the open-source version.

For Enterprise features: Contact Vulnera sales for licensing information about:

DAST, IaC, CSPM, Fuzz testing modules
SBOM generation and License compliance
Vulnera Studio SaaS (when available)
Enterprise SSO (SAML/OIDC)
Priority support and SLA

Reference: Quota & Pricing

How do I connect GitHub for automatic scanning?

GitHub Integration setup (self-hosted server):

Go to your Vulnera server → Settings → Integrations → GitHub
Click Connect GitHub
Authorize Vulnera GitHub App (select repos or all repos)
Enable auto-scan triggers:
- On push to main/develop
- On all pull requests
- Scheduled daily scan
Save - scans now run automatically

What happens:

PRs show Vulnera status checks
Comments added to PRs with findings
Merge blocked if critical issues found (configurable)
Results uploaded to GitHub code scanning

Reference: Dashboard Guide - GitHub Integration

How do I set up Slack notifications?

Enable Slack integration (self-hosted server):

Go to your Vulnera server → Settings → Integrations → Slack
Click Connect Slack Workspace
Authorize Vulnera app in Slack
Select notification channel
Configure notification types:
- Critical findings (immediate)
- Daily digest
- Weekly summary
- Quota alerts
Save

Example Slack message:

🚨 Critical Vulnerability Found
Repo: acme/backend
Finding: SQL Injection in /api/users.py
CVSS: 9.2
→ View Details [Link]

Reference: Dashboard Guide - Slack Integration

How do I view team analytics and usage?

Organization Analytics (self-hosted server):

Go to your Vulnera server → Organization → Analytics
View dashboard:
- Total quota used vs. remaining
- Per-member breakdown (token consumption)
- Module usage (pie chart: Dependencies, SAST, Secrets, API)
- 6-month usage trend
- Top analyzed projects

Export report:

Click Export
Choose format: CSV, JSON, or PDF
Download for spreadsheets or stakeholder reporting

Reference: Dashboard Guide - Quota Management

Can I generate compliance reports from the dashboard?

Basic reporting available (self-hosted server):

Go to your Vulnera server → Reports
Select report type:
- Security summary
- Vulnerability trends
- Member activity
Select date range
Export as CSV, JSON, or PDF

Enterprise compliance reports (planned):

SOC2 Type II
ISO 27001
GDPR
HIPAA
PCI DSS

These require the Enterprise license and Vulnera Studio SaaS (post-1.0).

Reference: Dashboard Guide - Reporting & Export

How do I remove a team member?

Remove member from organization:

Go to your Vulnera server → Settings → Members
Find member in list
Click Remove (⋯ menu)
Confirm removal - member loses access immediately

What happens:

Member can no longer see organization scans
Their scans remain in history (for audit)
Their API keys are revoked
Activity logged in audit trail

Reinvite later: Can re-invite removed members anytime

Reference: Organization Management - Removing Members

Security & Privacy

Is my code scanned securely?

Data handling:

Data	Storage	Retention
Code artifacts	Encrypted in transit, encrypted at rest	30 days (deleted)
Findings	Database (encrypted)	Until you delete
API keys	Hashed in database	Until revoked
User data	GDPR compliant	Until account deletion

Reference: Architecture - Security Model

Can I see Vulnera’s source code?

Yes. Vulnera is open core with a clear split:

Open Source (AGPL-3.0 Community Edition):

SAST engine with tree-sitter and taint analysis
Secrets detection with entropy + patterns
Dependency scanning with CVE lookup
API security analysis
LLM provider abstractions
Sandboxing backends (Landlock, Seccomp, WASM)
Full CLI and REST API

Enterprise Features (Proprietary - require license):

DAST (dynamic application security testing)
IaC security (Terraform, Kubernetes, Docker)
CSPM (cloud security posture management)
Fuzz testing
SBOM generation
License compliance scanning
Malicious package detection
Vulnera Studio SaaS platform

Reference: GitHub repository and Philosophy - Open Core

Is on-premise deployment available?

Yes. Vulnera is self-hosted by default. The AGPL Community Edition includes the full server binary with web UI, REST API, and all analysis modules. Deploy on your own infrastructure using Docker, Kubernetes, or bare metal.

Enterprise customers can also use Vulnera Studio (managed SaaS) when available.

Reference: Architecture - Deployment Models

Cost & Licensing

What are the licensing tiers?

Vulnera uses an open-core model:

Tier	License	Features	Cost
Community	AGPL-3.0	Full self-hosted server, SAST, Secrets, Dependencies, API, LLM	Free
Enterprise	Proprietary	DAST, IaC, CSPM, Fuzz, SBOM, License Compliance, Vulnera Studio SaaS	Contact sales

The Community Edition is fully functional and free. Enterprise features are additive - they don’t remove capabilities from open source.

Reference: Open Core: Community vs Enterprise

What if I exceed my quota?

For self-hosted Community Edition: Quotas are configurable by the server administrator. There is no per-use billing for self-hosted deployments.

For Enterprise (when Vulnera Studio is available): Contact Vulnera for quota management options.

The Community Edition has no inherent quota limits - you control your own infrastructure.

Getting Help

Resources:

Documentation: Full guide
Community: GitHub Discussions
Documentation: Full guide
Enterprise: Contact Vulnera sales for enterprise licensing and SLA.

For bugs: GitHub Issues

Keyboard shortcuts

Vulnera Documentation