Documentation

Everything you need to know about VulScan - from getting started to advanced features

What is VulScan?

VulScan is a context-aware Python security vulnerability scanner that eliminates false positives through intelligent reachability analysis. Unlike traditional scanners that flag every dependency vulnerability, VulScan traces your actual code execution paths to determine if vulnerable functions are truly reachable in your application.

The Problem We Solve

Most vulnerability scanners report hundreds of issues, but 80-90% are false positives because your code never actually uses the vulnerable functions. This creates alert fatigue and wastes engineering time investigating non-issues.

Key Features

Context-Aware Reachability

Code analysis traces execution paths to identify only reachable vulnerabilities

Multi-Source Detection

Combines OSV, NVD, PyPI, GitHub Advisories, and CVE databases

Compliance Reports

SBOM, license compliance, and detailed security reports for audits

Blazing Fast

Cloud Functions architecture with intelligent caching for instant results

Getting Started

1. Create an Account

Sign up with your email or use Google OAuth for instant access. No credit card required for the free tier.

2. Create a Project

From your dashboard, click "Create Project" and give it a name. Projects help you organize scans for different applications.

3. Start Your First Scan

Choose your preferred scan method (GitHub URL, file upload, or requirements.txt) and let VulScan analyze your code. Results are ready in minutes!

Scan Methods

VulScan offers three flexible ways to scan your Python code:

GitHub Repository URL

Simply paste your GitHub repository URL and VulScan will clone and analyze it automatically.

Example:
https://github.com/yourusername/your-python-project

Best for:

  • Public repositories
  • Regular CI/CD integration
  • Team collaboration

ZIP File Upload

Upload a ZIP file containing your Python project. VulScan will extract and scan all Python files and dependencies.

Requirements:

  • ZIP format only
  • Must contain requirements.txt or pyproject.toml
  • Maximum file size: 50MB

Best for:

  • Private projects
  • One-time scans
  • Offline development

Requirements.txt Only

Paste your requirements.txt content directly for a quick dependency-only scan (no reachability analysis).

Example:
flask==2.0.1
requests==2.26.0
django==3.2.0

Best for:

  • Quick dependency checks
  • License compliance audits
  • Pre-installation vulnerability screening

Note: This method only scans dependencies. Reachability analysis requires full source code (GitHub URL or ZIP upload).

Reachability Analysis

Reachability analysis is VulScan's core differentiator. Here's how it works:

The Reachability Process

1. Import Graph Construction

VulScan parses all Python files to build a complete dependency graph showing how modules import and use each other.

2. Vulnerability Mapping

Each detected vulnerability is mapped to specific functions or methods in the vulnerable package.

3. Path Tracing

VulScan traces code execution paths from your entry points to determine if vulnerable functions are actually called.

4. Categorization

Vulnerabilities are marked as "Reachable" (critical) or "Not Reachable" (low priority) with exact file locations and line numbers.

Example Scenario

Scenario: Your project uses requests==2.25.0, which has a known vulnerability in the urllib3 SSL verification function.

Traditional Scanner

Reports vulnerability as CRITICAL because the package is installed, even if you never use SSL features.

VulScan

Analyzes your code; if you only call requests.get() without SSL options, the vulnerability is marked NOT REACHABLE.
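The four steps above, reduced to a toy analyzer over a constructed two-module project; this is an added example, not VulScan's code. It assumes a hypothetical dependency vulnlib whose advisory affects only vulnlib.insecure_verify, resolves only static dotted call targets and module-level imports (no class scopes or dynamic dispatch), and returns the call path as the proof of reachability.

```python
import ast

# Constructed sample project (module -> source). "vulnlib" and the advisory
# limited to vulnlib.insecure_verify are hypothetical, not a real package/CVE.
PROJECT = {
    "app": "import helpers, vulnlib\n\ndef main():\n"
           "    vulnlib.fetch('x')\n    helpers.run()\n",
    "helpers": "from vulnlib import insecure_verify\nimport vulnlib\n\n"
               "def run():\n    return vulnlib.fetch('y')\n\n"
               "def unused():\n    return insecure_verify()\n",
}
VULNERABLE = {"vulnlib.insecure_verify"}  # step 2: advisory -> function

def collect(node, scope, mod, aliases, graph):
    # Record each call made inside `scope` as an edge; a def opens a new scope.
    for child in ast.iter_child_nodes(node):
        inner = f"{mod}.{child.name}" if isinstance(child, ast.FunctionDef) else scope
        if isinstance(child, ast.Call):
            name = ast.unparse(child.func)
            if name.replace(".", "").isidentifier():  # skip dynamic targets
                head, _, rest = name.partition(".")
                base = aliases.get(head, f"{mod}.{head}")  # unimported = local def
                graph.setdefault(scope, set()).add(f"{base}.{rest}" if rest else base)
        collect(child, inner, mod, aliases, graph)

def build_call_graph(project):
    # Step 1: parse each module, resolve its imports, collect call edges.
    graph = {}
    for mod, src in project.items():
        tree, aliases = ast.parse(src), {}
        for n in ast.walk(tree):
            if isinstance(n, (ast.Import, ast.ImportFrom)):
                prefix = f"{n.module}." if isinstance(n, ast.ImportFrom) else ""
                aliases.update({a.asname or a.name: prefix + a.name for a in n.names})
        collect(tree, f"{mod}.<module>", mod, aliases, graph)
    return graph

def trace(graph, entry, vulnerable):
    # Steps 3-4: BFS from the entry point; the call path found is the proof.
    parent, queue = {entry: None}, [entry]
    while queue:
        cur = queue.pop(0)
        for callee in graph.get(cur, ()):
            if callee not in parent:
                parent[callee] = cur
                queue.append(callee)
    def path_to(node):  # walk parent links back to the entry point
        return [] if node is None else path_to(parent[node]) + [node]
    return {v: ("Reachable", path_to(v)) if v in parent else ("Not Reachable", [])
            for v in vulnerable}
```

With the sample project, helpers.unused is never called from app.main, so the advisory is reported Not Reachable; change main to call helpers.unused() and the same advisory becomes Reachable with the path app.main -> helpers.unused -> vulnlib.insecure_verify.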

Reachability Indicators

Reachable (HIGH PRIORITY)

Vulnerable function is called in your code. Immediate action required.

Potentially Reachable (MEDIUM PRIORITY)

Code path exists but may not be executed in production. Review recommended.

Not Reachable (LOW PRIORITY)

Vulnerable function is not used. Safe to ignore or address during regular maintenance.

Vulnerability Detection

VulScan provides comprehensive vulnerability information for every detected issue:

What We Detect

  • Known CVEs and security advisories
  • Outdated packages with known fixes
  • License compliance issues
  • Malicious packages (typosquatting)
  • Deprecated dependencies

Information Provided

  • CVE ID and severity score (CVSS)
  • Detailed vulnerability description
  • Affected versions and fixed versions
  • Reachability status
  • Remediation recommendations
  • Exact file locations and line numbers

Severity Levels

  • CRITICAL: CVSS 9.0-10.0 - Immediate action required
  • HIGH: CVSS 7.0-8.9 - Fix within 7 days
  • MEDIUM: CVSS 4.0-6.9 - Fix within 30 days
  • LOW: CVSS 0.1-3.9 - Address in next update cycle

Reports & Compliance

VulScan generates comprehensive reports for security audits, compliance, and team collaboration:

Security Summary Report

High-level overview of your security posture with key metrics and trends.

  • Total vulnerabilities by severity
  • Reachable vs. non-reachable breakdown
  • Top 10 riskiest dependencies
  • Remediation priority list

SBOM (Software Bill of Materials)

Complete inventory of all software components and dependencies.

  • Package name, version, and license
  • Dependency tree visualization
  • Transitive dependencies
  • Export formats: JSON, CSV, SPDX

License Compliance Report

Identify licensing issues and ensure compliance with your organization's policies.

  • All licenses used in dependencies
  • GPL/LGPL/AGPL warnings
  • Commercial license identification
  • Unknown or missing licenses

Detailed Vulnerability Report

In-depth analysis of each vulnerability with remediation guidance.

  • CVE details and external references
  • Proof of reachability (file paths, code snippets)
  • Step-by-step fix instructions
  • Links to patches and security advisories

Security Data Sources

VulScan aggregates data from multiple authoritative security databases to ensure comprehensive coverage:

OSV (Open Source Vulnerabilities)

Google's distributed vulnerability database covering Python and other ecosystems.

NVD (National Vulnerability Database)

U.S. government repository of CVE information with CVSS scores.

PyPI Security Advisories

Official Python Package Index security notifications.

GitHub Security Advisories

GitHub's curated database of vulnerabilities in open source projects.

Libraries.io

Package metadata and license information with fallback support.

ClearlyDefined.io

License and copyright data for open source components.

Intelligent Caching

VulScan uses Firestore-based persistent caching (24-hour TTL) to ensure fast scans without hitting API rate limits. Common packages like requests, numpy, and flask are served instantly from cache.

Architecture & Technology

VulScan is built on modern, scalable cloud infrastructure:

Frontend

  • Next.js 14 - React framework with App Router
  • TypeScript - Type-safe development
  • Tailwind CSS - Modern, responsive UI
  • SWR - Client-side caching and data fetching

Backend

  • Firebase Cloud Functions - Serverless Python scanning engine
  • Firestore - NoSQL database for scan results and metadata
  • Firebase Storage - Secure storage for uploaded code (auto-deleted after 4 months)
  • Firebase Authentication - Google OAuth and email/password auth

Scanning Engine

  • Python AST Parser - Static analysis of Python code
  • Dependency Graph Builder - Import tree construction
  • Reachability Analyzer - Path tracing
  • Multi-API Client - Intelligent rate limiting and fallback

Performance Optimizations

  • 24-hour Firestore cache for package metadata
  • Per-domain rate limiters with exponential backoff
  • Parallel API calls for faster data fetching
  • Incremental scan updates (only scan changed files)

Data Retention & Privacy

All uploaded source code and scan results are automatically deleted after 4 months. We never share your code with third parties. See our Privacy Policy for details.

Frequently Asked Questions

How accurate is reachability analysis?

VulScan's reachability analysis uses static code analysis and path tracing to achieve 95%+ accuracy. While no automated tool is perfect, our context-aware approach dramatically reduces false positives compared to traditional dependency scanners.

What happens to my code after I upload it?

Your code is temporarily stored securely in Firebase Storage with encryption at rest and in transit. It's only accessible by you and our scanning engine. All code is automatically deleted as soon as scanning is completed successfully. We never share your code with third parties.

Can I scan private repositories?

Yes! You can upload ZIP files for private repositories. We're working on GitHub OAuth integration to support private repos via URL scanning.

How often is vulnerability data updated?

We sync with security databases (OSV, NVD, PyPI, GitHub Advisories) daily. When you run a scan, you get the most up-to-date vulnerability information available.

Do you support languages other than Python?

Currently, VulScan only supports Python. We're planning to add JavaScript/Node.js and Java support in the future based on user demand.

Can I integrate VulScan into my CI/CD pipeline?

API integration for CI/CD is coming soon for Pro and Enterprise plans. You'll be able to trigger scans automatically on every commit or pull request.

What's your refund policy?

We offer a free tier so you can test VulScan before upgrading. All sales are final - see our Refund Policy for details.