Developer Platform for Go & Java

Getting Started with Vokt

From install to call graph analysis in under 5 minutes

Vokt builds precise call graphs from compiled Go and Java code, extracts behavioral facts (guards, mutations, error flows), computes confidence-weighted blast radius, detects architectural hubs, and scores risk on every change. All analysis runs locally.

What Vokt Analyzes

Call Graph & Metrics

  • Precise call graphs from compiled code
  • Confidence-weighted blast radius
  • Hub detection with centrality scoring
  • Strongly connected component detection

Behavioral Extraction

  • Guards (pre-conditions and early exits)
  • Mutations (state changes to non-local data)
  • Error flows (failure paths and error handling)
  • Call patterns (conditional, looped, deferred)

Risk & Change Detection

  • Transparent risk scores (0–100) with component breakdowns
  • Behavioral diffs with severity scoring
  • Reliability ratings on every metric
  • Git signals: churn, bus factor, co-change

Language Support

  • Go: SSA-based analysis with interface dispatch resolution
  • Java: Bytecode analysis with pointer analysis
  • Kotlin & Scala: analyzed via JVM bytecode
  • Spring DI: annotation-based wiring resolved

Prerequisites

  • - Package Manager — Homebrew (macOS/Linux) or Chocolatey (Windows)
  • - Vokt License and activate it
  • - Compilable project — Go: go build ./... must succeed. Java: mvn compile or ./gradlew classes must succeed.

Why compilation is required: Vokt analyzes compiled code at the level where type information is complete. Go SSA form requires type-checked packages. Java bytecode carries complete type information including generics, bridge methods, and synthetic methods. Source-only analysis cannot resolve interface dispatch or dependency injection reliably.

Quick Start

Step 1: Install Vokt

brew tap maneeshchaturvedi/vokt
brew install vokt

# Verify installation
vokt --version

Step 2: Run Full Analysis

Navigate to your project and run analysis. Vokt detects the language(s), invokes the appropriate analysis engine, builds the call graph, extracts behavioral facts, and computes all metrics.

cd your-project

# Run full analysis (auto-detects Go, Java, or both)
vokt analyze

# Specify language explicitly
vokt analyze --lang go
vokt analyze --lang java

# Java with Spring DI resolution
vokt analyze --lang java --di-mode spring

# Include test functions in the analysis
vokt analyze --no-tests=false

Results are stored locally in .vokt/vokt.db (SQLite). Run vokt verify-graph to understand the analysis quality before relying on metrics.

Step 3: Explore Metrics

Once analysis completes, explore the results with dedicated commands.

# Show risk-ranked functions
vokt risk --top 10

# Show hub functions by centrality
vokt hub --top 10

# Show blast radius for a specific function
vokt blast "pkg/payment.ProcessPayment"

# Launch the web viewer
vokt serve

Example: Risk Score Output

Every risk score shows its component breakdown and reliability rating:

Risk Score: 78 (MEDIUM reliability)
├── Blast Radius:      88  (weighted: 31.4, conservative: 23)
├── Hub Centrality:    91  (23 callers, betweenness: 0.91)
├── Churn Rate:        72  (2.3 commits/week over 90 days)
├── Bus Factor:        65  (2 distinct authors)
├── Complexity:        45  (CC=8, nesting=4)
└── Co-change:         40  (3 hidden coupling pairs)

Reliability: MEDIUM — 21% of blast zone edges are DI synthetic.

Example: Blast Radius Output

Blast radius is never a bare integer — it always comes with confidence:

Function: PaymentService.processPayment
Blast radius (conservative, conf ≥ 0.85): 23
Blast radius (weighted):                   31.4
Blast radius (upper bound, all edges):     47

Edge confidence profile:
  High confidence (≥0.85):    68% of edges
  Medium (0.50–0.85):         21% of edges
  Low (<0.50, mostly DI/CHA): 11% of edges

Reliability: HIGH

Step 4: Detect Behavioral Changes

Compare analysis results between two commits to detect behavioral drift. Vokt produces per-field diffs showing exactly which guards, mutations, and error paths changed:

# Compare current branch against main
vokt diff --base main

# Show only major or critical changes
vokt diff --min-severity major

# Fail in CI if critical severity detected
vokt diff --fail-on critical

# Output as JSON or SARIF
vokt diff --format json

Stable call identity: Vokt's behavioral diff uses resolved receiver types and ordinal positions to identify calls — not variable names. Two calls to repo.Save() in the same function are distinguished. Renaming a variable or reformatting code does not produce a false diff.

CI/CD Integration

Vokt integrates into your CI pipeline with threshold-based fail conditions. Run vokt analyze on both base and head commits, then vokt diff to detect behavioral drift. Vokt exits non-zero when thresholds are exceeded.

Severity Thresholds

Block on minor, major, or critical severity. Guard removal = CRITICAL. New mutation = MAJOR.

Multiple Output Formats

JSON, SARIF, Markdown, or the web viewer. Integrate with any CI system.

PR-Scoped Risk

Use vokt risk --pr to restrict risk analysis to functions changed in the current PR.

Next Steps

CLI Reference

Complete documentation for all commands with flags and examples.