HEIDI: Free IDE security plugin for open-source vulnerability checks
Mirko Zorz, Director of Content, Help Net Security
May 12, 2026
Open-source dependencies make up a large percentage of the code in production applications, and most vulnerability checks still run late in the pipeline, inside CI/CD systems or after a release ships. Meterian is moving those checks earlier with HEIDI, a free plugin for Visual Studio Code and JetBrains IDEs that flags vulnerable packages and offers one-click upgrades from inside the editor.
HEIDI is also distributed through the OpenVSX registry and has recorded close to 5,000 installs in its first month on the Visual Studio Code Marketplace. It supports Java, .NET, Node.js, Python, PHP, Ruby, Rust, and Go, and scans only manifest files, leaving source code on the developer’s machine.
Real-time data versus stale model knowledge
HEIDI ships with a built-in Model Context Protocol (MCP) server, which lets AI coding assistants query live vulnerability data when generating or reviewing code. Supported clients include GitHub Copilot, Cursor, Windsurf, Claude Code, Gemini CLI, and Codex CLI. The integration is designed to give LLMs current threat intelligence at the moment they suggest a dependency, closing the gap created by training-data cutoffs.
Roberto Franchini, an open-source developer working on ArcadeDB, said HEIDI “serves as an important live security layer by comparing AI proposals with current threat intelligence information,” letting teams use AI coding tools “without incurring the security debt from old data sets.”
Bruno Bossola, CTO and co-founder of Meterian, told Help Net Security that the speed of the data pipeline is central to that promise. “We actively monitor CVEs and security disclosures in major open-source projects at the source, including upstream advisories and official project announcements. For those monitored projects, our database is typically updated within hours of the official disclosure,” he said. “In many cases, this means HEIDI can flag the issue before it appears in downstream OSINT sources such as the GitHub Advisory Database, and several days before the CVE record or NVD entry is fully published or enriched.” For projects outside the monitored set, Meterian ingests major open-source vulnerability databases every two hours.
Auto-registration with AI clients
One design choice likely to draw scrutiny is HEIDI’s automatic registration with the AI clients it integrates with. The plugin writes the minimum configuration each tool needs to recognize it, without prompting the user separately for every client.
Bossola defended the approach on practical grounds. “An IDE plugin, or a CLI integration, cannot provide results inside that client unless the client knows the plugin exists and has the necessary configuration to invoke it. In that sense, registration is not a separate data-access event; it is the technical step that enables the user-installed integration to operate,” he said. “HEIDI does not use this registration to take control of the client, exfiltrate code, or silently grant itself additional permissions.” Where a client provides its own consent or extension flow, HEIDI follows it. Meterian will continue to review user feedback on the model.
Handling false positives and reachability
False positives have long been a sore point for software composition analysis. Bossola took a strict line on the topic. “Our database contains only precise package coordinates, and all vulnerabilities are deduplicated during ingestion. Our philosophy is that there is no point in keeping a known vulnerable package in a codebase when a patched version is readily available, which is the case in the vast majority of occasions.” Snoozing a finding takes one click for the rare cases where a result needs to be set aside.
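To make the "precise package coordinates, deduplicated during ingestion" idea concrete, here is an added illustration in Python. It is not Meterian's or HEIDI's code: it normalises package names the way each registry compares them, merges records that describe the same issue arriving from different feeds (keeping every alias id and the earliest publication time), and answers a lookup for one exact package version with one finding. The feed records, advisory ids, timestamps and the dedup key (ecosystem, package, affected versions, fixed-in version) are all constructed for the example.

```python
"""Advisory ingestion keyed on precise package coordinates.

Added illustration, not Meterian's or HEIDI's code. Records from two
constructed feeds are normalised to exact package coordinates, deduplicated
and their alias ids merged, so a lookup for one package version yields one
finding. The feed records, ids and timestamps below are made up; the dedup
key (ecosystem, package, affected versions, fixed_in) is this example's rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


def canonical_name(ecosystem: str, name: str) -> str:
    """Normalise a package name the way its registry compares names."""
    if ecosystem == "pypi":
        # PEP 503: runs of '-', '_' and '.' collapse to '-', case-insensitive.
        return re.sub(r"[-_.]+", "-", name).lower()
    if ecosystem == "npm":
        return name.lower()  # the npm registry only allows lowercase names
    if ecosystem == "maven":
        return name.strip()  # groupId:artifactId, compared case-sensitively
    raise ValueError(f"unsupported ecosystem: {ecosystem!r}")


# (ecosystem, canonical package, affected versions, fixed_in)
Key = Tuple[str, str, Tuple[str, ...], str]


@dataclass
class Advisory:
    ecosystem: str
    package: str
    affected: Tuple[str, ...]
    fixed_in: str
    ids: Set[str] = field(default_factory=set)
    sources: List[str] = field(default_factory=list)
    first_seen: str = ""  # earliest ISO-8601 'published' across merged sources


def ingest(records: Iterable[dict]) -> Dict[Key, Advisory]:
    """Build a deduplicated index from raw feed records."""
    index: Dict[Key, Advisory] = {}
    for rec in records:
        eco = rec["ecosystem"]
        pkg = canonical_name(eco, rec["package"])
        affected = tuple(sorted(rec["affected"]))
        key: Key = (eco, pkg, affected, rec["fixed_in"])
        adv = index.get(key)
        if adv is None:
            adv = Advisory(eco, pkg, affected, rec["fixed_in"])
            index[key] = adv
        adv.ids.update(rec["ids"])
        adv.sources.append(rec["source"])
        # ISO-8601 UTC timestamps of equal precision compare as strings.
        if not adv.first_seen or rec["published"] < adv.first_seen:
            adv.first_seen = rec["published"]
    return index


def lookup(index: Dict[Key, Advisory], ecosystem: str, name: str, version: str) -> List[Advisory]:
    """Return every advisory whose affected set contains this exact version."""
    pkg = canonical_name(ecosystem, name)
    return [a for a in index.values()
            if a.ecosystem == ecosystem and a.package == pkg and version in a.affected]


# Constructed sample feed: the first two records describe the same issue as
# seen upstream and later in a downstream aggregator; the third is unrelated.
# The CVE-0000-* ids are placeholders, not real identifiers.
FEED = [
    {"source": "upstream-advisory", "ecosystem": "pypi", "package": "Foo_Lib",
     "ids": ["FOOLIB-2026-001"], "affected": ["1.4.0", "1.4.1"], "fixed_in": "1.4.2",
     "published": "2026-05-01T09:00:00Z"},
    {"source": "downstream-aggregator", "ecosystem": "pypi", "package": "foo.lib",
     "ids": ["CVE-0000-0001"], "affected": ["1.4.1", "1.4.0"], "fixed_in": "1.4.2",
     "published": "2026-05-03T17:30:00Z"},
    {"source": "downstream-aggregator", "ecosystem": "npm", "package": "Bar-Widget",
     "ids": ["CVE-0000-0002"], "affected": ["0.9.0"], "fixed_in": "0.9.1",
     "published": "2026-05-02T08:00:00Z"},
]

INDEX = ingest(FEED)

if __name__ == "__main__":
    for hit in lookup(INDEX, "pypi", "foo-lib", "1.4.1"):
        print(hit.package, sorted(hit.ids), "fixed in", hit.fixed_in, "first seen", hit.first_seen)
```

The point of the canonicalisation step is that `Foo_Lib` and `foo.lib` are the same PyPI project, so a scanner that keyed on the raw string would either miss the match or report the same issue twice. Keeping `first_seen` across merged sources is also what lets a team measure the lead time between an upstream disclosure and its appearance in a downstream feed.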
Meterian also takes a firm position on reachability analysis, the practice of suppressing alerts when a vulnerable function is judged unreachable in a given codebase. “We do not consider an unreachable vulnerable package to be a false positive. The vulnerable package is still present in the codebase, still part of the software supply chain, and still needs to be understood and managed,” Bossola said. He noted reachability can serve as a prioritization signal in large environments, with AI-assisted code analysis available to trace usage paths when teams need a deeper view.
Upgrade paths and download
When a vulnerable dependency is found, HEIDI proposes safe upgrades along semantic versioning lines, offering the safest available version at patch, minor, and major levels so teams can pick the change they are willing to absorb. For transitive dependencies, HEIDI can identify and recommend an upgrade to the parent package that pulls in a patched version, where the ecosystem and package manager support that resolution.
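The upgrade-path logic described above, as an added illustration in Python that is not HEIDI's or Meterian's code. Given the version a manifest pins, the versions a registry offers and the versions known to be vulnerable, it reports the highest non-vulnerable version reachable as a patch, minor or major change, and, for a transitive dependency, the smallest parent upgrade that pulls in a patched child. The package names, version lists and parent lock table are constructed; reading "safest" as "highest non-vulnerable version within that level" is this example's own interpretation.

```python
"""Safe-upgrade selection along semantic-versioning lines.

Added illustration, not HEIDI's or Meterian's code. Version lists, the
parent lock table and the reading of "safest" as "highest non-vulnerable
version within the level" are this example's own assumptions.
"""
from __future__ import annotations

from typing import Callable, Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse strict 'MAJOR.MINOR.PATCH'; pre-release or build tags are rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def upgrade_levels(current: str, available: List[str], vulnerable: Set[str]) -> Dict[str, Optional[str]]:
    """Highest non-vulnerable version above `current` at each semver level.

    patch: same major.minor     minor: same major, higher minor
    major: higher major         None: no safe version exists at that level
    """
    cur = parse_version(current)
    bad = {parse_version(v) for v in vulnerable}
    safe = [v for v in map(parse_version, available) if v > cur and v not in bad]

    def pick(keep: Callable[[Version], bool]) -> Optional[str]:
        candidates = [v for v in safe if keep(v)]
        return format_version(max(candidates)) if candidates else None

    return {
        "patch": pick(lambda v: v[:2] == cur[:2]),
        "minor": pick(lambda v: v[0] == cur[0] and v[1] > cur[1]),
        "major": pick(lambda v: v[0] > cur[0]),
    }


def parent_upgrade(parent_current: str, parent_lock: Dict[str, str], vulnerable_child: Set[str]) -> Optional[str]:
    """For a transitive dependency: the smallest parent upgrade whose pinned
    child version is not vulnerable. `parent_lock` maps each parent version to
    the child version it resolves to (what a lockfile or registry would report)."""
    cur = parse_version(parent_current)
    bad = {parse_version(v) for v in vulnerable_child}
    for parent_version, child_version in sorted(parent_lock.items(), key=lambda kv: parse_version(kv[0])):
        if parse_version(parent_version) > cur and parse_version(child_version) not in bad:
            return parent_version
    return None


# Constructed registry view for a direct dependency "foo-lib" pinned at 2.3.1.
AVAILABLE = ["2.3.2", "2.3.3", "2.3.4", "2.4.0", "2.4.1", "2.5.0", "3.0.0", "3.1.0"]
VULNERABLE = {"2.3.1", "2.3.2", "2.4.0", "3.0.0"}

# Constructed lock table: which foo-lib version each "web-framework" release pulls in.
PARENT_LOCK = {"1.2.0": "2.3.1", "1.2.1": "2.3.2", "1.3.0": "2.3.4", "2.0.0": "2.5.0"}

if __name__ == "__main__":
    print("direct:", upgrade_levels("2.3.1", AVAILABLE, VULNERABLE))
    print("transitive via web-framework:", parent_upgrade("1.2.0", PARENT_LOCK, VULNERABLE))
```

Two details matter in practice: a level can legitimately come back as `None` (no safe patch release exists, so the team has to accept a larger change), and the transitive case deliberately takes the smallest parent bump that resolves the issue rather than the newest parent, because the parent upgrade is the change the team actually absorbs. The strict version parser rejects pre-release tags; a real implementation would need the full semver precedence rules for those.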
HEIDI is available for free download on the Visual Studio Code marketplace, the JetBrains marketplace, and the OpenVSX registry.