Heimdall uses your local AI tools to scan code for security flaws

Heimdall is a that finds in your code by routing files through AI tools you already have installed — Claude Code, Gemini, Codex, or Opencode. You point it at a source folder, it sends the files to whichever local AI tools you have, collects their findings, removes duplicates, and outputs a clean report in JSON, Markdown, or SARIF format. Everything runs on your machine: no code is sent to external servers and no separate API keys are needed.

Running multiple AI tools in parallel is supported, and since Claude and Gemini sometimes catch different issues, combining them improves overall coverage. The system is smart in two ways: if two backends flag the same problem it appears only once, and issues already found in a previous scan are labeled as old rather than shown again as new. The tool works across languages including JS, Python, Go, Java, Rust, C#, and PHP.

Running `heimdall web` opens a local dashboard at port 4040 for browsing past scans. Installation is a single curl command.

Key points

  • Uses AI tools already installed locally — no extra API keys or cloud uploads
  • Run Claude, Gemini, Codex, or Opencode in parallel to catch more issues
  • Duplicate findings across tools or across runs are shown only once
  • Reports export as JSON, Markdown, or SARIF
  • One-liner install; local web dashboard at port 4040

Sources covering this story (3)

Read original