Welcome to Heimdall
Heimdall is an AI-powered security scanner that goes beyond pattern matching to discover real vulnerabilities in your codebase. It builds a threat model of your application, deploys AI agents that reason about your code, validates findings in a sandboxed environment, and produces ranked vulnerabilities with patches and proof-of-concept exploits.
Quick Start
Get Heimdall running in minutes
How It Works
Understand the 7-stage scan pipeline
Architecture
Explore the technical architecture
API Reference
Browse the REST API documentation
Key Features
AI-Powered Discovery
The Hunt agent reasons about your code like a security researcher, discovering vulnerabilities that pattern matchers miss
Automated Threat Modeling
Tyr generates structured threat models identifying trust boundaries, attack surfaces, and sensitive data flows
Sandbox Validation
Garmr executes proof-of-concept exploits in isolated Docker containers to confirm real vulnerabilities
Automated Patches
Generate unified diff patches for every finding, ready to apply directly to your codebase
Multi-Language Support
Full AST parsing for Rust, Python, JavaScript, TypeScript, Go, and Java via tree-sitter
GitHub & GitLab Integration
Connect repositories via OAuth, trigger scans on push events, and sync findings to issues
What Makes Heimdall Different
Traditional security scanners rely on pattern matching—they look for known anti-patterns and flag suspicious code. Heimdall takes a fundamentally different approach:
- Context-Aware Analysis — Builds a complete code index with AST parsing, symbol tables, call graphs, and data flow analysis
- Threat Modeling — Generates a structured threat model before scanning to focus on real attack surfaces
- Agentic Discovery — Deploys AI agents that investigate your code iteratively, following data flows and reasoning about security implications
- Adversarial Verification — Challenges each finding with Víðarr, an adversarial agent that tries to disprove vulnerabilities
- Sandbox Validation — Executes exploits in Docker to confirm findings are real, not false positives
How It Works
- Connect a repository — GitHub OAuth, GitLab OAuth, public git URL, or zip upload
- Run a scan — Trigger it manually or from a push event; the 7-stage pipeline then runs end to end without further input
- Review findings — Severity-ranked vulnerabilities with code context, explanations, and patches
- Apply fixes — Accept suggested patches as unified diffs or create repository issues
Supported Languages
| Language | Grammar | Status |
|---|---|---|
| Rust | tree-sitter-rust | Full |
| Python | tree-sitter-python | Full |
| JavaScript | tree-sitter-javascript | Full |
| TypeScript | tree-sitter-typescript | Full |
| Go | tree-sitter-go | Full |
| Java | tree-sitter-java | Full |
| Ruby | regex fallback | Basic |
| PHP | regex fallback | Basic |
Tech Stack
- Language — Rust (2024 edition)
- Web Framework — Actix-web 4
- Frontend — HTMX + Tailwind CSS
- Database — PostgreSQL
- AST Parsing — tree-sitter
- AI Providers — Claude, OpenAI, Ollama (BYOK)
- Sandbox — Docker via bollard
Get Started
Installation
Install Heimdall locally or with Docker
Configuration
Configure AI providers and integrations