Heimdall uses your existing AI tools to scan code for security flaws
Heimdall is a tool that scans a codebase for security flaws using whichever AI coding assistant you already have installed: Claude Code, Gemini CLI, Codex, or Opencode. You point it at a source folder, it sends your files to the chosen assistant, collects the findings, and produces a clean report in JSON, Markdown, or SARIF format. Heimdall itself needs no API keys and makes no outbound network requests of its own; it only invokes the locally installed tools. Note that this does not by itself keep your code on the machine: Claude Code, Gemini CLI and Codex forward prompts to their providers' APIs under your existing account, so the data-handling terms of whichever backend you pick still apply.
You can run multiple AI backends in parallel, which is useful because Claude and Gemini sometimes catch different issues, so together they give broader coverage. A deduplication step means the same issue flagged by two different AI tools appears only once, and issues already found in a previous scan are marked as old rather than re-reported. It works across languages, including JavaScript, Python, Go, Java, Rust, C#, PHP, and more.
A local web dashboard on port 4040 lets you browse past scan results and manage settings. Installation is a single curl command; as with any curl-to-shell installer, download the script and read it before running it.
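The merge-and-mark behaviour described above can be sketched in a few functions. The following is an added example written for this page, not Heimdall's own code: it assumes each backend's output has already been normalised into dicts with `file`, `line`, `category` and `message` keys, fingerprints a finding on path, category and line, records which backends flagged it, compares against a constructed set of fingerprints from a "previous scan", and writes the result as a minimal SARIF 2.1.0 log. The fingerprint scheme, the `heimdall/v1` fingerprint name and the sample findings are all assumptions made for the illustration.

```python
import hashlib
import json

# Constructed sample findings, as if normalised from two backends (not real tool output).
CLAUDE = [
    {"file": "app/db.py", "line": 42, "category": "sql-injection",
     "message": "Query built with f-string from request parameter"},
    {"file": "app/auth.py", "line": 17, "category": "hardcoded-secret",
     "message": "JWT signing key is a string literal"},
]
GEMINI = [
    {"file": "app/db.py", "line": 42, "category": "SQL-Injection",
     "message": "User input concatenated into SQL statement"},
    {"file": "app/upload.py", "line": 88, "category": "path-traversal",
     "message": "Filename from form field joined to upload dir without sanitising"},
]


def fingerprint(finding):
    """Stable identity for a finding: path, case-folded category and line.
    Assumption: both backends ran against the same tree, so lines agree."""
    key = f"{finding['file']}|{finding['category'].lower()}|{finding['line']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def merge_backends(results):
    """results: {backend_name: [finding, ...]}. Returns one entry per fingerprint,
    keeping the first message seen and listing every backend that flagged it."""
    merged = {}
    for backend, findings in results.items():
        for f in findings:
            fp = fingerprint(f)
            if fp not in merged:
                merged[fp] = {**f, "category": f["category"].lower(),
                              "fingerprint": fp, "sources": []}
            merged[fp]["sources"].append(backend)
    return list(merged.values())


def mark_against_previous(findings, previous_fingerprints):
    """Tag each finding 'old' if an earlier scan already produced it, else 'new'."""
    for f in findings:
        f["status"] = "old" if f["fingerprint"] in previous_fingerprints else "new"
    return findings


def to_sarif(findings, tool_name="heimdall"):
    """Minimal SARIF 2.1.0 log. The fingerprint goes in partialFingerprints so a
    SARIF consumer (e.g. GitHub code scanning) can dedupe across uploads too."""
    results = []
    for f in findings:
        results.append({
            "ruleId": f["category"],
            "level": "error",
            "message": {"text": f["message"]},
            "partialFingerprints": {"heimdall/v1": f["fingerprint"]},  # assumed name
            "properties": {"sources": f["sources"], "status": f["status"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
        })
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": tool_name}}, "results": results}]}


def run_example():
    merged = merge_backends({"claude": CLAUDE, "gemini": GEMINI})
    # Constructed previous-scan state: the hardcoded secret was already reported.
    previous = {fingerprint(CLAUDE[1])}
    return to_sarif(mark_against_previous(merged, previous))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Keying on path, category and line is deliberately simple; a real deduplicator has to tolerate line drift between scans (a hash of the surrounding snippet, or the enclosing function name, survives unrelated edits far better) and differing category vocabularies between backends, which is why the category is case-folded here but would need a mapping table in practice.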
Key points
- Works with Claude Code, Gemini CLI, Codex, and Opencode; Heimdall itself needs no extra API keys
- Heimdall makes no outbound requests of its own; the chosen backend CLI still sends code to its provider unless it is configured for a local model
- Running multiple AI backends in parallel improves coverage, since each backend sometimes catches issues the others miss
- Deduplication removes repeated findings across backends and marks findings from earlier scans as old instead of re-reporting them
- Outputs JSON, Markdown, or SARIF; includes a local web dashboard on port 4040