Meterian Security — VS Code Extension

Available on the Visual Studio Code Marketplace for Visual Studio Code.
Available on the OpenVSX registry for Cursor, VSCodium, Windsurf, Theia & friends.

Meterian Security is a completely free extension that detects open-source vulnerabilities in your project dependencies and helps you fix them, without leaving your IDE.

It supports 10+ languages and package managers, works with VS Code, Cursor, Windsurf, VSCodium, and Theia, and integrates with AI assistants via a built-in MCP server, so you can ask your AI "is any of my libraries vulnerable?" and get an instant answer backed by the Meterian vulnerability database.

Works with your AI assistant

The extension ships a built-in MCP server that connects the Meterian vulnerability database to your AI assistant. Once registered, you can ask:

  • "Is any of my libraries currently vulnerable?"
  • "What's a safe version for the axios library?"

Supported: Claude Code, Cursor, Windsurf, VS Code + Copilot, Gemini CLI, Codex.

Install & Quickstart

  1. Install from your chosen marketplace (once!)
  2. Open a project
  3. An analysis starts automatically
  4. See the report, drill down into the details
  5. Use autofix to automatically resolve the issues!

Report an issue or request a feature

Found a bug, have a feature request, or a question? The GitHub issue tracker is the right place. Use one of the links below to open a pre-filled form:

⚠️ Security disclosures: Please do not file security vulnerabilities here. Email security@meterian.io with details and a way to reproduce. We'll acknowledge within 2 business days.

Where to get help

  • Discord (community support): Discord
  • FAQ: See our FAQ

What data is transferred by the plugin?

The system is powered by the Meterian Kiwi vulnerability database. The APIs are called with an opaque identifier passed as an authorization header; the data transferred is the name, version and language of a library. Additionally, another API is called from Meterian Heidi backend services, which is used to track activity. Any identity information is anonymized, encrypted with a strong cipher, and cannot be deciphered.

Contributing feedback

While the extension is closed source and the issue tracker repository contains no code, your feedback directly shapes our backlog and priorities. The extension is completely free to use.