AI Coding Agent Plugin

Vulnerability intelligence for AI coding agents

Automated dependency scanning, exploit analysis and fix intelligence — built into your development workflow. Not another scanner. Not another point solution. Vulnerability operations where your code is written.

AppSec Operations Platform

Make AppSec work where your code is written

Six event-driven hooks scan as you commit. Six interactive skills brief your agent on exploit maturity, malware campaigns and safe upgrade paths. Decisions persist as auditable VEX attestations.

Powered by Vulnetix VDB

Live data from 160 upstream sources

CVE, GHSA, OSV, vendor advisories and many more — aggregated, normalised and enriched with exploit intelligence, malware associations and safe upgrade paths.

Community (Free)
For individuals evaluating VDB or building open source.
  • 160 re-served vulnerability sources
  • 60+ identifier scheme lookups
  • Fix advisories and patch links
  • 50 queries / day

Pro ($20 USD / month, all enrichment)
Full enrichment layer for individuals.
  • Everything in Community
  • Exploit maturity & sightings
  • Malware campaigns & indicators
  • Safe harbour versioning
  • 2,000 queries / day

Teams ($250 USD / month, best value)
For teams that need volume and multiple API keys.
  • Everything in Pro
  • 10 API keys included
  • 100,000 queries / day / key
  • Dedicated support channel
1. Unify

Automatic security scanning, no extra step

Six event-driven hooks run automatically in your coding agent workflow. Scan dependencies on every commit, detect vulnerabilities after package installs, gate manifest edits with risk data, and surface prior context when you mention a CVE.

Hooks: pre-commit scanning, post-install detection, manifest edit gating, session dashboard, stop reminders, CVE context injection.
Hook reference
2. Prioritise

Vulnerability intelligence on demand

Six interactive skills give your agent deep analysis. Search packages for risk before adding them, analyse exploit intelligence, get fix recommendations with concrete manifest diffs and build context-aware remediation plans.

Skills: package risk search, exploit analysis, fix intelligence, vulnerability lookup, exploit landscape search, remediation planning.
Skill reference
3. Automate

Direct CLI access plus a parallel triage agent

Four deterministic commands return raw VDB data without LLM analysis. A bulk-triage agent analyses multiple vulnerabilities in parallel and produces prioritised reports — CWSS scored, ranked by exploit maturity.

Commands: vdb-vuln, vdb-vulns, vdb-exploits-search, vdb-remediation; plus the bulk-triage agent.
Command reference
Persistent memory

Every decision recorded as auditable evidence

Findings, decisions and scan history persist in the .vulnetix/ directory. A structured YAML memory tracks every vulnerability from discovery to resolution. Package search results, CycloneDX SBOMs and cached PoC source code provide audit-ready artefacts.

Artefacts: structured memory file, CycloneDX SBOMs, PoC source caching, decision tracking, cross-session continuity.
Data structure reference
Ecosystem coverage

Built for the whole stack

150+ ecosystems across 50+ languages, 20+ operating systems and 100+ million packages — one live source of truth.

NPM, PyPI, Go, Cargo, RubyGems, Maven, Packagist, NuGet, Docker, Kubernetes, Terraform, OpenTofu, AWS, Azure, GCP, GitHub Actions, GitLab CI, Helm, Nix, Alpine, Debian, RHEL and 300+ more.
Frequently asked

Questions before you install

How does this differ from running a scanner locally?
Scanners produce findings. This plugin produces decisions. Every alert is enriched with exploit maturity, malware association and safe upgrade paths from the Vulnetix VDB — then persisted as VEX attestations so nobody re-litigates the same CVE next sprint.
Do I need a Vulnetix account?
A free Community API key unlocks 50 queries a day across all 160 vulnerability sources. Pro and Teams plans add the enrichment layer — exploit sightings, malware campaigns, safe harbour versioning — with higher daily quotas.
Which languages and ecosystems are supported?
150+ package ecosystems across 50+ languages and 20+ operating systems. Manifest detection covers npm, PyPI, Go modules, Cargo, RubyGems, Maven, Packagist, NuGet, Helm, Dockerfiles, Terraform, OpenTofu and more.
How does it handle false positives?
Decisions are recorded as CycloneDX VEX or OpenVEX attestations against each finding — not_affected, fixed, under_investigation or affected — with justification text. Subsequent scans honour your prior verdict instead of resurfacing the same CVE.
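The mechanism described in this answer, a prior VEX verdict deciding whether a rescan resurfaces a finding, is easy to get subtly wrong: a not_affected statement recorded against one package version must not silence the same CVE on a different version, and a statement with no justification should be rejected rather than trusted. The following is an added illustration, not the plugin's own code or its memory format. It uses the OpenVEX field names (statements, vulnerability, products, status, justification, impact_statement) and the four status values named above; the VEX document, the findings and the CVE identifiers of the form CVE-0000-000N are constructed placeholders, and the suppression policy (suppress on not_affected or fixed, hold on under_investigation, keep open on affected or no verdict) is this example's own assumption.

```python
"""Apply prior VEX verdicts to a fresh set of dependency-scan findings.

Added example (not the plugin's code). Statement layout follows OpenVEX;
the sample document and findings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Status values shared by OpenVEX and CycloneDX VEX analysis state.
SUPPRESSING = frozenset({"not_affected", "fixed"})
PENDING = frozenset({"under_investigation"})
VALID_STATUS = SUPPRESSING | PENDING | frozenset({"affected"})

# OpenVEX machine-readable justifications for a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = frozenset({
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
})


@dataclass(frozen=True)
class Finding:
    purl: str  # package URL: ecosystem, name and version in one string
    vuln: str  # CVE or GHSA identifier


def index_vex(doc: dict) -> Dict[Tuple[str, str], dict]:
    """Index statements by (vulnerability, exact product purl).

    Malformed statements are rejected instead of silently suppressing:
    an unknown status, a not_affected with neither justification nor
    impact_statement, or a justification outside the OpenVEX set.
    """
    index: Dict[Tuple[str, str], dict] = {}
    for stmt in doc.get("statements", []):
        status = stmt.get("status")
        if status not in VALID_STATUS:
            raise ValueError(f"unknown VEX status {status!r}")
        vuln = stmt["vulnerability"]["name"]
        just = stmt.get("justification")
        if status == "not_affected" and not (just or stmt.get("impact_statement")):
            raise ValueError(f"{vuln}: not_affected needs justification or impact_statement")
        if just is not None and just not in NOT_AFFECTED_JUSTIFICATIONS:
            raise ValueError(f"{vuln}: unknown justification {just!r}")
        for product in stmt.get("products", []):
            index[(vuln, product["@id"])] = stmt
    return index


def triage(findings: Iterable[Finding], vex_doc: dict) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Map (purl, vuln) -> (state, reason).

    state is 'suppressed' (not_affected/fixed verdict for this exact purl),
    'pending' (under_investigation) or 'open' (affected, or no verdict).
    The lookup key includes the version, so a verdict never carries over
    from one version of a package to another.
    """
    index = index_vex(vex_doc)
    result: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for f in findings:
        stmt = index.get((f.vuln, f.purl))
        if stmt is None:
            result[(f.purl, f.vuln)] = ("open", "no prior VEX statement")
        elif stmt["status"] in SUPPRESSING:
            why = stmt.get("justification") or stmt.get("impact_statement") or stmt["status"]
            result[(f.purl, f.vuln)] = ("suppressed", f"{stmt['status']}: {why}")
        elif stmt["status"] in PENDING:
            result[(f.purl, f.vuln)] = ("pending", "under_investigation")
        else:
            result[(f.purl, f.vuln)] = ("open", "prior verdict: affected")
    return result


VEX_DOC = {  # constructed sample in OpenVEX layout; ids are placeholders
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-1",
    "author": "appsec@example.invalid",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:npm/left-pad@1.3.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path",
         "impact_statement": "The vulnerable function is never called."},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:pypi/requests@2.31.0"}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:npm/lodash@4.17.21"}],
         "status": "affected",
         "action_statement": "Upgrade before the next release."},
    ],
}

SCAN_FINDINGS = [  # constructed: what a fresh scan might report
    Finding("pkg:npm/left-pad@1.3.0", "CVE-0000-0001"),
    Finding("pkg:npm/left-pad@1.3.1", "CVE-0000-0001"),  # same CVE, other version
    Finding("pkg:pypi/requests@2.31.0", "CVE-0000-0002"),
    Finding("pkg:npm/lodash@4.17.21", "CVE-0000-0003"),
    Finding("pkg:cargo/serde@1.0.0", "CVE-0000-0004"),  # no verdict yet
]

if __name__ == "__main__":
    for (purl, vuln), (state, reason) in triage(SCAN_FINDINGS, VEX_DOC).items():
        print(f"{state:10} {purl} {vuln}  ({reason})")
```

Running it shows left-pad@1.3.0 suppressed by its justified not_affected verdict while left-pad@1.3.1, carrying the same CVE, stays open; requests is held as pending and lodash stays open because its recorded verdict is affected. A VEX file is only as trustworthy as its validation, so the index step refuses a not_affected statement that carries no justification or impact statement.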
Is my source code sent to Vulnetix?
No. Only package coordinates (name, version, ecosystem) and CVE identifiers reach the VDB API. Source code, secrets and proprietary logic stay on your machine. Memory files and SBOMs are written locally to .vulnetix/.
Which AI coding agents are supported?
Claude Code, Augment, Windsurf, Roo Code and 28 more — see the install reference. The plugin uses standard hook and skill interfaces so any agent supporting either pattern can adopt it.

Ready to make AppSec work where your code is written?

Install the plugin, point it at a free Community API key, and your next commit will be scanned with the same vulnerability data the enterprise platform uses.