Meterian Security SCA

Meterian

meterian.io
3,862 installs | Free
Adds an extra level of protection for the security of your projects
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Overview

Write safe code right away by getting instant detection of open-source software vulnerabilities. Remediate your code vulnerabilities by picking one of the suggested secure versions.

Meterian Security is a completely free tool that helps you identify vulnerabilities in your projects by analyzing your main manifest files (the Free mode). If you are a Meterian customer, you can set a Meterian API token to unlock the Premium mode, which provides deeper, in-depth analysis.

How does it work?

Meterian Security analyzes your project every time you open it and every time a manifest file changes. You can fix the reported vulnerabilities by applying the remediation suggestions, or snooze them for a while. The Analyse with Meterian command is also available in the command palette to start a new analysis on demand.

Supported languages and remediation

Language  Manifest           Free (Support / Remediation)   Premium (Support / Remediation)
Dotnet    *.csproj           ✅ ✅
NodeJS    package.json       ✅ ✅ ✅ ✅
NodeJS    package-lock.json  ✅ ✅
Java      pom.xml            ✅ ✅ ✅ ✅
Java      build.gradle       ✅ ✅
Java      build.gradle.kts   ✅ ✅
Php       composer.json      ✅ ✅ ✅ ✅
Php       composer.lock      ✅ ✅
Ruby      Gemfile            ✅ ✅
Ruby      Gemfile.lock       ✅ ✅
Python    requirements.txt   ✅ ✅ ✅ ✅
Python    Pipfile            ✅ ✅ ✅ ✅
Python    Pipfile.lock       ✅
Python    pyproject.toml     ✅ ✅ ✅ ✅
Python    poetry.lock        ✅
Python    uv.lock            ✅ ✅
Rust      Cargo.toml         ✅ ✅ ✅ ✅
Rust      Cargo.lock         ✅ ✅ ✅
Golang    go.mod             ✅ ✅
Golang    go.sum             ✅ ✅

Commands

All the commands of the Meterian Security extension can be run from the Visual Studio Code Command Palette (shortcut: Ctrl+Shift+P).

  • Analyse with Meterian - Start a new analysis
  • Set Meterian API Token - Set a new Meterian API token
  • Show my Meterian API Token - Shows the stored Meterian API token
  • Verify Meterian API Token - Verify the validity of the stored Meterian API token
  • Unset Meterian API Token - Remove the stored Meterian API token
  • Configure Meterian Security - Shortcut to open the Meterian Security configuration
  • Enable or Disable Meterian Security on this workspace - Stop Meterian Security from running on a specific workspace

Configuration

A configuration panel is available for a more tailored experience. The configuration can be accessed from the File > Preferences > Settings menu or by using the Configure Meterian Security command from the command palette.

It's possible to set the thresholds used to flag vulnerabilities:

Label               Default value   Description
Severity Threshold  LOW             Vulnerabilities below this severity level are not flagged
CVSS Threshold      3.5             Vulnerabilities with a CVSS score below this value are not flagged
EPSS Threshold      0.01            Vulnerabilities with an EPSS score below this value are not flagged

There are also a few other, more general configuration settings:

Label                  Default value   Description
CVEs only              false           Only flag vulnerabilities that have a CVE id
Max Files              100000          Maximum number of files considered during an analysis
Grace Time in seconds  60              Delay, in seconds, between the last change to a manifest file and the start of the analysis
Enabled                true            Enables or disables the plugin for the current workspace
Max Problem Level      Warning         Highest level (for example Warning or Error) at which a flagged vulnerability is reported in the Problems panel
Notifications          Problems only   Which notifications are shown
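The two tables above describe four independent filters. The following is an added example, not code from the Meterian extension, showing how those filters combine on a handful of constructed findings; it assumes that each threshold suppresses on its own, so a finding must clear all of them to be flagged, and the finding shape, helper names and library names are illustrative.

```typescript
// Added example (not the extension's own code): how the Severity, CVSS, EPSS and
// "CVEs only" settings decide whether a finding is surfaced. Assumption: each
// threshold suppresses independently, so a finding must clear all of them.

type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
type SuppressionReason = "severity" | "cvss" | "epss" | "no-cve";

const SEVERITY_RANK: Record<Severity, number> = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };

interface Finding {
  library: string;    // constructed placeholder names, not real packages
  severity: Severity;
  cvss: number;       // CVSS base score, 0.0 - 10.0
  epss: number;       // EPSS probability, 0.0 - 1.0
  hasCveId: boolean;  // false when the advisory carries only a vendor or GHSA id
}

interface Thresholds {
  severityThreshold: Severity; // extension default: LOW
  cvssThreshold: number;       // extension default: 3.5
  epssThreshold: number;       // extension default: 0.01
  cvesOnly: boolean;           // extension default: false
}

const DEFAULT_THRESHOLDS: Thresholds = {
  severityThreshold: "LOW",
  cvssThreshold: 3.5,
  epssThreshold: 0.01,
  cvesOnly: false,
};

// Every threshold the finding fails to clear; an empty list means it is flagged.
// "Below" is strict, so a value exactly at the threshold still passes.
function suppressionReasons(f: Finding, t: Thresholds): SuppressionReason[] {
  const reasons: SuppressionReason[] = [];
  if (SEVERITY_RANK[f.severity] < SEVERITY_RANK[t.severityThreshold]) reasons.push("severity");
  if (f.cvss < t.cvssThreshold) reasons.push("cvss");
  if (f.epss < t.epssThreshold) reasons.push("epss");
  if (t.cvesOnly && !f.hasCveId) reasons.push("no-cve");
  return reasons;
}

// Names of the libraries whose findings survive every filter, in input order.
function flaggedLibraries(findings: Finding[], t: Thresholds): string[] {
  return findings
    .filter((f) => suppressionReasons(f, t).length === 0)
    .map((f) => f.library);
}

// Constructed sample findings, one per edge the filters have.
const SAMPLE_FINDINGS: Finding[] = [
  { library: "lib-a", severity: "HIGH",     cvss: 7.5, epss: 0.20,  hasCveId: true  },
  { library: "lib-b", severity: "LOW",      cvss: 2.0, epss: 0.50,  hasCveId: true  }, // low score, high exploitation probability
  { library: "lib-c", severity: "MEDIUM",   cvss: 5.0, epss: 0.005, hasCveId: false },
  { library: "lib-d", severity: "CRITICAL", cvss: 9.8, epss: 0.90,  hasCveId: false }, // no CVE id yet
  { library: "lib-e", severity: "LOW",      cvss: 3.5, epss: 0.01,  hasCveId: true  }, // exactly at the defaults
];

// A tighter profile a team might configure to reduce noise.
const STRICT_THRESHOLDS: Thresholds = {
  severityThreshold: "HIGH",
  cvssThreshold: 7.0,
  epssThreshold: 0.1,
  cvesOnly: true,
};

console.log("default:", flaggedLibraries(SAMPLE_FINDINGS, DEFAULT_THRESHOLDS)); // lib-a, lib-d, lib-e
console.log("strict: ", flaggedLibraries(SAMPLE_FINDINGS, STRICT_THRESHOLDS));  // lib-a
for (const f of SAMPLE_FINDINGS) {
  console.log(f.library, "suppressed by:", suppressionReasons(f, DEFAULT_THRESHOLDS));
}
```

Two consequences are worth checking against your own settings: because the filters are independent, a CVSS threshold alone hides lib-b even though its EPSS says it is being exploited, so raising CVSS Threshold trades away exactly the findings EPSS was meant to surface; and CVEs only drops lib-d, a critical issue that simply has no CVE id yet.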

Using a Meterian API token

Using an API token is not required, but if you do, it will give you a more comprehensive analysis of your project. You can set a Meterian API token from the command palette by using the Set Meterian API Token command. To go back to the Free mode, you can use the Unset Meterian API Token command.

You can create one from the Meterian Dashboard.

What data is transferred?

The system is powered by the Meterian Kiwi vulnerability database. Calls to its API carry an opaque identifier in the authorization header; the only library data transferred is the name, version and language of each dependency. A second API on the Meterian Heidi backend services is also called, which is used to track activity. Any identity information is anonymized and encrypted with a strong cipher, and cannot be deciphered.

Bugs and support

If you find a bug or have a feature request, please open an issue on the GitHub repository. Please use one of the YAML issue templates available in the repository to help us keep the format of the issues consistent.

A support channel is available on Discord for you to ask questions and get help.
