Vulnerability search
Explyt can scan the whole project for vulnerabilities in the codebase. You can attach findings to chat so the agent can fix the code, check whether the finding is valid, or help decide which issues need action.
How to start
In the Explyt chat header, click the shield icon. A menu with a description of the feature will open — click the start button. The plugin will build the project and then run the analysis.
How analysis works
The scan uses Explyt's own static analysis engine. It works on compiled sources, so the plugin tries to build the project with Maven or Gradle before analysis.
The engine performs interprocedural analysis: it tracks how data flows through functions and methods, from the point where it appears (source) to the point where its use could cause a problem (sink). Most tools only check within a single function.
After a successful analysis, Explyt opens a results panel. You can filter and group the findings:
- by severity;
- by files and folders where vulnerabilities were found;
- by category (SQL injections, XSS, SSRF, and others).
Many vulnerabilities include a trace that shows where the data comes from and how it flows through the code from source to the dangerous point. Click a trace step to highlight the matching location in the editor.
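The kind of cross-method flow the scanner follows and the trace it shows, as an added illustration that is not code from Explyt or this documentation: the class, method names, table and column are assumed for the example. The first three methods form one source-to-sink trace of the kind described above; each method looks harmless on its own, which is why a check limited to a single function misses it. The second set of methods is the hardened form of the same lookup.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added illustration, not Explyt's code: the same user lookup written two ways.
// Class, method names, table and column are assumed for the example.
public class UserLookup {
    private final Connection connection;

    public UserLookup(Connection connection) {
        this.connection = connection;
    }

    // --- Vulnerable flow: what an interprocedural scan reports as one trace ---

    // Trace step 1, source: the value arrives from the HTTP request (assumed to be
    // handed in by a servlet or controller); it is untrusted from this point on.
    public ResultSet handleRequest(String requestedName) throws SQLException {
        return findUser(requestedName);
    }

    // Trace step 2: the untrusted value is concatenated into SQL text. Looked at in
    // isolation this method only builds a string, so a per-function check flags nothing.
    private ResultSet findUser(String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        return runQuery(sql);
    }

    // Trace step 3, sink: the request-influenced string reaches Statement.executeQuery.
    // This method also looks fine alone; only the cross-method flow reveals the SQL injection.
    private ResultSet runQuery(String sql) throws SQLException {
        Statement statement = connection.createStatement();
        return statement.executeQuery(sql);
    }

    // --- Hardened flow: the same three methods, with the value bound as a parameter ---

    public ResultSet handleRequestSafely(String requestedName) throws SQLException {
        return findUserSafely(requestedName);
    }

    // The SQL text is a constant; the untrusted value never becomes part of it.
    private ResultSet findUserSafely(String name) throws SQLException {
        return runQuerySafely("SELECT id, name FROM users WHERE name = ?", name);
    }

    // PreparedStatement sends the value separately from the query text, so the database
    // never parses it as SQL. The taint path from source to sink is broken at this point.
    private ResultSet runQuerySafely(String sql, String parameter) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(sql);
        statement.setString(1, parameter);
        return statement.executeQuery();
    }
}
```

When a finding like the first flow is attached to chat with its trace, the three steps above are what the agent reasons over, and the second flow is the shape of fix it should propose: keep the call chain, replace concatenation with parameter binding.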
Actions for found vulnerabilities
For each vulnerability, the following actions are available:
- Fix — the agent reads the vulnerability code and suggests changes to eliminate the issue.
- Attach to chat — send the vulnerability to the agent to discuss it: how it works, how to reproduce it, or ask it to explain in plain language if you're not a security expert.
- Mark as false positive — if you're sure the finding doesn't reproduce in reality, click the exclamation mark button. The vulnerability will disappear from the results list.
- Evaluate CVSS score — ask the agent to assess the vulnerability's severity.
Severity assessment
You can attach a vulnerability to chat and ask the agent to calculate a CVSS score. The agent estimates the factors, sends them to the calculator, and explains the result.
CVSS is a numerical score from 0 to 10. A score of 0 means the vulnerability is not reproducible; a score of 10 means exploitation could cause critical damage (data leaks, financial loss, infrastructure destruction).
After calculation, the CVSS score appears next to the vulnerability in the results panel.
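How a base score follows from the factors the agent estimates, as an added example in Java that is not Explyt's calculator: it implements the CVSS v3.1 base-score formulas and metric weights published by FIRST, takes a standard vector string as input, and the two vectors in main are constructed samples (an unauthenticated SQL injection and a reflected XSS as an assessor might rate them).

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Explyt code: CVSS v3.1 base score from a vector string,
// following the formulas and weight tables in the FIRST CVSS v3.1 specification.
public class CvssBaseScore {

    // Metric weights from the specification. PR depends on Scope and is handled below.
    private static final Map<String, Double> AV = Map.of("N", 0.85, "A", 0.62, "L", 0.55, "P", 0.20);
    private static final Map<String, Double> AC = Map.of("L", 0.77, "H", 0.44);
    private static final Map<String, Double> UI = Map.of("N", 0.85, "R", 0.62);
    private static final Map<String, Double> CIA = Map.of("H", 0.56, "L", 0.22, "N", 0.0);

    private static double privilegesRequired(String pr, boolean scopeChanged) {
        switch (pr) {
            case "N": return 0.85;
            case "L": return scopeChanged ? 0.68 : 0.62;
            case "H": return scopeChanged ? 0.50 : 0.27;
            default: throw new IllegalArgumentException("unknown PR value: " + pr);
        }
    }

    // The specification's Roundup: the smallest one-decimal value >= input, computed in
    // integer arithmetic so that floating-point drift cannot push a score across a boundary.
    static double roundUp(double value) {
        long scaled = Math.round(value * 100000);
        if (scaled % 10000 == 0) {
            return scaled / 100000.0;
        }
        return (Math.floor(scaled / 10000.0) + 1) / 10.0;
    }

    // Parses "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" style vectors and returns 0.0 to 10.0.
    static double baseScore(String vector) {
        Map<String, String> metrics = new HashMap<>();
        for (String part : vector.split("/")) {
            String[] kv = part.split(":", 2);
            if (kv.length == 2) {
                metrics.put(kv[0], kv[1]);
            }
        }
        boolean scopeChanged = "C".equals(metrics.get("S"));

        // Impact sub score: how much confidentiality, integrity and availability suffer.
        double iss = 1 - (1 - CIA.get(metrics.get("C")))
                       * (1 - CIA.get(metrics.get("I")))
                       * (1 - CIA.get(metrics.get("A")));
        double impact = scopeChanged
            ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
            : 6.42 * iss;

        // Exploitability sub score: how easy it is to reach the flaw.
        double exploitability = 8.22 * AV.get(metrics.get("AV")) * AC.get(metrics.get("AC"))
            * privilegesRequired(metrics.get("PR"), scopeChanged) * UI.get(metrics.get("UI"));

        // No impact at all means a base score of 0 regardless of exploitability.
        if (impact <= 0) {
            return 0.0;
        }
        double raw = scopeChanged ? 1.08 * (impact + exploitability) : impact + exploitability;
        return roundUp(Math.min(raw, 10.0));
    }

    public static void main(String[] args) {
        // Constructed sample vectors: an unauthenticated SQL injection and a reflected XSS.
        String sqli = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";
        String xss  = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N";
        System.out.println(sqli + " -> " + baseScore(sqli));
        System.out.println(xss  + " -> " + baseScore(xss));
    }
}
```

The eight factors in the vector are exactly what the agent has to estimate from the finding and its trace; the arithmetic is fixed by the specification, so the quality of the score rests entirely on those estimates, which is why the agent's explanation of them matters more than the number itself.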
False positives are one of the main problems with security tools. Security professionals spend up to 90% of their time checking findings that turn out to be non-issues. CVSS scoring helps separate real problems from false ones faster.
IDE support
Vulnerability search works for JVM projects in IntelliJ IDEA (OpenIDE, GigaIDE) and Android Studio — that is, for Java and Kotlin. We are working on expanding support to other languages and IDEs.
The analysis runs fully offline: your code is never sent anywhere, and no server connection is required. The only exception is interaction with the agent, which uses an LLM.
New vulnerability types are added with plugin updates: the engine operates on a set of rules that ships with each update. Custom rules cannot be added yet, but in the future the agent will be able to automatically write rules tailored to your project.
When to use it
LLMs can and do write code with vulnerabilities. Targeted attacks are also possible: hackers study the behavior of a specific LLM used by a company and plant prompt injections to force the model into generating vulnerable code. Vulnerability search is useful:
- to catch critical security issues before committing;
- when a team lead wants to run a scan across the entire repository, see security issues, and fix them quickly, for example by making a pull request that addresses critical vulnerabilities;
- when you need to quickly decide which findings to fix first.