If you regularly work across IDEs, you’ve probably noticed how security tools often behave inconsistently. One plugin might work well in VS Code but feel clunky in PyCharm or Visual Studio.
We set out to change that. The Veracode Scan plugin delivers a consistent, reliable experience across VS Code, JetBrains IDEs, Eclipse, and Visual Studio — helping developers focus on writing secure code, not troubleshooting plugins.
Here’s how we made it work across four very different IDEs, using shared architecture, smart reuse, and disciplined engineering.
The Challenge of Multi-IDE Support
Each IDE has its own extension model and underlying tech stack:
- VS Code uses TypeScript with a modular extension system
- JetBrains IDEs (like IntelliJ, PyCharm) rely on Java/Kotlin with a proprietary plugin framework
- Eclipse is built on OSGi with SWT-based UI components
- Visual Studio uses .NET and the Managed Extensibility Framework (MEF)
Supporting these tools independently would mean duplicating logic, creating inconsistent user experiences, and significantly increasing maintenance overhead. Add the need for cross-platform support (Windows, macOS, Linux), and the challenge grows.
Shared Core, Unified Logic
To solve this, we built a shared scanning engine that handles the heavy lifting: scan execution, API communication, and result parsing. This core logic is written once and reused across all IDEs.
We wrapped it with a Language Server Protocol (LSP) layer — a standard that enables language features across editors. At build time, we compile platform-specific LSP binaries for each OS. These binaries are bundled with the plugins, so scanning runs natively on every machine.
Each plugin includes a thin integration layer that connects to the LSP and handles IDE-specific UI commands. The result? Uniform behavior with minimal custom code per platform.
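To illustrate the pattern described above, the following added example (not Veracode's code, and not taken from the plugin) converts a shared core's findings into standard LSP `textDocument/publishDiagnostics` notifications, frames them for the wire, and parses them back on the thin client side. The finding fields, the 0-5 severity scale, the `scan-core` source name, the size cap, and the choice of diagnostics as the transport are all assumptions.

```javascript
// Constructed sample findings (hypothetical shape, not Veracode's format); lines are 1-based.
const SAMPLE_FINDINGS = [
  { file: "/work/app/db.py", line: 42, severity: 5, cwe: 89, title: "SQL injection via string concatenation" },
  { file: "/work/app/db.py", line: 77, severity: 2, cwe: 117, title: "Log entry built from unsanitised input" },
  { file: "/work/app/views.py", line: 10, severity: 4, cwe: 80, title: "Reflected XSS in “name” parameter" },
];
const MAX_BODY = 8 * 1024 * 1024; // client-side cap on one message body (assumed limit)

// Assumed 0-5 scanner severity mapped to LSP DiagnosticSeverity (1=Error .. 4=Hint).
function toLspSeverity(sev) { return sev >= 4 ? 1 : sev === 3 ? 2 : sev >= 1 ? 3 : 4; }

// Server side: group findings per file into textDocument/publishDiagnostics notifications.
function toNotifications(findings) {
  const byUri = new Map();
  for (const f of findings) {
    const uri = "file://" + encodeURI(f.file);
    const line = Math.max(0, f.line - 1); // LSP positions are 0-based
    if (!byUri.has(uri)) byUri.set(uri, []);
    byUri.get(uri).push({
      range: { start: { line, character: 0 }, end: { line: line + 1, character: 0 } },
      severity: toLspSeverity(f.severity), message: f.title,
      code: "CWE-" + f.cwe, source: "scan-core",
    });
  }
  return [...byUri].map(([uri, diagnostics]) => (
    { jsonrpc: "2.0", method: "textDocument/publishDiagnostics", params: { uri, diagnostics } }));
}

// LSP base-protocol framing: Content-Length counts UTF-8 bytes, not characters.
function frame(message) {
  const body = JSON.stringify(message);
  return `Content-Length: ${Buffer.byteLength(body, "utf8")}\r\n\r\n${body}`;
}

// Client side (thin IDE wrapper): split a received byte buffer into complete messages.
function parseFrames(buf) {
  const out = [];
  for (let off = 0; off < buf.length;) {
    const headerEnd = buf.indexOf("\r\n\r\n", off);
    if (headerEnd < 0) break; // header incomplete, wait for more bytes
    const m = /Content-Length: (\d+)/i.exec(buf.toString("ascii", off, headerEnd));
    if (!m || Number(m[1]) > MAX_BODY) throw new Error("bad or oversized Content-Length");
    const start = headerEnd + 4, end = start + Number(m[1]);
    if (end > buf.length) break; // body incomplete
    out.push(JSON.parse(buf.toString("utf8", start, end)));
    off = end;
  }
  return out;
}
```

Because every editor's LSP client already understands this notification, the per-IDE wrapper only has to launch the binary and render what arrives; the byte-based length and the size cap are the two framing details that most often go wrong in a hand-written client.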

Consistent Look with Shared Web UI
To deliver a consistent user experience, we built a shared UI Toolkit that renders web-based components inside each IDE. This includes:
- Viewing flaw details with file context
- Displaying remediation guidance
- Offering auto-fix suggestions for quick remediation
- Letting developers apply fixes without leaving the IDE
Scalable Design Backed by Veracode’s Cell Architecture
Our plugin model aligns with Veracode’s broader Cell Architecture, where each major product area — such as Static Analysis or Software Composition Analysis — is owned by a dedicated, autonomous team. These teams follow a shape-design-build cycle to ship customer value fast.
We also maintain a Core Capabilities layer shared across IDE plugins and CLI tools. This includes configuration handling, REST API logic, and logging — all built once and reused. Teams collaborate using an Inner Source model, contributing to shared libraries and improving quality across the board.
How It All Fits Together
Each IDE plugin includes:
- A shared scanning logic core
- A platform-specific LSP binary
- A thin plugin wrapper tailored to the IDE
- A shared UI Toolkit for flaw display and remediation
- CI/CD pipelines for automated packaging and release
This modular architecture ensures fast updates, reduced bugs, and consistent features across environments.
Tailored, Native Developer Experience
Although the core is shared, each plugin is designed to feel native:
- In VS Code, scan results show inline and in the Problems pane
- In JetBrains IDEs, results integrate into tool windows and context menus
- In Eclipse and Visual Studio, we use native views and panels for seamless interaction
As we continue to evolve the plugin, updates will roll out in sync — ensuring no IDE is left behind.
Tips for Developers Using the Plugin
To get the most out of the Veracode Scan plugin:
- Install it across all IDEs you use
- Run scans early and often
- Use branch-specific scan policies
- Apply auto-fixes when available
- Review remediation guidance inline
Conclusion
The Veracode Scan plugin brings a consistent, developer-friendly security experience to every major IDE. With a shared core, platform-aware LSP layer, and centralized UI toolkit, it’s designed to scale — and to stay out of your way while you code securely.
Wherever you code, Veracode is there with you. Install the plugin in your IDE and give it a try. Feedback and feature requests are always welcome!