Heimdall Scan vs Semgrep
Semgrep is a serious static-analysis tool built for application security teams. Heimdall Scan is built for non-technical founders shipping apps with Cursor, Lovable, and Bolt. Both look at your source code. The output, the audience, and the setup are completely different. This page is honest about which one fits which situation.
TL;DR
If you have an AppSec team and someone who can write Semgrep rules in YAML, Semgrep is more powerful and free forever. If you're a founder who wants to know whether your Lovable app is going to leak Stripe keys, Heimdall Scan tells you in plain English with paste-into-Cursor fix prompts, and you don't have to learn anything new. We win the vibe-coder lane. They win the AppSec-engineer lane.
Side by side
Where Semgrep is the better fit
Semgrep is genuinely the better tool if you have someone on your team who can write a YAML rule when you find a project-specific anti-pattern. The community ruleset is huge, the language coverage is wide, the OSS version is free forever, and big tech AppSec teams use it for a reason. If you're scanning a Python monolith or a Go microservice, we don't even cover your stack. If you want rules tuned to your exact codebase, Semgrep is what you should reach for.
Where Heimdall Scan is the better fit
Semgrep tells you that line 47 of routes/order.ts matches rule javascript.security.audit.detect-non-literal-fs-filename. That's the right answer for the wrong audience. A non-technical founder reading that result has no idea what to do next. Heimdall Scan tells you, in one paragraph, that your /api/orders/:id endpoint lets logged-in users read other people's orders, why that matters, and gives you a prompt to paste into Cursor that fixes it. We also catch a class of issue Semgrep mostly misses: AI-editor-generated mistakes that look syntactically clean but are semantically wrong (a session check that returns 200 instead of 401, a Stripe webhook handler with no signature verification, an .env file that got committed because the AI forgot .gitignore). And every finding is sanity-checked by Gemini before you see it, so you don't waste time on placeholder strings the model thought were real secrets.
Pricing
Free during open beta. Sign in with GitHub and you get every check at no cost. No card, no per-seat trick, no scan-limit games. We aren't charging yet because the product is in beta. A paid Ultra plan is coming later for high-volume usage.
If you're shipping a JS or TS app from an AI editor and you'd rather get plain-English answers than learn YAML rule syntax, run a Heimdall Scan. It takes under a minute and it's free during open beta.
