Security & Compliance · Product · 2025-08-09

Heimdall Security Suite

Plugin-based security orchestration platform that fuses 15+ scanner engines into unified SBOM and vulnerability reports. Live as CodeCheck.dev. Multi-tenant, AWS-native, real-time.

Year: 2025
Status: Product
Category: Security & Compliance
Role: Architect & Lead

Key metrics

  • Scanner engines: 15+
  • Repos: 11
  • Languages (UI): 44
  • Status: Production

Architecture

Three-layer plugin architecture: heimdall_infra provides the static AWS compute and storage layer; heimdall_task defines dynamic scanner task implementations stored in an S3-backed plugin registry; and heimdall_orchestrator discovers plugins at runtime, provisions ECS task definitions on demand, and streams real-time results to the UI. Multi-tenant via PostgreSQL schema isolation and S3 ABAC.

Case study

Heimdall Security Suite

Multi-tenant security scanning platform — production at codecheck.dev.

Heimdall is a plugin-based security orchestration platform that unifies findings from 15+ open-source scanner engines (Syft, Grype, Trivy, GHSA, NVD, Semgrep, Nikto, Nuclei, OWASP Dependency-Check, sqlmap, ZAP, Libraries.io, and others) into a single coherent workflow. It scales securely across teams with credit-based billing, real-time result streaming, and a 44-language UI.

Heimdall is the source-of-truth product suite; CodeCheck.dev is its deployed public face.

Architecture — three layers, three roles

Heimdall is organised across multiple repositories that fall into a clean three-layer plugin architecture:

heimdall_ui — Next.js 15 dashboard

The user-facing layer: a modular, plugin-based dashboard built on Turborepo, Next.js 15, and React 19. It covers SBOM analysis, compliance reporting, vulnerability triage, and real-time scan progress via SSE, and is localized into 44 languages.

heimdall_orchestrator — Temporal-driven workflow engine

The brain. FastAPI control plane plus Temporal for durable workflow orchestration. Discovers plugin tasks at runtime, provisions ECS Fargate task definitions just-in-time, routes GitHub events to scanner workflows without hardcoding tasks, and tracks scan cost per tenant against heimdall_credits.

heimdall_task — pluggable scanner runtime

The execution layer. A base library every scanner task is built on: async AWS operations, caching, multi-runtime support, manifest-based plugin discovery via an S3-backed plugin registry. Adding a new scanner is a YAML manifest plus a container image — no orchestrator code changes.

Supporting components

  • heimdall_infra — AWS CDK for the static compute/storage layer (ECS Fargate Spot for 70% cost savings, S3, RDS PostgreSQL, Kinesis for streaming)
  • heimdall_credits — PropelAuth + Stripe credit management, usage tracking, business analytics
  • heimdall_integrations — Pluggable framework for third-party services (GitHub, Slack, AWS, SonarQube)
  • heimdall_build — ECR-optimised multi-stage Docker builds
  • heimdall-aegis — Automated API key rotation across cloud, AI, and SaaS providers

What ships today

  • 15+ scanner engines running in parallel per phase
  • Multi-tenant via PostgreSQL schema isolation and S3 ABAC policies
  • Cost-optimized ECS Fargate Spot saves ~70% vs On-Demand
  • Real-time results streamed via Kinesis to the dashboard
  • CycloneDX VEX + OSV JSONL outputs for downstream consumers
  • OpenTelemetry observability end to end
  • Comprehensive cost tracking per tenant per scan
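The S3 ABAC isolation named in the architecture overview and in the list above can be expressed as an IAM policy attached to each tenant's execution role. The policy below is an added illustration, not Heimdall's own policy; the bucket name and the `tenant` tag key are assumptions, and it relies on the principal carrying a `tenant` tag (for example a session tag set at AssumeRole) that must match the tag on every object read or written.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TenantScopedRead",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectTagging"],
      "Resource": "arn:aws:s3:::EXAMPLE-heimdall-artifacts/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/tenant": "${aws:PrincipalTag/tenant}"
        }
      }
    },
    {
      "Sid": "TenantScopedWrite",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectTagging"],
      "Resource": "arn:aws:s3:::EXAMPLE-heimdall-artifacts/*",
      "Condition": {
        "StringEquals": {
          "s3:RequestObjectTag/tenant": "${aws:PrincipalTag/tenant}"
        }
      }
    },
    {
      "Sid": "DenyUntaggedWrite",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-heimdall-artifacts/*",
      "Condition": {
        "Null": { "s3:RequestObjectTag/tenant": "true" }
      }
    }
  ]
}
```

Objects with no `tenant` tag are unreadable under the first statement and cannot be created under the third, so a task that drops its session tag loses access rather than gaining cross-tenant reach; the tag key must also be protected from modification by the task role itself.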

Status

Production. Deployed at codecheck.dev as the public-facing brand. Active development across the entire suite.

Tech stack

Python, FastAPI, Temporal, AWS (ECS Fargate, S3, RDS), Next.js, Docker