Meterian is an open-source software supply chain security platform from UK-based Meterian Ltd. Its core focus is open-source vulnerability scanning, software composition analysis (SCA), and license compliance management. The product lineup includes repository scanning with BOSS, container scanning with BOSSC, IaC scanning with ISAAC, the KIWI vulnerability data source, the HEIDI IDE plugin, and the SASHA SAST tool. It is aimed at development, DevSecOps, application security, quality, and risk management teams.
In terms of protection coverage, Meterian addresses dependency vulnerabilities, outdated components, license risks, container image risks, IaC configuration issues, and static source-code defects. Its SCA reports can generate SBOMs, license and copyright attribution, and upgrade paths, with output formats including HTML, JSON, PDF, and Console. SASHA also provides SARIF output, making it easier to integrate with ecosystems such as GitHub Code Scanning and Azure DevOps. The HEIDI plugin can scan manifest files in IDEs such as VS Code, JetBrains, Cursor, and Windsurf, and integrates with AI coding assistants and MCP, with an emphasis on catching issues early in development.
Meterian’s main scanning capabilities can be integrated into virtually any CI/CD pipeline, with the source text mentioning scenarios such as GitHub Actions, GitLab CI, Jenkins, and Azure DevOps. A key selling point is privacy protection: SCA and HEIDI do not require source code to be uploaded, typically processing only dependency manifests or structured findings. SASHA also states that source-code analysis remains within the local environment. The KIWI vulnerability database can be deployed locally, supports offline use, can be updated daily or more frequently, and provides an unlimited-call API, making it suitable for integration into internal security platforms.
Pricing information is incomplete. The page only shows a Free plan, Enterprise Trial, Book a demo, and HEIDI’s Free / Premium model; no specific prices were captured. In terms of compliance certifications, the source text does not disclose third-party certifications such as SOC 2 or ISO 27001. Another limitation is that SASHA’s language support is still being expanded: the source text states that Node.js and .NET are fully available, while other languages are being rolled out gradually.
Meterian is suitable for mid-sized to large engineering teams that need continuous governance of open-source dependencies, containers, and IaC risks within CI/CD, and that care about SBOMs, license compliance, and keeping source code in-house. The free version of HEIDI is also suitable for lightweight developer trials. Access from mainland China, payment methods, and local support are not clearly stated, so china_access can only be rated as unknown. If localized procurement or network stability in China is required, alternatives such as Snyk, Mend, Sonatype, GitHub Advanced Security, Checkmarx, Veracode, Semgrep, and JFrog Xray may also be worth evaluating.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, meterian.com.
meterian.com is a United Kingdom security provider. TG4G tracks its product information, an overall rating of 8.0/10, and a China-accessibility rating of "China direct-connect friendly".