The PT Application Inspector plugin finds vulnerabilities and undocumented features in application source code. In addition to code analysis, built-in modules detect errors in configuration files and vulnerabilities in third-party components and libraries used in application development. The plugin supports the following languages: C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, SQL, Solidity, TypeScript, C/C++, Objective-C, and Swift.
Note. The scanning of projects in C/C++ and Objective-C is not supported in macOS.
You can enable or disable the plugin in an open project by clicking the icon in the bottom right toolbar. If it is not the first time you are opening the project, the plugin is enabled automatically (scan and action history is saved). You can also set up the plugin to be automatically enabled when a new project is opened.
When the plugin is enabled, the .ai folder is created in the project. This folder contains a database, log files, and a configuration file. For Git to ignore the .ai folder, create an empty file .gitignore in the project folder.
For the plugin to operate correctly, the PT Application Inspector code analyzer is required. You can install it automatically by clicking Download Analyzer in the pop-up notification in the IntelliJ IDEA interface or manually by downloading it from the link in the instructions below.
To manually install the code analyzer:
-
Download the archive with the analyzer using one of the links:
-
In macOS, run the following command to remove the
com.apple.quarantineattribute:xattr -d com.apple.quarantine <analyzer_file_path.pkg>
Then run the installation file and follow the instructions.
-
In Windows and Linux, unpack the archive to one of the following locations:
-
In Windows:
%LOCALAPPDATA%\Application Inspector Analyzer -
In Linux:
~/application-inspector-analyzer
-
You can start a project scan in the following ways:
- By clicking the Scan button.
- By clicking Scan Options → Full Local Scan.
- By saving project changes (if you selected On saving for the Trigger scan setting).
The scan progress is displayed in the bottom panel and in the Log tab of the PT Application Inspector panel. The first scan usually takes longer due to the initial load on the database of vulnerable components.
Scans are performed based on the default settings. You can change these settings in the .aiproj.json configuration file. To create the aiproj.json file, in the File menu, select New → Aiproj file.
To exclude files or folders from scanning, use the .aiignore file. To create the .aiignore file, in the File menu, select New → Aiignore file. The syntax of this file is similar to the .gitignore syntax. For more information, see git-scm.com/docs/gitignore. You can also use the SkipGitIgnoreFiles setting in the .aiproj.json file to exclude from scanning files and folders from the .gitignore file. By default, this setting is enabled.
To stop a project scan, click Stop scan in the PT Application Inspector panel or close the progress bar in the bottom toolbar.
You can find the list of all detected vulnerabilities on the Detected Vulnerabilities tab of the PT Application Inspector panel. If you click a vulnerability in the list, the line with its exit point gets highlighted in the code editor. If the system detected vulnerabilities that are not included in the code analyzer database, they are marked with the ? tag. Second-order vulnerabilities are marked with the 1>2 tag.
The Description tab contains the vulnerability description with example attack scripts, fix recommendations, and links to references.
The [PT AI] Vulnerability Details panel displays additional information about the vulnerability. The Data Flow tab contains a data-flow diagram that shows how each process converts its input data to output data and how processes interact. Data-flow diagrams consist of the following sections:
- Entry point. A point where data flow analysis starts.
- Data entry point. A file and code line where untrusted data enter the program.
- Data changes. The description of one or several functions that modify potentially harmful input data. This section may not be displayed on the diagram if the input data were not modified.
- Exit point. The execution line of a potentially vulnerable function. This is the exit point related to the vulnerability in the source code.
You can go to the corresponding place in the code editor from any section of the data-flow diagram.
For vulnerabilities detected in Solidity applications using the Pygrep core, the Metavariables tab is displayed in the card instead of the Data flow tab. When scanning a project, the Pygrep core uses rules from the PT AI Enterprise Edition knowledge base or custom rules, the path to which is specified in the Solidity language settings. Each rule contains templates describing metavariables and regular expressions for finding these metavariables. A vulnerability is considered to be found if there are lines of code in which a regular expression corresponding to a metavariable is triggered.
The Exploit tab contains a test HTTP request that can be used to exploit the vulnerability in a deployed web application. You can automatically generate an exploit by clicking Generate Exploit.
Note. To exploit a vulnerability, specify the address of the host where your web application is deployed in the .aiproj.json file. The default value is "localhost."
Note. This feature is available in commercial versions of JetBrains IDE.
Some vulnerabilities have additional exploitation conditions displayed in the Additional Conditions tab.
When you scroll through the sections of the diagram, the vulnerability information is automatically pinned until you move on to another vulnerability. If you want to view the information about a certain vulnerability while working on the code, you can pin this vulnerability manually.
Several vulnerabilities can have the same exit point. If these vulnerabilities belong to the same type, they are grouped together and displayed as one problem with different exploitation options. You can view detailed information about such vulnerabilities in the [PT AI] Vulnerability Details panel.
Note. If you confirm one vulnerability from the group, the whole problem will be confirmed automatically. To discard an entire problem, you must discard all the vulnerabilities in the group.
The PT Application Inspector plugin contains a set of tools for managing detected vulnerabilities. With these tools, you can do the following:
- Filter vulnerabilities by severity, status, and suppression from scan results by clicking the eye button.
- Confirm and discard vulnerabilities by clicking Confirm or Discard on the [PT AI] Vulnerability Details panel.
- Confirm, discard, and suppress vulnerabilities in their context menu in the code editor. There you can also perform group actions on all vulnerabilities in the file. For example, click Confirm vulnerability → Fix all code vulnerabilities in the file.
- Manage the statuses of several vulnerabilities by selecting them in the Detected Vulnerabilities tab and changing the status using the corresponding button.
If a large number of vulnerabilities is detected during project scanning, you can sort them out much faster using the assistant function. The assistant gives recommendations in the following order:
- Confirm vulnerabilities that have an exploit
- Discard vulnerabilities with a detected filtering function
- Confirm or discard a group of vulnerabilities similar in type or vulnerable code
- Review vulnerability statuses assigned manually by the user

- Maximum number of tokens in one recommendation (the number of tokens in the same text may vary between models)
For the correct operation of the PT Application Inspector plugin, the following technical requirements must be met:
- JetBrains IDE (PhpStorm, IntelliJ IDEA, WebStorm) 2025.1 or later
- 8 GB RAM
- 5 GB of free hard drive space
Supported 64-bit OS:
- Debian 11 Bullseye or later
- Fedora Workstation 38 or later
- OpenSUSE Leap 15.5 or later
- Ubuntu 22.04 LTS or later
- Ubuntu 23.04 or later
- Windows 11
- ALT Linux OS in the test mode
Supported macOS:
- Big Sur 11.5 or later
- Monterey 12.0.0 or later
If you have any questions about the plugin, follow the links in the Help & Feedback section on the plugin configuration page to get the necessary information, join our community, or report an issue.
By default, the PT Application Inspector plugin collects anonymous telemetry. This allows our specialists to improve the stability and performance of the product. They can optimize resource consumption and speed up scanning, find and fix errors across different IDE versions more quickly, and understand which features are used most often to improve the user experience.
Only technical metrics (interaction events, environment settings, and the main scanning settings) for the plugin and IDE are sent. Source code, credentials, tokens, and project contents are completely excluded. All data is transmitted over a secure HTTPS channel, processed anonymously, and not shared with third parties. It does not contain any confidential information.
If you do not want to participate in telemetry collection, disable the Allow telemetry collection setting. Changes take effect immediately, without restarting the IDE.













