IDE Setup

Vekt ships a Language Server Protocol (LSP) server -- vekt-lsp -- that provides supply chain diagnostics inside any LSP-compatible editor. When you open a supported manifest file (package.json, Cargo.toml, pyproject.toml, etc.), the LSP checks your declared dependencies and surfaces findings as inline diagnostics.


What the LSP provides

  • Diagnostics -- inline squiggles on dependency declarations with findings. Malicious packages appear as errors; vulnerabilities as warnings; security-holders as informational hints.
  • Hover info -- hover over a package name to see a summary of all findings, including advisory IDs and links.
  • Code actions -- where a fixed version is available, a quick-fix action offers to update the version constraint.
  • On-save scanning -- the LSP scans when you open or save a file. It does not scan on every keystroke.

Supported manifest files for LSP diagnostics:

package.json, Cargo.toml, pyproject.toml, requirements.txt, go.mod, Gemfile, composer.json, pubspec.yaml, mix.exs, cabal.project, rebar.config

Note: The LSP operates on manifest files (which declare your direct dependencies), not lockfiles. For lockfile scanning, use vekt scan from the CLI.


Install vekt-lsp

The LSP binary must be in your PATH before configuring your editor.

# Download prebuilt binary (-f makes curl fail on an HTTP error instead of saving the error page)
curl -fLo vekt-lsp https://kief.dev/vekt/releases/latest/vekt-lsp-linux-x86_64
chmod +x vekt-lsp
mkdir -p ~/.local/bin
mv vekt-lsp ~/.local/bin/vekt-lsp

# Or build from source
cargo install vekt-lsp

Verify:

vekt-lsp --version

Set your API key so the LSP can make authenticated requests:

vekt auth set vkt_live_xxxxxxxxxxxxxxxxxxxx

The LSP reads the key from ~/.config/vekt/config.toml, which is the same location used by the CLI.


VS Code, VSCodium, Windsurf, Cursor

Install the Vekt extension from the marketplace:

  • VS Code: marketplace.visualstudio.com
  • VSCodium: Available in the Open VSX Registry
  • Windsurf and Cursor: Install from the VS Code-compatible extension marketplace in your editor

The extension bundles vekt-lsp -- you do not need to install the binary separately.

Settings (in settings.json or the Settings UI):

{
  "vekt.apiKey": "vkt_live_xxxxxxxxxxxxxxxxxxxx",
  "vekt.severity.minimum": "warning",
  "vekt.codeLens.enabled": false,
  "vekt.scan.onSave": true
}

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| vekt.apiKey | string | "" | API key. If empty, falls back to VEKT_API_KEY env var and then the config file. |
| vekt.severity.minimum | string | "warning" | Minimum severity to show diagnostics: "error", "warning", "information", "hint" |
| vekt.codeLens.enabled | boolean | false | Show inline code lens with finding counts above dependency blocks |
| vekt.scan.onSave | boolean | true | Trigger a scan on file save |

Neovim

Requires nvim-lspconfig.

Add the following to your Lua config:

local lspconfig = require('lspconfig')
local configs = require('lspconfig.configs')

-- Register vekt-lsp if it doesn't already exist
if not configs.vekt then
  configs.vekt = {
    default_config = {
      cmd = { 'vekt-lsp' },
      filetypes = {
        'json',          -- package.json
        'toml',          -- Cargo.toml, pyproject.toml
        'requirements',  -- requirements.txt (Neovim's filetype for it, not 'python')
        'gomod',         -- go.mod (Neovim's filetype for it, not 'go')
        'ruby',          -- Gemfile
      },
      root_dir = lspconfig.util.root_pattern(
        'package.json', 'Cargo.toml', 'pyproject.toml',
        'requirements.txt', 'go.mod', 'Gemfile'
      ),
      settings = {
        vekt = {
          severity = { minimum = 'warning' },
          scan = { onSave = true },
        },
      },
    },
  }
end

lspconfig.vekt.setup({})

If you use mason.nvim, you can install vekt-lsp through Mason once the package is registered there. Until then, ensure the binary is in your PATH.


Zed

Add a language server entry to your Zed settings (~/.config/zed/settings.json):

{
  "lsp": {
    "vekt": {
      "binary": {
        "path": "vekt-lsp"
      },
      "settings": {
        "vekt": {
          "severity": {
            "minimum": "warning"
          }
        }
      }
    }
  }
}

Then register it as a language server for the relevant file types: in your extension.toml if you are developing a Zed extension, or via the built-in LSP configuration otherwise.


Helix

Add the following to ~/.config/helix/languages.toml:

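# A language-servers list here replaces Helix's default list for that language,
# so include any server you already rely on.
[[language]]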
name = "json"
language-servers = ["vekt-lsp"]

[[language]]
name = "toml"
language-servers = ["vekt-lsp"]

[language-server.vekt-lsp]
command = "vekt-lsp"

To limit diagnostics to a minimum severity, pass the flag at startup:

[language-server.vekt-lsp]
command = "vekt-lsp"
args = ["--min-severity", "warning"]

Sublime Text

Install the LSP package from Package Control, then install LSP-vekt.

If LSP-vekt is not yet available in Package Control, configure it manually by adding the following to your LSP settings (Preferences > Package Settings > LSP > Settings):

{
  "clients": {
    "vekt": {
      "enabled": true,
      "command": ["vekt-lsp"],
      "selector": "source.json, source.toml, source.python, source.ruby, source.go",
      "settings": {
        "vekt": {
          "severity": {
            "minimum": "warning"
          }
        }
      }
    }
  }
}

JetBrains (IntelliJ, PyCharm, WebStorm)

Install the LSP4IJ plugin from the JetBrains Marketplace (search for "LSP4IJ").

After installing the plugin, navigate to Settings > Languages & Frameworks > Language Servers and add a new server:

  • Name: Vekt
  • Command: vekt-lsp
  • File name patterns: package.json, Cargo.toml, pyproject.toml, requirements.txt, go.mod, Gemfile, composer.json

For configuration, add an initialization options block:

{
  "vekt": {
    "severity": {
      "minimum": "warning"
    },
    "scan": {
      "onSave": true
    }
  }
}

Emacs

Using eglot (built-in, Emacs 29+)

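;; eglot runs one server per major mode: these entries take precedence over
;; any other server registered for the same modes.
(with-eval-after-load 'eglot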
  (add-to-list 'eglot-server-programs
               '((js-mode js-ts-mode json-mode) . ("vekt-lsp")))
  (add-to-list 'eglot-server-programs
               '((toml-mode toml-ts-mode) . ("vekt-lsp")))
  (add-to-list 'eglot-server-programs
               '((python-mode python-ts-mode) . ("vekt-lsp"))))

Using lsp-mode

(with-eval-after-load 'lsp-mode
  (lsp-register-client
   (make-lsp-client
    :new-connection (lsp-stdio-connection "vekt-lsp")
    :activation-fn (lsp-activate-on "package.json" "Cargo.toml" "pyproject.toml"
                                     "requirements.txt" "go.mod" "Gemfile")
    :server-id 'vekt-lsp
    :priority -1)))

Settings reference

These settings are recognized by vekt-lsp regardless of which editor you use. Pass them in the initializationOptions or settings block depending on your editor's LSP client.

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| vekt.apiKey | string | "" | API key for authenticated requests. Falls back to VEKT_API_KEY environment variable and then the CLI config file. |
| vekt.severity.minimum | string | "warning" | Minimum severity level to report as diagnostics. Accepts "error", "warning", "information", "hint". Malicious packages always appear at "error" regardless of this setting. |
| vekt.codeLens.enabled | boolean | false | Display code lens annotations above dependency blocks summarizing finding counts. |
| vekt.scan.onSave | boolean | true | Scan the document each time it is saved. Disable to scan only on open. |
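
The key fallback described in both settings tables (vekt.apiKey, then VEKT_API_KEY, then the config file) means a key typed into an editor setting wins and can end up in a committed or synced settings file. The following is an added example, not part of Vekt or its documentation: it reports which source would supply the key, finds config files that embed a literal key, and checks that a config file is readable only by its owner. The key pattern beyond the vkt_live_ prefix, the file suffixes scanned, and all sample values are assumptions constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: keys share the page's "vkt_live_" prefix; charset and length are guesses.
KEY_RE = re.compile(r"vkt_live_([A-Za-z0-9]{8,})")
CONFIG_SUFFIXES = {".json", ".toml", ".lua", ".el"}  # formats used on this page


def key_source(settings, env):
    """Documented fallback: vekt.apiKey, then VEKT_API_KEY, then the config file."""
    if settings.get("vekt.apiKey"):
        return "editor-setting"
    if env.get("VEKT_API_KEY"):
        return "environment"
    return "config-file"


def scan_for_keys(root):
    """Relative paths of config files under root that embed a literal key."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or path.suffix not in CONFIG_SUFFIXES or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if any(set(m.group(1)) != {"x"} for m in KEY_RE.finditer(text)):  # skip xxxx placeholders
            hits.append(path.relative_to(root).as_posix())
    return hits


def config_is_private(path):
    """True when group and other have no permission bits on the file (POSIX)."""
    return (os.stat(path).st_mode & 0o077) == 0


def demo():
    """Run the checks on a constructed workspace; every value here is made up."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "settings.json").write_text('{"vekt.apiKey": "vkt_live_A1b2C3d4E5f6G7h8"}')
    (root / "README.json").write_text('{"vekt.apiKey": "vkt_live_xxxxxxxxxxxxxxxxxxxx"}')
    cfg = root / "config.toml"  # stand-in for ~/.config/vekt/config.toml
    cfg.write_text("# constructed\n")
    os.chmod(cfg, 0o644)
    return scan_for_keys(root), config_is_private(cfg)


if __name__ == "__main__":
    print(demo())
```

Run scan_for_keys against a repository root before committing editor settings, and config_is_private against ~/.config/vekt/config.toml after vekt auth set.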