SecureFlag Findings2Training Plugin for IntelliJ IDEA
SecureFlag Findings2Training is an IntelliJ IDEA plugin that watches for security issues in your project and automatically recommends the relevant training articles and hands-on practice labs to help you understand and fix them.
Prerequisites
Before installing, make sure you have the following ready:
- IntelliJ IDEA 2023.1 or later (or any JetBrains IDE).
- A SecureFlag API Access Token.
- A security scanner plugin active in your project (e.g., Snyk or SonarQube). Findings2Training does not detect vulnerabilities itself; it works from the warnings that other scanners raise in the IDE.
Installation
- Open IntelliJ IDEA.
- Navigate to Settings → Plugins.
- Click the Marketplace tab.
- Type SecureFlag Findings2Training in the search box and click Install.
- Restart IntelliJ IDEA when prompted.
Settings
Setting Up Your API Token
For the plugin to authenticate with SecureFlag, you need to generate an API Access Token from the SecureFlag Management Portal.
Generate Your Token
- Open the SecureFlag Management Portal.
- Navigate to the Settings icon on the top right and click it.
- From the API Access Tokens section, generate a token with either the Read knowledge base or the Full Access scope. Read knowledge base is the narrower scope and is all this plugin needs, so prefer it unless the same token must also serve something that requires Full Access.
Add Your Token
- Open Settings → Tools → SecureFlag Findings2Training.
- Paste your API Access Token into the API access token field.
- Click Apply and OK.
That's all the setup you need to get started. The plugin will begin working automatically from this point on.
Configuring a Proxy (Optional)
If your organization routes internet traffic through a proxy server, you'll need to tell the plugin about it so it can reach the SecureFlag API.
- Open Settings → Tools → SecureFlag Findings2Training.
- Enter your proxy address in the Proxy URL field.
Note: The URL must begin with http:// or https://. If you're unsure of your proxy address, check with your IT or network team.
If you don't use a proxy, leave this field blank.
Usage
Here's how it works behind the scenes:
- Your security scanner (e.g., Snyk or SonarQube) analyzes your code and raises warnings in IntelliJ's Problems tool window.
- SecureFlag Findings2Training detects those warnings and sends the issue descriptions to the SecureFlag API.
- The API matches each issue to the most relevant training article and practice lab in the SecureFlag library.
- The results appear directly in your editor as inline Quick Fix suggestions and in the SecureFlag Findings2Training tool window.
Automatic Analysis
Once you have your API token configured and a security scanner active, the plugin runs on its own.
- Whenever security warnings appear in your project, the plugin will pick them up and run an analysis in the background.
- The plugin also runs analysis when you open files, switch between files, or start your project.
- Analysis happens silently without interrupting your workflow.
Manual Analysis
If you'd like to run an analysis on demand, you can do so at any time:
- Go to Tools → SecureFlag Findings2Training: Analyze Security Problems.
- Or press Ctrl+Shift+A (Windows/Linux) / Cmd+Shift+A (macOS) to open Find Action, type SecureFlag Findings2Training: Analyze Security Problems, and select it.
After the analysis finishes, the SecureFlag Findings2Training tool window will open on the right sidebar, listing all the security vulnerabilities found in your open files, along with links to relevant training and practice labs.
If no security issues are detected, a notification will confirm that your project looks clean.
Using Quick Fixes in the Editor
For every security warning that the plugin has matched to training content, you'll see a Quick Fix option appear directly in your code editor.
How to use it:
- Place your cursor on a line that has a security warning (usually underlined or highlighted by your scanner).
- Press Alt+Enter (Windows/Linux) or Opt+Enter (macOS), or click the lightbulb icon (💡) that appears.
You'll see the following options under SecureFlag Findings2Training recommendations:

| Option | What it does |
| --- | --- |
| View Training: <Vulnerability Name> | Opens the training article for this specific vulnerability in the SecureFlag Findings2Training tool window. |
| Practice Lab: <Vulnerability Name> | Opens a hands-on practice lab in your web browser so you can practise fixing this type of issue. |
Tip: If you don't see these options immediately after a new warning appears, wait a moment for the background analysis to complete, then try again.
Viewing Results
Training Content
When you select View Training from the Quick Fix menu, the training content loads in the SecureFlag Findings2Training tool window on the right side of your IDE, so you can read and code at the same time without switching windows.
The training panel includes:
- A full explanation of the vulnerability.
- Code examples showing what the issue looks like and how to fix it.
Practice Labs
To open a lab instead, click Practice Lab from the Quick Fix menu. The lab will open in your default web browser.
Troubleshooting
No results are showing up.
- Double-check that your API Access Token is entered correctly in Settings → Tools → SecureFlag Findings2Training.
- Make sure a security scanner (Snyk, SonarQube, etc.) is installed and producing warnings.
- Ensure you have open files with security issues in the editor. The plugin only analyzes open files.
- Check your internet connection.
- If you're behind a corporate proxy, verify the proxy URL is correct in Settings → Tools → SecureFlag Findings2Training → Proxy URL.
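A quick way to confirm the whole pipeline (scanner warning, background analysis, Quick Fix) is to open a file containing a pattern your scanner is known to flag. The class below is an added, constructed smoke-test file, not part of the SecureFlag plugin or its documentation; it assumes your scanner has a rule for SQL built by string concatenation (SonarQube and Snyk Code both ship one, though exact coverage varies by scanner and edition). The class and method names are arbitrary.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Constructed smoke-test file for checking that scanner warnings reach
// SecureFlag Findings2Training. Open it in the editor, wait for the scanner
// to raise its warning, then press Alt+Enter on the flagged line.
public class SecureFlagSmokeTest {

    // Deliberately vulnerable: untrusted input is concatenated into the query.
    // This is the line your scanner should underline; once Findings2Training has
    // matched the warning, the "View Training" / "Practice Lab" options appear here.
    static ResultSet findUserVulnerable(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    // Hardened form: a parameterised query, which is what the matched training
    // article will recommend. It should carry no warning after re-analysis.
    static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```

If the scanner underlines the concatenated query but no Quick Fix appears after a few seconds, the problem is on the Findings2Training side (token, proxy, or connectivity); if nothing is underlined at all, the scanner itself is not running on the file.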
The Quick Fix options aren't appearing on a warning line.
- Quick Fix options appear only after the plugin has successfully matched that warning to training content. The plugin analyzes in the background with a short delay (2-3 seconds). Wait for the analysis to complete, then try again.
- Verify your API token is configured correctly.
- Ensure your cursor is placed on a security warning (highlighted by your security scanner).
Privacy
SecureFlag Findings2Training is designed with your privacy in mind. When analyzing your project, the plugin sends only the text of the security warning messages and the detected programming language to the SecureFlag API.
Your source code is never sent: the plugin does not read or transmit file contents, variable names, credentials, or personal information. Note that the warning text itself is forwarded as written by your scanner, so if a scanner quotes an identifier or snippet inside its message, that quoted text is part of what is sent.