IDE Integration
Visual Studio Code Extension¶
Scan is full integrated with Visual Studio Code IDE via its own native extension. Use this extension to perform security scans and visualize the scan results without leaving your IDE. You can also navigate to the source code and remediate the results by interacting with the scan results.
Features¶
- One-click security scanning (SAST based scanning)
- Navigation to the source location of the result
- Scan Results shows details about the result:
- Result info
- Run info
- Code flow steps
- Attachments
- Fixes
- macOS touch bar support
Results Viewer¶
- Automatically launches after performing a scan or when the workspace contains .sarif files in reports directory
- Updates the Result Details Panel with the currently selected result in the Results List, Problems Panel, or in source code
- Manually open it by typing "Scan: View Results" in the Command Palette(Ctrl+P or ⌘+P) or using the hotkey (Ctrl+L then Ctrl+E)
Install¶
- Install or upgrade Visual Studio Code. Requires version 1.41.0 or higher.
- Open up the extensions tab (Ctrl + Shift + X) and search for "Scan". Click "Install"
- Alternatively, Quick Open (Ctrl + P)m paste the follwing command
ext install shiftleftsecurity.shiftleft-scan
and press enter. - Reload VS Code
- Install Docker Desktop for performing Scan
Use¶
- Perform a Scan by using the
Perform Security Scan
option in the results window. Or in the Command Palette (Ctrl+Shift+p or ⌘+⇧+p) type "Scan: Security Scan" or use the hotkey (Ctrl+l then Ctrl+p) - Results will show up on the Scan Findings panel
- Click the result you're investigating. The editor will navigate to the location
Monorepo support¶
While working with large monorepo based repositories, configure the application root to limit the scanning to specific application directories. To do this, go to Preferences and search for "Scan". Specify the App Root
as shown below:
Note
This configuration can be specified for either the user or for the workspace. To set it for a particular workspace, choose the Workspace
tab in the above settings screen.
Troubleshooting¶
- VS Code version should be 1.41.0 or higher for the extension to install and work
- The user should be part of the
docker
group on Linux and Mac. Please refer to the post install steps for your platform. Example below for linux.
sudo groupadd docker
sudo usermod -aG docker $USER
Warning
Internet connectivity is required while loading the results for the first time. You might see the below error otherwise.
Unable to load schema from 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json': getaddrinfo ENOTFOUND raw.githubusercontent.com.