Coderwodar – AI Security Scanner


Abdul Mateen Qamar

2 installs | (0) | Free
AI-powered security code analysis and CVE vulnerability detection for your project dependencies. Detects OWASP Top 10, CWE vulnerabilities, and checks npm/pip/NuGet packages against known CVEs. Powered by OpenAI and Supabase.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

🛡️ CodeWode — AI-Powered Security Extension for VS Code

AI-driven static code analysis + CVE dependency audit, powered by OpenAI & Supabase


✨ Features

  • 🔍 Code Scan: AI-powered analysis for 20+ vulnerability types (OWASP Top 10, CWE)
  • 📦 Dependency Audit: checks npm (package.json), pip (requirements.txt) and NuGet (.csproj / packages.config) packages against known CVEs
  • 🧠 AI Security Assistant: ask CodeWode AI any security question with full scan context
  • 🔎 Vector Search: semantic CVE and pattern search via Supabase pgvector
  • 📊 Dashboard: scan history, security scores, trend analytics
  • 🔔 Diagnostics: inline VS Code diagnostics with severity, CWE links and fix hints
  • ⌨️ Keybinding: Ctrl+Shift+S (Mac: Cmd+Shift+S) to scan instantly

⚙️ Configuration Settings

Inside VS Code settings (Ctrl+, or Cmd+,), search for CodeWode to configure these settings:

  • codewode.backendUrl (string, default http://localhost:5000): Endpoint of the backend API
  • codewode.autoScanOnSave (boolean, default false): Automatically scan active files when they are saved
  • codewode.minSeverityToReport (string, default "medium"): Minimum vulnerability severity to report (info, low, medium, high, critical)
  • codewode.excludePatterns (array, default ["**/node_modules/**", "**/.git/**", "**/dist/**", "**/build/**"]): Glob patterns to exclude from workspace scanning
  • codewode.enableVectorSearch (boolean, default true): Enable semantic vector search for related CVEs
  • codewode.openaiApiKey (string, default ""): Optional OpenAI API key (stored in VS Code secret storage)

Because the analysis is AI-driven, a scan sends the code being scanned, and an audit the dependency manifests, to the server at codewode.backendUrl and from there to the configured AI provider. Point the setting only at a backend you trust, and use https for any host other than localhost; with autoScanOnSave enabled this happens on every save.

🚀 How to Use CodeWode

CodeWode consists of a VS Code Extension (Frontend) and a Node.js/Express Server (Backend) backed by Supabase. There are two ways to run CodeWode:

Option A: Local Development Environment (Run from Source)

If you are developing CodeWode, debugging it, or running it fully from the source code, follow these steps:

1. Setup Backend Environment Variables

Create a .env file in the backend/ directory based on the backend/.env.example template:

PORT=5000
HOST=0.0.0.0   # listens on every interface; use 127.0.0.1 for a private local instance

# Supabase database config (Settings -> API in Supabase console)
SUPABASE_URL="https://xxx.supabase.co"
SUPABASE_ANON_KEY="your-supabase-anon-key"
# The service role key bypasses Row Level Security: keep it in this server-side
# .env only, never in the extension, client code or source control.
SUPABASE_SERVICE_ROLE_KEY="your-supabase-service-role-key"

# AI Service
AI_PROVIDER=openai
AI_API_KEY="sk-your-openai-api-key"
AI_MODEL="gpt-4o-mini"
AI_BASE_URL="https://api.openai.com/v1" # (Optional: any OpenAI-compatible endpoint; scanned code is sent here)

# NVD API
NVD_API_KEY="your-nvd-api-key" # (Optional: for fetching live CVE entries that are not cached locally)

2. Apply Database Migrations (Supabase)

CodeWode uses Supabase's pgvector extension for semantic searches. Apply the migrations inside the supabase/migrations/ folder:

  • Automatic Migration:
    cd backend
    npm install
    npm run migrate
    
  • Manual Migration: Go to your Supabase SQL Editor and run these SQL migration scripts in order:
    1. supabase/migrations/001_cve_table.sql
    2. supabase/migrations/002_scan_history.sql
    3. supabase/migrations/003_vector_embeddings.sql

Once migrated, seed vulnerability pattern embeddings:

cd backend
node src/scripts/seedEmbeddings.js

3. Run with start.bat (Windows)

For convenience, you can use the automated bootstrap script located in the project root: Double-click start.bat or run it from a PowerShell/CMD terminal:

.\start.bat

This script will automatically:

  1. Install backend dependencies (npm install inside backend/).
  2. Check if Port 5000 is free and launch the backend server in a separate window (npm run dev).
  3. Install extension dependencies (npm install inside extension/).
  4. Compile the TypeScript code (npm run compile).

4. Run Manually / Launch in Debug Mode

To run manually without start.bat:

  • Start Backend API:
    cd backend
    npm install
    npm run dev
    
  • Build Extension:
    cd extension
    npm install
    npm run compile  # or 'npm run watch' for continuous building
    
  • Launch Extension Development Host:
    1. Open the extension folder in a new VS Code window.
    2. Press F5 (or go to Run and Debug -> Run Extension).
    3. A new [Extension Development Host] window will open with CodeWode loaded.

Option B: Published Store Version (Downloaded from VS Code Marketplace)

If you downloaded the compiled version from the VS Code Extension Store, you only have the frontend extension package. To use it, you must link it to a CodeWode backend server. You can choose one of the following methods:

Method 1: Connect to a Shared/Hosted Backend (Standard Team Setup)

If your organization or team has already set up and hosted a CodeWode backend server:

  1. Open VS Code settings (Ctrl+, or Cmd+,).
  2. Search for codewode.backendUrl.
  3. Set the URL to your hosted server's URL (e.g., https://codewode.api.internal).
  4. CodeWode will connect immediately and is ready to scan.

Method 2: Connect to a Local Backend Server (Standard Private Setup)

If you want to keep your scans private, you can run a local instance of the backend. Note that a local backend still forwards scanned code to the AI endpoint configured in AI_BASE_URL (api.openai.com unless you change it); for scans that never leave your network, point AI_BASE_URL at an OpenAI-compatible endpoint you host yourself:

  1. Clone the repository or download the backend/ and supabase/ folders.
  2. Complete the steps in Option A (Steps 1 & 2) to set up your environment variables (.env) and apply migrations to your Supabase instance.
  3. Start the local server:
    cd backend
    npm install
    npm start
    
  4. Keep the backend running on http://localhost:5000. By default, the published extension will search for a backend on http://localhost:5000 and connect to it automatically.
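Both methods come down to the value of codewode.backendUrl, and that value deserves a check before the extension sends anything to it, since every scan request carries the file being scanned. The guard below is an added example in JavaScript and is not code from the CodeWode extension or its BackendClient; the policy it enforces (plaintext http:// only for loopback hosts, no embedded credentials, 0.0.0.0 refused), the function names and the return shape are this example's own assumptions, not documented CodeWode behaviour.

```javascript
// Added example (JavaScript), not code from the CodeWode extension. It checks a
// candidate codewode.backendUrl value before any scan request is sent. The
// policy is an assumption of this example: http:// is accepted only for
// loopback hosts, because the request carries the file being scanned.

const LOOPBACK_NAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// URL.hostname keeps the brackets of an IPv6 literal, hence "[::1]" above.
function isLoopbackHost(hostname) {
  if (LOOPBACK_NAMES.has(hostname)) return true;
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname); // 127.0.0.0/8
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Returns { ok: true, url } with a normalised base URL, or { ok: false, reason }.
function validateBackendUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  if (url.username || url.password) {
    // Credentials embedded in the URL would end up in settings.json and logs.
    return { ok: false, reason: "credentials in the URL are not allowed" };
  }
  if (url.hostname === "0.0.0.0") {
    // 0.0.0.0 is what a server binds to (see HOST in the backend .env), not a client target.
    return { ok: false, reason: "0.0.0.0 is a bind address, not a reachable host" };
  }
  if (url.protocol === "http:" && !isLoopbackHost(url.hostname)) {
    return { ok: false, reason: `plaintext http to ${url.hostname}; use https for non-local backends` };
  }
  url.search = ""; // the client appends route paths to the base URL
  url.hash = "";
  return { ok: true, url: url.href.replace(/\/$/, "") };
}

// The setting's default and a hosted https backend pass; http to an intranet host is refused.
for (const candidate of ["http://localhost:5000", "https://codewode.api.internal", "http://codewode.api.internal"]) {
  console.log(candidate, validateBackendUrl(candidate));
}
```

The 127.0.0.0/8 match matters because a local backend bound to HOST=127.0.0.1 is reachable on any address in that block; everything else on plain http is refused rather than warned about, so a typo such as dropping the "s" from a hosted URL fails closed.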

🛠️ Usage Instructions

Once CodeWode is active (shown as a $(shield) CodeWode status bar item at the bottom left):

  1. Scan Current File:

    • Open any file (JavaScript, TypeScript, Python, Java, C#, C/C++, Go, Rust, PHP, Ruby, Swift, Kotlin).
    • Press Ctrl+Shift+S (Mac: Cmd+Shift+S).
    • Or click the $(shield) CodeWode status bar item.
    • Or right-click in the editor and choose CodeWode: Scan Current File.
    • Inline squiggly diagnostics will appear next to vulnerable lines.
  2. Audit Project Dependencies:

    • Open a project containing package.json, requirements.txt, or .csproj files.
    • Open the command palette (Ctrl+Shift+P) and select CodeWode: Audit Dependencies.
    • Vulnerable dependencies and their CVE details will appear in the Dependency Audit tab in the sidebar.
  3. AI Security Assistant Chat:

    • Click on the shield icon in the Activity Bar to open the CodeWode sidebar.
    • Select the comment bubble icon ($(comment-discussion)) or run CodeWode: Open AI Security Assistant from the command palette.
    • Chat with the AI helper to get explanations or refactoring instructions for vulnerabilities.
  4. Security Dashboard:

    • Open the sidebar, select the graph icon ($(graph)) or run CodeWode: Open Dashboard.
    • View your workspace security grade, historic trends, and vulnerability counts.
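What the Audit Dependencies step does at the data level, as an added JavaScript example that is not the project's own audit code: collect (name, version spec) pairs from a package.json and a requirements.txt, resolve each spec to a version, and look it up in a local CVE cache keyed by ecosystem and package name. It goes a little beyond the page by folding in the codewode.minSeverityToReport threshold. The manifests, the cache, the package names and the advisory ids are constructed for the example; the [introduced, fixed) range model and the rule of auditing a spec's lower bound when no lockfile is available are this example's own assumptions.

```javascript
// Added example, not CodeWode's own audit code. Manifests, cache, package
// names and advisory ids below are CONSTRUCTED; a real cache is filled from NVD.

const PACKAGE_JSON = JSON.stringify({
  dependencies: { "examplepkg-a": "^1.2.0", "examplepkg-b": "4.17.1" },
  devDependencies: { "examplepkg-c": "~2.0.0" },
});

const REQUIREMENTS_TXT = [
  "# constructed requirements file",
  "requests-like==2.25.0",
  "pyyaml-like>=5.3,<6",
  "flask-like  # unpinned on purpose",
].join("\n");

// Each advisory names an affected version range [introduced, fixed).
const CVE_CACHE = {
  npm: {
    "examplepkg-a": [{ id: "EXAMPLE-1", introduced: "1.0.0", fixed: "1.2.5", severity: "high" }],
    "examplepkg-b": [{ id: "EXAMPLE-2", introduced: "4.0.0", fixed: "4.17.2", severity: "medium" }],
  },
  pip: {
    "requests-like": [{ id: "EXAMPLE-3", introduced: "0.0.0", fixed: "2.26.0", severity: "high" }],
    "pyyaml-like": [{ id: "EXAMPLE-4", introduced: "0.0.0", fixed: "5.4.0", severity: "critical" }],
  },
};

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// "1.2" -> [1, 2, 0]. Pre-release and build tags are dropped (a simplification).
function parseVersion(v) {
  const parts = v.trim().replace(/^v/, "").split(/[-+]/)[0].split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function inRange(version, introduced, fixed) {
  return compareVersions(version, introduced) >= 0 && compareVersions(version, fixed) < 0;
}

// Lower bound of a spec: "^1.2.0" -> "1.2.0", ">=5.3,<6" -> "5.3", "" -> null.
// Without a lockfile the installed version is unknown, so the oldest version the
// spec allows is audited (assumption); a lockfile-aware audit uses exact versions.
function lowerBound(spec) {
  for (const part of spec.split(",")) {
    const m = /^\s*(?:\^|~|>=|===|==|=|v)?\s*(\d+(?:\.\d+)*)/.exec(part);
    if (m) return m[1];
  }
  return null;
}

function parsePackageJson(text) {
  const pkg = JSON.parse(text);
  return ["dependencies", "devDependencies"].flatMap((field) =>
    Object.entries(pkg[field] || {}).map(([name, spec]) => ({ ecosystem: "npm", name, spec })));
}

function parseRequirementsTxt(text) {
  return text.split("\n").flatMap((raw) => {
    const m = /^([A-Za-z0-9_.-]+)\s*(.*)$/.exec(raw.split("#")[0].trim()); // comments stripped
    return m ? [{ ecosystem: "pip", name: m[1].toLowerCase(), spec: m[2] }] : [];
  });
}

// Look every dependency up in the cache; advisories below minSeverity are
// dropped, mirroring the codewode.minSeverityToReport setting.
function auditDependencies(deps, cache, minSeverity = "info") {
  const floor = SEVERITY_RANK[minSeverity];
  return deps.map((dep) => {
    const version = lowerBound(dep.spec);
    if (version === null) return { ...dep, version: null, status: "unpinned", advisories: [] };
    const advisories = ((cache[dep.ecosystem] || {})[dep.name] || []).filter(
      (a) => inRange(version, a.introduced, a.fixed) && SEVERITY_RANK[a.severity] >= floor,
    );
    return { ...dep, version, status: advisories.length ? "vulnerable" : "clean", advisories };
  });
}

function runDemoAudit(minSeverity = "info") {
  const deps = [...parsePackageJson(PACKAGE_JSON), ...parseRequirementsTxt(REQUIREMENTS_TXT)];
  return auditDependencies(deps, CVE_CACHE, minSeverity);
}

const vulnerableNames = (findings) =>
  findings.filter((f) => f.status === "vulnerable").map((f) => f.name);

for (const f of runDemoAudit()) {
  console.log(`${f.ecosystem}/${f.name} ${f.version || "(unpinned)"}: ${f.status}`, f.advisories.map((a) => a.id));
}
```

An unpinned requirement is reported as its own status rather than silently passing, because a package with no version cannot be cleared against any range; and lowering the threshold to "high" drops the medium-severity advisory on examplepkg-b from the result, which is exactly the effect the default "medium" setting has on low and info findings.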

🗂️ Project Structure

vscodeExtension/
├── backend/                # Node.js/Express API
│   ├── src/
│   │   ├── index.js        # Server entry point
│   │   ├── config/         # Supabase clients (Admin and Anon)
│   │   ├── routes/         # API routes (scan, cve, chat)
│   │   ├── services/       # OpenAI, CVE, vector search
│   │   └── scripts/        # Migrate and seed scripts
│   └── .env.example        # Environment variables template
│
├── extension/              # VS Code Extension (TypeScript)
│   ├── src/
│   │   ├── extension.ts    # Main activation
│   │   ├── api/            # Backend HTTP client (BackendClient)
│   │   ├── commands/       # Scan, audit, chat, dashboard commands
│   │   ├── providers/      # Tree views, diagnostics, webview providers
│   │   └── utils/          # Helpers
│   └── media/              # Icons, webview assets
│
└── supabase/
    └── migrations/         # SQL migrations (pgvector, tables, functions)

🛠️ Tech Stack

  • Extension: TypeScript, VS Code Extension API
  • Backend: Node.js, Express, OpenAI SDK
  • Database: Supabase (PostgreSQL + pgvector)
  • AI: OpenAI GPT-4o-mini (code analysis + chat)
  • CVE Data: NVD API + local Supabase cache
  • Vector Search: Supabase pgvector (text-embedding-3-small)