Secure Review
Secure Review is a VS Code extension and local CLI for static secure code review, dependency review, and Docker-based dynamic web security testing.
It is designed to help developers and security teams scan local repositories or Bitbucket-hosted repositories without needing to manually stitch together multiple tools.
What You Can Do With It
- Run static workspace scans inside VS Code
- Scan the currently open file
- Review findings in a dedicated activity bar view
- See inline diagnostics in the editor
- Open a report webview with summaries, evidence, and remediation guidance
- Export findings as DOCX from the extension
- Run the same engine from the terminal with the
secure-review CLI
- Scan Bitbucket repositories directly by URL
- Enrich results with local tools such as
semgrep, eslint, bandit, pip-audit, gosec, cppcheck, and others when available
- Run OWASP ZAP dynamic scans against developer-controlled local or test web applications
Key Capabilities
Static review
Secure Review combines built-in rule packs, repository heuristics, optional external tools, and stack-aware checks.
It covers areas such as:
- hard-coded secrets and credentials
- weak cryptography usage
- command execution risks
- injection-style patterns
- auth and authorization issues
- dependency and supply-chain risks
- configuration and infrastructure risks
- testing gaps
- reliability, maintainability, and performance smells
Dynamic review
Secure Review can launch OWASP ZAP through Docker and run:
- baseline scans for passive checks
- full scans for active testing
- API-focused scans using an API definition URL when available
Dynamic findings are grouped and normalized into the same reporting model used by static scans.
CLI agent
The secure-review CLI supports:
- local repository inspection
- bootstrap planning for scanner tools
- local path scans
- Bitbucket repository scans by HTTPS or SSH URL
- optional report export
- optional dynamic scan integration
Installation
Option 1: Install From Visual Studio Marketplace
- Open VS Code.
- Open the Extensions view.
- Search for
Secure Review.
- Click
Install.
Option 2: Install From VSIX
If you have a packaged .vsix file:
- Open VS Code.
- Open the Extensions view.
- Choose
Extensions: Install from VSIX...
- Select the
.vsix file.
If you are packaging the extension from source:
npm install
npm run verify
npm run package
This creates a .vsix package in the repository root.
Option 3: Install The CLI
From npm:
npm install -g secure-review-extension
Then run:
secure-review help
If you are using the source repository locally:
npm install
npm link
secure-review help
Quick Start In VS Code
- Open a project folder in VS Code.
- Open the Command Palette.
- Run
Secure Review: Scan Workspace.
- Open the
Secure Review activity bar view to inspect findings.
- Run
Secure Review: Open Review Report to see the in-editor report.
- Run
Secure Review: Export Findings Report to create a DOCX report.
Available extension commands:
Secure Review: Check Workspace RequirementsSecure Review: Scan WorkspaceSecure Review: Scan Current FileSecure Review: Dynamic Scan Local AppSecure Review: Open Review ReportSecure Review: Export Findings ReportSecure Review: Clear FindingsSecure Review: Ignore Finding
Quick Start In The CLI
Inspect a local repository:
secure-review inspect /path/to/repo
Inspect a Bitbucket repository:
secure-review inspect https://bitbucket.org/workspace/repository
See which optional scanner tools are recommended:
secure-review bootstrap /path/to/repo
Run a scan:
secure-review scan /path/to/repo --severity medium
Export HTML output:
secure-review scan /path/to/repo --format html --out review.html
Export DOCX output:
secure-review scan /path/to/repo --format docx --out review.docx
Run a scan against a Bitbucket repository without cloning it manually:
secure-review scan git@bitbucket.org:workspace/repository.git --severity medium
CLI Commands
inspect
Displays detected languages, frameworks, and recommended scanner tools for:
- a local workspace path
- a Bitbucket repository URL
- a Bitbucket browser URL with
/src/<branch>/
- a Bitbucket SSH clone URL
Examples:
secure-review inspect /path/to/repo
secure-review inspect https://bitbucket.org/acme/payments-service
secure-review inspect https://bitbucket.org/acme/payments-service/src/main/
secure-review inspect git@bitbucket.org:acme/payments-service.git
bootstrap
Prints the install plan for matching scanner tools. With --run, Secure Review executes the supported install commands when possible.
Examples:
secure-review bootstrap /path/to/repo
secure-review bootstrap /path/to/repo --run
secure-review bootstrap git@bitbucket.org:acme/payments-service.git
scan
Runs static review, optional dynamic review, and optional report export.
Examples:
secure-review scan /path/to/repo --severity low
secure-review scan /path/to/repo --severity high --format json --out findings.json
secure-review scan /path/to/repo --format html --out review.html
secure-review scan /path/to/repo --format docx --out review.docx
secure-review scan https://bitbucket.org/acme/payments-service/src/release-1.2/ --severity medium
secure-review scan git@bitbucket.org:acme/payments-service.git --branch main --severity medium
Bitbucket Repository Support
Secure Review can scan repositories that are not already present on the local machine.
Supported inputs:
https://bitbucket.org/workspace/repohttps://bitbucket.org/workspace/repo/src/main/git@bitbucket.org:workspace/repo.git
Behavior:
- the repository is cloned to a temporary directory
- the requested branch is resolved automatically when possible
- the scan runs against that temporary workspace
- the temporary clone is cleaned up after the scan
Tips:
- use SSH URLs for private repositories if SSH access is already configured
- use
--branch <name> to override the branch when the URL does not specify one
Dynamic Scan Usage
Dynamic scanning is intended only for applications and endpoints you control.
Requirements:
- Docker installed and running
- a reachable local or test web application
- a configured target URL
Example local app:
PORT=3001 node sample-workspace/dev-server.js
CLI example:
secure-review scan /path/to/repo \
--dynamic-url http://127.0.0.1:3001 \
--dynamic-mode baseline
API scan mode example:
secure-review scan /path/to/repo \
--dynamic-url http://127.0.0.1:3001 \
--dynamic-mode api \
--dynamic-api-url http://127.0.0.1:3001/openapi.json
Dynamic scan modes:
baseline: passive checks and safer first passfull: active testing for controlled targets onlyapi: API-oriented scan using a provided definition URL
Typical dynamic findings include:
- missing security headers
- cookie security issues
- information disclosure
- reflected or stored attack candidates surfaced by ZAP
- transport and response hardening issues
What Secure Review Checks
Secure Review blends several scan styles into one findings model.
Built-in static rules
- secrets and credentials
- dangerous sinks such as shell execution, HTML injection, and weak crypto
- auth and authorization patterns
- framework-aware checks
- code quality and maintainability warnings
Repository heuristics
- dependency hygiene and supply-chain risks
- runtime and environment configuration concerns
- Docker, Kubernetes, Terraform, and compose issues
- package-manager and deployment misconfiguration
When the relevant tools are installed locally, Secure Review can enrich results using:
semgrepeslintnpm auditbanditpip-auditspotbugsgosecgovulncheckcargo-auditclippycppcheckbrakemanphpstan.NET package vulnerability checks
Findings include richer classification so the output is more honest and easier to review manually. Depending on the engine and evidence, findings may be classified as:
- likely vulnerabilities
- runtime vulnerabilities
- dependency risks
- contextual warnings
- recommendations
They may also include evidence strength, origin, and a manual-review recommendation flag.
Default Scan Exclusions
To reduce noise and improve performance, Secure Review skips common dependency and build folders by default, including:
.gitnode_modules.venvvenvenvvendordistbuildtargetcoverage__pycache__
This helps the scanner stay focused on project code rather than vendored packages and generated artifacts.
Report Output
In VS Code
The extension can export findings as a DOCX report.
The export flow prompts for:
- project name
- report date
- scan type
- optional notes
The report includes:
- executive summary
- severity summary
- findings by category
- findings by review domain
- severity-grouped overview
- detailed findings with evidence and remediation guidance
- recommendations summary
- methodology, limitations, and scan configuration
In The CLI
The CLI supports:
- plain terminal output
jsonhtmlmddocx
Examples:
secure-review scan /path/to/repo --format json --out findings.json
secure-review scan /path/to/repo --format html --out review.html
secure-review scan /path/to/repo --format md --out review.md
secure-review scan /path/to/repo --format docx --out review.docx
If you want deeper language-specific coverage, you can inspect or bootstrap recommended local tools before running a scan.
From the repository source:
npm run bootstrap:tools
To execute supported install commands:
npm run bootstrap:tools:run
The bootstrap flow is best-effort:
- it detects the languages and frameworks present in the target workspace
- it recommends matching external tools
- it runs only supported install paths
- some tools may still require manual installation depending on the operating system and package manager
Security And Privacy Notes
- Static scans operate on the repository or workspace you explicitly choose.
- Dynamic scans use OWASP ZAP through Docker and should only target developer-controlled local or test applications.
- Secure Review is designed to work locally and does not require a remote analysis service.
- External tool integrations run only when the corresponding tools are available on the machine.
Troubleshooting
No findings appear
- Lower the minimum severity threshold.
- Confirm excluded globs are not hiding the relevant files.
- Check whether built-in rules or external tool integrations are disabled.
Dynamic scan fails
- Confirm Docker is installed and running.
- Confirm the target app is reachable from Docker.
- Start with
baseline mode before trying full.
A Bitbucket scan fails on a private repository
- Prefer an SSH URL such as
git@bitbucket.org:workspace/repo.git
- or configure HTTPS access with the appropriate Bitbucket credentials
The editor shows too many problem decorations
- Run
Secure Review: Clear Findings
- or disable VS Code problem decorations if you only want to hide the visual markers
A CLI scan seems stuck
- use the progress output to see which tool is running
- increase or lower
--tool-timeout-ms depending on the workspace size and installed tools
- verify that optional tools such as
semgrep or bandit are installed and working independently
Developing From Source
If you want to test the extension from source:
- Clone the repository.
- Run
npm install.
- Press
Fn + F5 in VS Code, or launch Run Secure Review Extension from Run and Debug.
- In the Extension Development Host, open a target project and run
Secure Review: Scan Workspace.
This repository includes a deliberately vulnerable sample in sample-workspace, which is useful for smoke testing.
For Maintainers
Common maintenance commands:
npm run verify
npm run package
npm run pack:cli:dry-run
npm run pack:cli
npm run publish:npm
npm run publish:marketplace
Before releasing:
- verify package metadata in
package.json
- confirm the publisher ID is correct
- validate the packaged VSIX locally
- validate the npm tarball locally if you are shipping the CLI
