UBEL — Supply-Chain Firewall
Multi-ecosystem security scanner for the developer's machine and tools.
What is UBEL?
UBEL is a software composition analysis (SCA) tool and install-blocking firewall built for teams who care about what enters their supply chain at every layer. Unlike report-only scanners, UBEL enforces policy — if a scan fails, it blocks the operation and tells you exactly why. It spans the entire delivery chain: from the moment a developer adds a dependency, through CI validation, to what is running on a deployment server or inside an AI agent's runtime environment.
Extension's features
Commands
All three commands are also accessible via the Command Palette (
Installation
From the Marketplace
Search for UBEL in the VS Code Extensions panel, or install directly:
From VSIX
Scan Project (
| Ecosystem | Resolved From |
|---|---|
| Node.js (npm, pnpm, yarn, bun) | node_modules/ on-disk walk |
| Python | .venv/, venv/, virtual environment directories |
| PHP | vendor/ |
| Rust | Cargo.lock |
| Go | go.sum |
| C#/.NET | packages.lock.json, obj/project.assets.json |
| Java | pom.xml resolved dependencies |
| Ruby | Gemfile.lock |
Report location
<project-root>/.ubel/reports/latest.*
Scan VS Code Extensions (Ctrl+Alt+X)
Scans the npm packages bundled inside your installed VS Code / Cursor / VS Codium extensions (~/.vscode/extensions, ~/.vscode-oss/extensions or ~/.cursor/extensions). Extensions are a meaningful supply-chain surface — they run with full Node.js access in the editor host process and are updated silently.
Report location
~/.vscode/extensions/.ubel/reports/latest.*
or
~/.vscode-oss/extensions/.ubel/reports/latest.*
or
~/.cursor/extensions/.ubel/reports/latest.*
Scan Host Platform (Ctrl+Alt+P)
Audits the system-level software installed on the developer's machine itself — a distinct attack surface from project dependencies. Vulnerabilities are matched using CPE 2.3 identifiers against the CVE/NVD database.
This catches what dependency scanners miss: a vulnerable version of Git, an unpatched Python interpreter, an outdated Docker Desktop install, or an end-of-life .NET runtime.
Windows — detected via registry probes and PowerShell, no elevated privileges required:
| Category | Components |
|---|---|
| Operating system | Windows 10 / 11 (build-accurate CPE version) |
| Security | Windows Defender |
| Runtimes | Node.js, Python, PHP, Go, Rust, Ruby, JRE, JDK |
| .NET | All installed .NET Core / Desktop / ASP.NET runtimes (multi-version) |
| Browsers | Chrome, Firefox, Microsoft Edge |
| Developer tools | Git, Docker Desktop, VS Code, Cursor |
| Shell | PowerShell |
Linux — reads the system package database directly, works as a standard user on most distributions:
| Distro family | Source |
|---|---|
| Debian / Ubuntu | /var/lib/dpkg/status |
| Alpine | /lib/apk/db/installed |
| Red Hat / AlmaLinux / Rocky | rpm -qa |
On RPM-based systems, rpm -qa may return partial results depending on SELinux policy if run without elevated privileges.
Report location
The report is always written to ~/.ubel/reports/latest.*, independent of any open workspace.
Scan Results
Every scan ends with a VS Code notification:
| Result | Notification | Meaning |
|---|---|---|
| ✅ | Scan complete — no policy violations | All packages passed |
| ⚠️ | Policy violation | Vulnerable or malicious package found above threshold |
| ❌ | Scan error | Unexpected failure — message contains details |
Every notification includes an Open Report button that opens the full interactive HTML report in your browser.
The HTML Report
Each scan produces a self-contained HTML file that works fully offline. It contains six tabs:
| Tab | Contents |
|---|---|
| Dashboard | Vulnerability counts by severity, policy decision summary, scan metadata |
| Vulnerabilities | Full list of matched CVEs with CVSS score, EPSS, severity, fix version, and policy decision |
| Inventory | Every scanned package with version, PURL, CPE, ecosystem, and vulnerability count |
| Graph | Interactive force-directed dependency graph — colour-coded by vulnerability status, with search, filter, drag, and pin |
| Stats | Severity distribution charts, top vulnerable packages, ecosystem breakdown |
| System | OS metadata, Node.js version, scan engine info |
Policy
All package managers share the same policy engine. Policy is stored per-project in .ubel/local/policy/config.json.
| Field | Values | Default | Behaviour |
|---|---|---|---|
| severity_threshold | low, medium, high, critical, none | high | Block packages at or above this severity |
| block_unknown_vulnerabilities | true, false | true | Block packages with CVEs but no CVSS score |
| Infections (MAL-*) | — | always blocked | Cannot be toggled; unconditionally blocked |
The threshold is inclusive — high blocks both high and critical. Setting none disables severity blocking but infections are still blocked.
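The decision rules above, worked through in code. This is an added example, not UBEL's own policy engine: the field names and their semantics are taken from the table, while the shape of a scan finding ({ id, severity, cvss }) and the reason strings are assumptions made here.

```javascript
// Added example, not UBEL's own code: a minimal evaluator applying the
// policy rules documented above to a list of scan findings. Field names
// and semantics come from the README; the finding shape is an assumption.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Documented defaults (the file lives at .ubel/local/policy/config.json).
const DEFAULT_POLICY = { severity_threshold: "high", block_unknown_vulnerabilities: true };

// Returns a block reason for one finding, or null when it is allowed.
function blockReason(policy, finding) {
  // Infections (MAL-*) are unconditional: no policy field can allow them.
  if (finding.id.startsWith("MAL-")) return "infection";

  // A CVE with no CVSS score has unknown severity; its own flag decides.
  if (finding.cvss == null || finding.severity == null) {
    return policy.block_unknown_vulnerabilities ? "unknown-severity" : null;
  }

  // "none" switches off severity-based blocking entirely.
  if (policy.severity_threshold === "none") return null;

  // Inclusive threshold: "high" blocks both high and critical.
  const threshold = SEVERITY_RANK[policy.severity_threshold];
  const actual = SEVERITY_RANK[finding.severity];
  if (threshold === undefined || actual === undefined) {
    throw new Error(`unknown severity: ${policy.severity_threshold} / ${finding.severity}`);
  }
  return actual >= threshold ? "severity-threshold" : null;
}

// Evaluates a whole scan: the operation is blocked if any finding is.
function evaluatePolicy(policy, findings) {
  const merged = { ...DEFAULT_POLICY, ...policy };
  const blocked = findings
    .map((f) => ({ ...f, reason: blockReason(merged, f) }))
    .filter((f) => f.reason !== null);
  return { decision: blocked.length > 0 ? "block" : "pass", blocked };
}

// Constructed sample findings; identifiers are placeholders, not real CVEs.
const SAMPLE_FINDINGS = [
  { id: "CVE-0000-0001", package: "pkg-a@1.0.0", severity: "medium", cvss: 5.3 },
  { id: "CVE-0000-0002", package: "pkg-b@2.1.0", severity: "high", cvss: 7.5 },
  { id: "CVE-0000-0003", package: "pkg-c@0.9.0", severity: null, cvss: null },
  { id: "MAL-0000-0004", package: "pkg-d@1.0.1", severity: null, cvss: null },
];
```

Running evaluatePolicy with the documented defaults blocks the high, unknown-score and MAL-* findings; with severity_threshold set to none and block_unknown_vulnerabilities false, only the MAL-* entry remains blocked.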
Coverage at a Glance
| Surface |
|---|
| Source repos & monorepos |
| Developer machines (Windows / Linux) |
| VS Code extension |
Repos and Monorepos
UBEL walks the entire directory tree and detects all supported ecosystems in a single pass — no per-language configuration needed. Monorepos with mixed stacks (e.g. a Node.js frontend, Python backend, and Rust service in the same repo) are fully covered in one invocation.
Developer Machines
The VS Code extension (Ctrl+Alt+P) and the ubel-platform CLI binary scan the host machine: OS, installed runtimes, browsers, developer tools, and security software. Vulnerabilities are matched using CPE 2.3 identifiers against the CVE/NVD database.
This surface catches what dependency scanners miss — a vulnerable version of Git, an unpatched Python interpreter, or an outdated Docker Desktop install.
Windows
Detected via registry probes and PowerShell — no elevated privileges required.
| Category | Components |
|---|---|
| Operating system | Windows 10 / 11 (build-accurate CPE version) |
| Security | Windows Defender |
| Runtimes | Node.js, Python, PHP, Go, Rust, Ruby, JRE, JDK |
| .NET | All installed .NET Core / Desktop / ASP.NET runtimes (multi-version) |
| Browsers | Chrome, Firefox, Microsoft Edge |
| Developer tools | Git, Docker Desktop, VS Code, Cursor |
| Shell | PowerShell |
Linux
Detected by reading the system package database directly.
| Distro family | Package manager | Source |
|---|---|---|
| Debian / Ubuntu | dpkg | /var/lib/dpkg/status |
| Alpine | apk | /lib/apk/db/installed |
| Red Hat / AlmaLinux / Rocky | rpm | rpm -qa |
On RPM-based systems, rpm -qa may return partial results depending on SELinux policy if run without elevated privileges.
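Both Linux sections above say the host scan reads /var/lib/dpkg/status directly and matches what it finds against CVE data via CPE identifiers. The following added example (not UBEL's code) shows the first half of that: turning a dpkg status database into an installed-package inventory. Keeping only stanzas whose Status ends in "installed" and stripping the Debian epoch/revision to get a CPE-style upstream version are choices made here, not documented UBEL behaviour.

```javascript
// Added example, not UBEL's own code: build an installed-package inventory from a
// dpkg status database, the input a host scan matches against CVE data. Keeping only
// "installed" stanzas and stripping epoch/revision for CPE matching are choices made here.

// Debian version = [epoch:]upstream[-revision]; CPE 2.3 wants the upstream part.
function upstreamVersion(version) {
  const noEpoch = version.replace(/^\d+:/, "");
  const dash = noEpoch.lastIndexOf("-");
  return dash === -1 ? noEpoch : noEpoch.slice(0, dash);
}

// Parse blank-line separated "Field: value" stanzas; continuation lines start with a space.
function parseDpkgStatus(text) {
  const inventory = [];
  for (const stanza of text.split(/\n\s*\n/)) {
    const fields = {};
    for (const line of stanza.split("\n")) {
      const m = /^([A-Za-z-]+):\s?(.*)$/.exec(line);
      if (m) fields[m[1]] = m[2]; // indented continuation lines never match
    }
    if (!fields.Package || !fields.Version) continue;
    // Status values such as "deinstall ok config-files" mean the package is gone.
    if (!/\binstalled$/.test(fields.Status || "")) continue;
    inventory.push({
      name: fields.Package,
      version: fields.Version,
      upstreamVersion: upstreamVersion(fields.Version),
      architecture: fields.Architecture || "",
    });
  }
  return inventory;
}

// Constructed excerpt in the /var/lib/dpkg/status format (not a real host's database).
const SAMPLE_STATUS = [
  "Package: git",
  "Status: install ok installed",
  "Architecture: amd64",
  "Version: 1:2.39.2-1.1",
  "Description: sample description",
  " continuation line that belongs to Description",
  "",
  "Package: python3.11",
  "Status: install ok installed",
  "Version: 3.11.2-6",
  "",
  "Package: removed-tool",
  "Status: deinstall ok config-files",
  "Version: 0.1-1",
].join("\n");
```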
Supported Ecosystems (Project Scan)
| Ecosystem | Package Manager | Resolved From |
|---|---|---|
| Node.js | npm, pnpm, yarn, bun | node_modules/ (on-disk walk) |
| Python | pip / virtualenv | .venv, venv, virtual environment directories |
| PHP | Composer | vendor/ |
| Rust | Cargo | Cargo.lock |
| Go | Go Modules | go.sum |
| C#/.NET | NuGet | packages.lock.json / obj/project.assets.json |
| Java/Kotlin | Maven | pom.xml resolved dependencies |
| Ruby | Bundler | Gemfile.lock |
Reports
Every scan writes self-contained interactive HTML, JSON, SBOM and SARIF reports.
| Scan target | Report path |
|---|---|
| Workspace | <project-root>/.ubel/reports/latest* |
| VS Code / VS Codium / Cursor extensions | ~/.vscode/extensions/.ubel/reports/latest* or ~/.vscode-oss/extensions/.ubel/reports/latest* or ~/.cursor/extensions/.ubel/reports/latest* |
| Host platform | ~/.ubel/reports/latest* |
Previous scans are retained under:
<project-root>/.ubel/local/reports/npm/health/<year>/<month>/<day>/
~/.vscode/extensions/.ubel/local/reports/npm/health/<year>/<month>/<day>/
~/.vscode-oss/extensions/.ubel/local/reports/npm/health/<year>/<month>/<day>/
~/.cursor/extensions/.ubel/local/reports/npm/health/<year>/<month>/<day>/
~/.ubel/local/reports/npm/health/<year>/<month>/<day>/
Requirements
- Node.js >=18.0.0
- Python >=3.9 (for ubel-pip, ubel-apt, ubel-dnf)
- VS Code ^1.85.0 (extension only)
Privacy
UBEL is fully local. The only external calls are to osv.dev's public API and [NVD's API](https://nvd.nist.gov/), which receive package PURLs (package name + version) to check for known vulnerabilities. No file contents, no dependency graphs, no machine identifiers, and no telemetry are sent anywhere.
License
AGPL-3.0-only — free for scanning your own projects and systems.
See LICENSE.md for details or contact ala.bouali.1997@gmail.com for commercial licensing.