CI/CD Security Agent 🛡️
AI-powered security scanner for CI/CD pipelines — right inside VS Code.
Automatically detect secrets, CVEs, misconfigurations, and container vulnerabilities in your GitHub Actions, Dockerfiles, Terraform, and more — powered by Claude AI.
Features
- 🔑 Secret Scanning — Detect hardcoded API keys, passwords, tokens, and credentials
- 📦 Dependency Audit — Find known CVEs in your package dependencies
- 🔍 SAST Analysis — Identify insecure code patterns and injection risks
- 🐳 Container Security — Audit Dockerfiles for best practice violations
- ☁️ IaC Security — Catch Terraform and Kubernetes misconfigurations
- 🛡️ Permissions Audit — Enforce least-privilege and flag overly permissive roles
- 💬 AI Chat — Ask follow-up questions about findings and get remediation guidance
- 🔴 Inline Diagnostics — See issues highlighted directly in your editor
Supported File Types
| File | Detection |
|---|---|
| .github/workflows/*.yml | GitHub Actions |
| .gitlab-ci.yml | GitLab CI |
| Dockerfile | Docker |
| *.tf | Terraform |
| *.yml / *.yaml | Generic pipeline YAML |
| Jenkinsfile | Jenkins |
| .circleci/config.yml | CircleCI |
Getting Started
1. Install the Extension
Search for "CI/CD Security Agent" in the VS Code Extensions Marketplace.
2. Set Your Anthropic API Key
Open the Command Palette (Cmd/Ctrl+Shift+P) and run:
CI/CD Security: Set Anthropic API Key
Get your API key at console.anthropic.com.
3. Scan a File
- Open any .yml, .yaml, Dockerfile, or .tf file
- Click the 🛡️ shield icon in the editor title bar
- Or right-click → CI/CD Security: Scan Current File
- Or use the Command Palette: CI/CD Security: Scan Current File
4. View Results
Results appear in:
- The CI/CD Security panel (Activity Bar sidebar)
- Inline diagnostics (red/yellow underlines in your editor)
- The dashboard panel with full findings and AI chat
Commands
| Command | Description |
|---|---|
| CI/CD Security: Scan Current File | Scan the active editor file |
| CI/CD Security: Scan Entire Workspace | Scan all pipeline files in workspace |
| CI/CD Security: Open Dashboard | Open the full security dashboard |
| CI/CD Security: Set Anthropic API Key | Configure your API key |
Settings
| Setting | Default | Description |
|---|---|---|
| cicdSecurity.anthropicApiKey | "" | Your Anthropic API key |
| cicdSecurity.autoScanOnSave | false | Auto-scan pipeline files on save |
| cicdSecurity.severityThreshold | medium | Minimum severity for inline diagnostics |
| cicdSecurity.showInlineDiagnostics | true | Show issues in editor gutter |
Example Findings
🔴 CRITICAL Hardcoded AWS Access Key
AWS_KEY: AKIAIOSFODNN7EXAMPLE found in env block
Fix: Use GitHub Secrets or AWS OIDC federation
🟡 HIGH Privileged Container
--privileged flag grants full host access
Fix: Drop all capabilities, add only required ones
🟡 MEDIUM Public S3 Bucket
acl = "public-read" exposes bucket to internet
Fix: Remove ACL, use bucket policies with specific principals
How It Works
Each scan runs 6 parallel AI checks using the Claude model claude-sonnet-4-20250514:
- Files are read and classified by type
- Each check sends targeted prompts to the Anthropic API
- Findings are parsed, deduplicated, and ranked by severity
- Results appear as inline diagnostics + sidebar tree + dashboard
Your code is sent to the Anthropic API for analysis. Review Anthropic's privacy policy before scanning sensitive configs.
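The classification and the deduplicate-and-rank steps listed under How It Works can be sketched as follows. This is an added example, not the extension's source: the names `classifyFile`, `mergeFindings`, `Finding` and the sample data are hypothetical, the patterns follow the Supported File Types table (accepting .yaml for workflow files is an assumption), and the threshold mirrors `cicdSecurity.severityThreshold`.

```typescript
// Added example with hypothetical names; not the extension's own code.
type Severity = "critical" | "high" | "medium" | "low";
interface Finding { file: string; line: number; rule: string; severity: Severity; check: string; }
const SEVERITY_ORDER: Severity[] = ["critical", "high", "medium", "low"];

// Most specific patterns first: a workflow file also matches "*.yml", so the
// generic YAML rule must come last or it would shadow every CI-specific rule.
const FILE_TYPES: [RegExp, string][] = [
  [/(^|\/)\.github\/workflows\/[^/]+\.ya?ml$/, "GitHub Actions"],
  [/(^|\/)\.gitlab-ci\.yml$/, "GitLab CI"],
  [/(^|\/)\.circleci\/config\.yml$/, "CircleCI"],
  [/(^|\/)Dockerfile$/, "Docker"],
  [/(^|\/)Jenkinsfile$/, "Jenkins"],
  [/\.tf$/, "Terraform"],
  [/\.ya?ml$/, "Generic pipeline YAML"],
];

function classifyFile(path: string): string | null {
  const normalized = path.replace(/\\/g, "/"); // Windows-style separators
  for (const [pattern, label] of FILE_TYPES) {
    if (pattern.test(normalized)) return label;
  }
  return null; // not a pipeline file, so nothing is scanned or sent
}

// Merge the output of parallel checks: one entry per (file, line, rule),
// keeping the highest severity reported, then drop findings below threshold.
function mergeFindings(findings: Finding[], threshold: Severity): Finding[] {
  const rank = (s: Severity) => SEVERITY_ORDER.indexOf(s);
  const best = new Map<string, Finding>();
  for (const f of findings) {
    const key = `${f.file}:${f.line}:${f.rule.toLowerCase()}`;
    const seen = best.get(key);
    if (!seen || rank(f.severity) < rank(seen.severity)) best.set(key, f);
  }
  return Array.from(best.values())
    .filter((f) => rank(f.severity) <= rank(threshold))
    .sort((a, b) => rank(a.severity) - rank(b.severity) || a.file.localeCompare(b.file) || a.line - b.line);
}

// Constructed sample: one key reported by two checks, plus a low-severity item.
const SAMPLE: Finding[] = [
  { file: ".github/workflows/ci.yml", line: 12, rule: "Hardcoded AWS Access Key", severity: "high", check: "sast" },
  { file: ".github/workflows/ci.yml", line: 12, rule: "hardcoded aws access key", severity: "critical", check: "secrets" },
  { file: "Dockerfile", line: 3, rule: "Privileged Container", severity: "high", check: "container" },
  { file: "main.tf", line: 8, rule: "Missing tags", severity: "low", check: "iac" },
];
console.log(mergeFindings(SAMPLE, "medium"));
```

Returning `null` for unrecognized paths matters here because every classified file is sent to a third-party API; a classifier that falls through to a default type would upload files the user never intended to scan.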
Publishing to Marketplace
# Install dependencies
npm install
# Compile TypeScript
npm run compile
# Package extension
npx vsce package
# Publish (requires PAT from marketplace.visualstudio.com)
npx vsce publish
Prerequisites
- Create a publisher at marketplace.visualstudio.com
- Update "publisher" in package.json to your publisher ID
- Create a Personal Access Token with Marketplace > Manage scope
- Add a 128x128px resources/icon.png
- Run vsce publish
License
MIT