CodeVigil
AI-powered security vulnerability scanning for source code. CodeVigil combines a VS Code extension with an embedded MCP server to scan your code for vulnerability patterns, check dependencies against CVE databases (OSV.dev + NVD), and render results inline in Copilot chat, editor diagnostics, and a rich WebView dashboard.
Features
- Code Pattern Scanning — Detects vulnerability patterns across 15 languages, including JavaScript, TypeScript, Python, Java, Go, Rust, C/C++, C#, Ruby, PHP, Kotlin and Scala
- Secret Detection — Finds hardcoded API keys, tokens, and credentials
- Dependency CVE Checking — Cross-references your dependencies against OSV.dev and NVD databases
- Editor Diagnostics — Squiggly lines and hover tooltips for detected vulnerabilities
- Copilot Chat Integration — @codevigil chat participant with scan, deps, report, and status commands
- Security Dashboard — WebView panel with severity charts, clickable findings, and dependency CVE tables
- SARIF Export — Export scan results in SARIF format for CI/CD integration
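The secret-detection and SARIF-export features above come down to two decisions worth seeing in working code: which patterns fire (and what keeps them from flooding results with placeholders), and how to report a hit without copying the secret into the report that CI will store. The following is an added example and not CodeVigil's own code; the rule IDs, regexes, the 3.5 bits/char entropy threshold, the placeholder list and the sample source are all illustrative assumptions.

```typescript
// Added example, not CodeVigil's own code: a minimal pattern-plus-entropy
// secret scanner that emits its findings as a SARIF 2.1.0 log. Rule IDs,
// patterns, thresholds and the sample source below are illustrative assumptions.

interface SecretRule {
  id: string;
  description: string;
  pattern: RegExp;    // must carry the g flag; group 1 (if present) is the secret value
  minEntropy: number; // Shannon entropy (bits/char) the value must reach; 0 = no check
}

const RULES: SecretRule[] = [
  {
    id: "AWS_ACCESS_KEY_ID",
    description: "AWS access key ID",
    pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g,
    minEntropy: 0, // fixed format, no entropy gate needed
  },
  {
    id: "GENERIC_SECRET_ASSIGNMENT",
    description: "Hardcoded api key, secret, token or password in an assignment",
    pattern: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']/gi,
    minEntropy: 3.5, // loose pattern, so require the value to look random
  },
  {
    id: "PEM_PRIVATE_KEY",
    description: "PEM-encoded private key block",
    pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g,
    minEntropy: 0,
  },
];

// Values that are obviously stubs or template references rather than real secrets.
const PLACEHOLDER = /^(?:your[_-]|changeme|placeholder|todo|xxx|<|\$|\{\{)/i;

interface Finding {
  ruleId: string;
  line: number;   // 1-based
  column: number; // 1-based
  masked: string; // prefix only; the full secret never leaves scanSource
}

interface SarifResult {
  ruleId: string;
  level: string;
  message: { text: string };
  locations: object[];
}

interface SarifLog {
  $schema: string;
  version: string;
  runs: { tool: object; results: SarifResult[] }[];
}

// Shannon entropy in bits per character over the string's own symbol frequencies.
function shannonEntropy(s: string): number {
  if (s.length === 0) return 0;
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const ch of Object.keys(counts)) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

// Keep four characters so a reviewer can recognise the hit; star out the rest.
function maskSecret(value: string): string {
  let stars = "";
  for (let i = 4; i < value.length; i++) stars += "*";
  return value.slice(0, 4) + stars;
}

function scanSource(text: string): Finding[] {
  const findings: Finding[] = [];
  const lines = text.split(/\r?\n/);
  lines.forEach((lineText, idx) => {
    for (const rule of RULES) {
      rule.pattern.lastIndex = 0; // global regex: reset before scanning each line
      let m: RegExpExecArray | null;
      while ((m = rule.pattern.exec(lineText)) !== null) {
        const value = m[1] !== undefined ? m[1] : m[0];
        if (PLACEHOLDER.test(value)) continue;
        if (rule.minEntropy > 0 && shannonEntropy(value) < rule.minEntropy) continue;
        findings.push({ ruleId: rule.id, line: idx + 1, column: m.index + 1, masked: maskSecret(value) });
      }
    }
  });
  return findings;
}

function toSarif(uri: string, findings: Finding[]): SarifLog {
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: "example-secret-scanner",
        rules: RULES.map((r) => ({ id: r.id, shortDescription: { text: r.description } })) } },
      results: findings.map((f) => ({
        ruleId: f.ruleId,
        level: "error",
        message: { text: `Possible hardcoded secret (${f.masked})` }, // masked, never the raw value
        locations: [{ physicalLocation: {
          artifactLocation: { uri },
          region: { startLine: f.line, startColumn: f.column } } }],
      })),
    }],
  };
}

// Constructed sample input (not a real file). AKIAIOSFODNN7EXAMPLE is the key
// AWS uses in its own documentation, so no live credential appears here.
const SAMPLE_SOURCE = [
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',            // flagged: fixed-format key
  'const apiKey = "your_api_key_here";',               // skipped: placeholder
  'const password = "hunter2";',                       // skipped: shorter than 16 chars
  'const secret = "aaaaaaaaaaaaaaaaaaaa";',            // skipped: entropy 0 bits/char
  'const token = "0123456789abcdef0123456789abcdef";', // flagged: entropy 4.0 bits/char
  '// -----BEGIN RSA PRIVATE KEY-----',                // flagged: PEM header
].join("\n");

console.log(JSON.stringify(toSarif("src/config.ts", scanSource(SAMPLE_SOURCE)), null, 2));
```

The placeholder and entropy gates are what make a loose rule like the generic assignment pattern usable at all; without them every `your_api_key_here` stub is a finding. The SARIF message carries only a masked prefix on purpose: a scan report uploaded to a CI system is itself a place secrets leak from. Run the file with ts-node; feeding the printed JSON to a code-scanning upload step is what the CI/CD integration amounts to.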
Usage
- Open a supported source file
- Type @codevigil scan in the Copilot chat panel, or press Ctrl+Shift+V / Cmd+Shift+V
- Review findings inline and in the Security Dashboard
Commands
| Command | Description |
| --- | --- |
| @codevigil scan | Scan active file for vulnerabilities |
| @codevigil deps | Check dependencies for known CVEs |
| @codevigil report | Full security report for workspace |
| @codevigil status | CVE database sync status |
License
CodeVigil is dual-licensed:
- Scanning engine (src/server/ and src/shared/) — Apache 2.0
- VS Code extension (src/extension/) — Proprietary
The scanning engine is fully open-source. You are free to use, modify, and
distribute it under the terms of the Apache 2.0 license. Contributions to the
scanning engine are welcome and will be licensed under Apache 2.0.
The VS Code extension (including Pro features, licensing, dashboard, and
diagnostics) is proprietary software by BitsPlus LLC. You may view the source
code for security auditing purposes, but redistribution is not permitted.