BoostSecurity for VS Code
Secure the developer endpoint in the age of AI coding agents. BoostSecurity governs the coding agents, MCP servers, and IDE extensions running on your workstation — and inspects the packages, secrets, and context they touch — so risk is caught at the point of creation, not in CI.
Works with VS Code, Cursor, and Windsurf.
Key features
- Endpoint inventory — continuously collects your installed IDE extensions and configured MCP servers and reports them to your BoostSecurity tenant for governance and visibility.
- MCP safe-packages guardrails — protects agentic coding workflows by steering AI agents to only install vetted, trusted packages.
- Dependency & manifest detection — identifies project manifests across your workspace and validates the packages they pull in.
- Package validation — checks package integrity and security posture before a dependency lands in your code.
- Secrets scanning — detects unencrypted credentials, API keys, tokens, and other insecure local configuration patterns.
- Dedicated sidebar — a Boost Security activity-bar view with live scan Results and Authentication panels.
Requirements
VS Code 1.85.0 or newer (Cursor and Windsurf on a compatible VS Code engine are also supported).
A BoostSecurity account — sign up at boostsecurity.io or request access from your organization administrator.
Supported platforms (platform-specific .vsix builds are published per target):
| OS | Architectures |
|---|---|
| macOS | x64, arm64 |
| Linux | x64, arm64 |
| Windows | x64 |
Get started in 3 steps
1. Install the extension. Click Install, or search for BoostSecurity in the Extensions view (Ctrl+Shift+X / Cmd+Shift+X) of VS Code, Cursor, or Windsurf.
2. Sign in. Open the Boost Security view in the activity bar and use the Authentication panel to sign in with SSO, or run Boost Security: Login with API Key from the Command Palette.
3. Open the Results panel. Scans run automatically; trigger a fresh one any time with the play icon or Boost Security: Trigger Scan.
Authentication
Two sign-in methods are supported:
- SSO — click Sign in with SSO in the Authentication sidebar view, or run Boost Security: SSO Login. An Auth0-backed browser flow completes the handshake.
- API key — generate a key in your BoostSecurity account and run Boost Security: Set API Key (or Boost Security: Login with API Key). Keys are stored using VS Code's encrypted SecretStorage.
To sign out: Boost Security: Sign Out (clears both SSO session and stored API key).
What Boost scans
- Installed IDE extensions — name, publisher, and version of every extension active in your editor.
- MCP server configurations — the MCP servers your editor and agents are wired up to.
- Project manifests — package.json, requirements.txt, go.mod, and friends — to enumerate declared dependencies.
- Package posture — each dependency is checked against BoostSecurity's package-integrity rules.
- Secrets & credentials — local files are scanned for API keys, tokens, and unencrypted credentials.
Results land in the Results sidebar panel and sync to your BoostSecurity tenant on the reporting interval.
MCP safe-packages guardrails
The extension can configure your editor's MCP client so that AI coding agents can only install packages Boost has vetted.
- On first activation (unless disabled) you'll be prompted to enable safe-packages MCP. Accept to wire it up automatically.
- Run Boost Security: Configure MCP Safe Packages at any time to (re)apply the configuration.
- Run Boost Security: Remove MCP Configuration to disable it.
- Disable the first-run prompt entirely by setting boostsec.mcpAutoPrompt to false.
Commands
All commands are available from the Command Palette (Ctrl+Shift+P / Cmd+Shift+P) under the Boost Security category.
| Command | Description |
|---|---|
| Boost Security: SSO Login | Sign in via BoostSecurity SSO. |
| Boost Security: Login with API Key | Sign in using an API key. |
| Boost Security: Set API Key | Store or replace the API key (encrypted). |
| Boost Security: Clear API Key | Remove the stored API key. |
| Boost Security: Sign Out | Clear the active session. |
| Boost Security: Trigger Scan | Run a scan on demand. |
| Boost Security: View Scan Results | Open the Results panel. |
| Boost Security: Sync Inventory | Force an inventory report to BoostSecurity. |
| Boost Security: View Inventory | Inspect the inventory last sent. |
| Boost Security: Configure MCP Safe Packages | Apply the safe-packages MCP configuration. |
| Boost Security: Remove MCP Configuration | Remove the safe-packages MCP configuration. |
Extension settings
Available under Settings → Extensions → BoostSecurity (or by editing settings.json).
| Setting | Type | Default | Description |
|---|---|---|---|
| boostsec.apiEndpoint | string | https://api.boostsecurity.io | BoostSecurity API endpoint. Override only for self-hosted or staging tenants. |
| boostsec.reportingInterval | number | 86400 | How often (in seconds) the extension re-reports inventory. Default: 24 hours. |
| boostsec.mcpAutoPrompt | boolean | true | Whether to prompt on activation to configure Boost MCP safe packages. |
| boostsec.authToken | string | "" | Deprecated. Any value here is migrated to secure storage automatically. Use Boost Security: Set API Key instead. |
Privacy & data collection
BoostSecurity is a security product — transparency about what leaves your machine matters. The extension sends the following to the API endpoint configured in boostsec.apiEndpoint:
- Inventory data: list of installed IDE extensions (name, publisher, version) and configured MCP servers.
- Scan findings: results from dependency, package-validation, and secret scans performed locally.
- Endpoint identity: developer and machine identifiers returned by the bundled Boost endpoint CLI, used to associate findings with your account.
What it does not send: source code, file contents outside of scan findings, or arbitrary telemetry.
Credential handling: API keys are stored exclusively in VS Code's encrypted SecretStorage. The deprecated boostsec.authToken setting is migrated automatically on first activation and then cleared from user settings.
Opting out: sign out (Boost Security: Sign Out) or uninstall the extension to stop all reporting.
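A check a workstation team could run over the text of settings.json, covering the settings table and the credential-handling statement above: it flags a leftover plaintext boostsec.authToken, an overridden boostsec.apiEndpoint, and a lengthened boostsec.reportingInterval. This is an added example, not BoostSecurity's code; the allowed-host list, the interval ceiling, the finding names and the sample input are assumptions.

```javascript
// Added example: audit settings.json text for the boostsec.* settings documented on this page.
// settings.json is JSONC, so comments and trailing commas are removed before JSON.parse.
function stripJsonc(text) {
  let out = "", inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      out += c;
      if (c === "\\") out += text[++i] ?? "";      // keep the escaped character as-is
      else if (c === '"') inString = false;
    } else if (c === '"') { inString = true; out += c; }
    else if (c === "/" && text[i + 1] === "/") {   // line comment: skip to end of line
      while (i < text.length && text[i] !== "\n") i++;
      out += "\n";
    } else if (c === "/" && text[i + 1] === "*") { // block comment: skip to closing */
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 1;
    } else if (c === "}" || c === "]") out = out.replace(/,\s*$/, "") + c; // drop trailing comma
    else out += c;
  }
  return out;
}

// allowedHosts and maxInterval are assumed organisation policy, not values from the extension.
function auditBoostSettings(jsoncText, allowedHosts = ["api.boostsecurity.io"], maxInterval = 86400) {
  const s = JSON.parse(stripJsonc(jsoncText));
  const findings = [];
  // Deprecated plaintext setting: report presence only, never echo the value.
  if (typeof s["boostsec.authToken"] === "string" && s["boostsec.authToken"] !== "")
    findings.push("plaintext-token");
  const endpoint = s["boostsec.apiEndpoint"] ?? "https://api.boostsecurity.io";
  try {
    const url = new URL(endpoint);
    if (url.protocol !== "https:") findings.push("endpoint-not-https");
    if (!allowedHosts.includes(url.hostname)) findings.push("endpoint-host-not-allowed");
  } catch { findings.push("endpoint-unparseable"); }
  const interval = s["boostsec.reportingInterval"] ?? 86400;
  if (typeof interval !== "number" || interval > maxInterval) findings.push("interval-exceeds-policy");
  return findings;
}

// Constructed sample input, not a real configuration or key.
const SAMPLE_SETTINGS = `{
  // user settings
  "boostsec.apiEndpoint": "http://boost.example.internal/api", /* override */
  "boostsec.authToken": "EXAMPLE-NOT-A-REAL-KEY",
  "boostsec.reportingInterval": 604800,
}`;
console.log(auditBoostSettings(SAMPLE_SETTINGS));
```

For a self-hosted or staging tenant, pass that tenant's hostname in allowedHosts so the documented override is not reported.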
Troubleshooting
- Sidebar does not appear — check that the extension is active (Command Palette → Developer: Show Running Extensions) and reload the window (Developer: Reload Window).
- Authentication fails — confirm boostsec.apiEndpoint matches your tenant, then retry SSO; if SSO is blocked by your network, fall back to an API key via Boost Security: Set API Key.
- Missing platform binary — the extension ships platform-specific .vsix builds. If you see binary-missing errors, install the .vsix matching your OS/architecture.
- Self-hosted / staging tenant — point boostsec.apiEndpoint at your tenant URL before signing in.
Support
Questions, bug reports, or feature requests? Email the BoostSecurity team at support@boostsecurity.io.
License
Use of this extension is governed by the BoostSecurity End User License Agreement — see LICENSE.md. Copyright © 2026 BoostSecurity.io Inc. All rights reserved.