This extension provides Software Composition Analysis (SCA) capabilities for VS Code, highlighting vulnerable dependencies in your project files and providing detailed vulnerability information.
Features
Scan your project for vulnerable dependencies using Johnny CLI
Highlight vulnerable dependencies in your code with severity-colored indicators
Display detailed vulnerability information on hover with quick fix options
Interactive vulnerability tree view with multiple grouping and filtering options
Support for a wide range of package formats across numerous ecosystems
One-click Quick Fixes to update vulnerable dependencies
Powerful BOM comparison capabilities
Automatic Johnny CLI updates when new versions are available
Installation
Install the extension from the VSIX file:
File → Preferences → Extensions
Click "..." at the top right corner
Select "Install from VSIX..." and navigate to the downloaded file
Configure CodeScoring SCA:
Set your API URL and API token
Choose your preferred installation type (Local or Docker)
Getting Started
Run a scan:
Click on the CodeScoring icon in the activity bar
Click "Run Scan" button, or
Use the command palette (Ctrl+Shift+P): CodeScoring SCA: Run Johnny CLI Scan
View results:
Vulnerable dependencies will be highlighted in your code
Hover over highlighted dependencies to see vulnerability details
Use the Vulnerabilities panel to browse all detected issues
Apply Quick Fixes by clicking the suggested version in the hover card
Compare with previous scans to see detailed component changes
Search results by package name, vulnerability ID, location, or change type
Johnny CLI Installation Options
The extension supports two methods for running Johnny CLI:
1. Local Executable (Default)
Auto-download: The extension automatically downloads and manages Johnny CLI
Custom path: Specify a path to your own Johnny CLI executable
2. Docker Container
Run Johnny CLI in an isolated Docker container
Requires Docker to be installed and running on your system
BOM File Management
Loading BOM Files
Auto-load: The extension automatically looks for BOM files in standard locations (.codescoring/bom.json, bom.json, etc.)
Manual load: Use CodeScoring SCA: Load BOM File command to select and load a specific BOM file
From scan: Running a scan automatically generates and loads a BOM file
Comparing BOM Files
The extension provides powerful BOM comparison capabilities:
Compare with loaded BOM: If you have a BOM file loaded, it will be used as the target for comparison
Compare two files: Select both base and target BOM files for comparison
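As an added example (not part of this README or of the CodeScoring extension), the script below shows what the BOM loading and comparison steps above amount to: it loads a base and a target BOM, classifies every component as added, removed, updated or unchanged, lists which vulnerability IDs were resolved or introduced between the two, and filters the result by package name or change type. The README does not state the BOM schema, so the example assumes a CycloneDX-style JSON document with a top-level "components" list and an optional "vulnerabilities" list; the two BOMs, their package versions and the vulnerability IDs are constructed placeholders.

```python
"""Added example: compare two CycloneDX-style BOM files (assumed schema, not the
extension's own code). Sample BOMs and vulnerability IDs below are constructed."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ComponentChange:
    change_type: str               # "added" | "removed" | "updated" | "unchanged"
    component: str                 # "group/name", or just "name" when no group
    base_versions: Tuple[str, ...]
    target_versions: Tuple[str, ...]


def load_bom(text: str) -> dict:
    """Parse a BOM file's JSON content (the same thing a 'Load BOM File' step does)."""
    return json.loads(text)


def component_key(comp: dict) -> str:
    group = comp.get("group")
    return f"{group}/{comp['name']}" if group else comp["name"]


def index_components(bom: dict) -> Dict[str, Set[str]]:
    """Map component key -> set of versions; a BOM may list one package twice."""
    index: Dict[str, Set[str]] = {}
    for comp in bom.get("components", []):
        index.setdefault(component_key(comp), set()).add(comp.get("version", ""))
    return index


def compare_components(base: dict, target: dict) -> List[ComponentChange]:
    """Classify every component seen in either BOM by its change type."""
    base_idx, target_idx = index_components(base), index_components(target)
    changes = []
    for key in sorted(base_idx.keys() | target_idx.keys()):
        b, t = base_idx.get(key, set()), target_idx.get(key, set())
        kind = ("added" if not b else "removed" if not t
                else "updated" if b != t else "unchanged")
        changes.append(ComponentChange(kind, key, tuple(sorted(b)), tuple(sorted(t))))
    return changes


def vulnerability_ids(bom: dict) -> Set[str]:
    return {v["id"] for v in bom.get("vulnerabilities", []) if "id" in v}


def compare_vulnerabilities(base: dict, target: dict) -> Dict[str, List[str]]:
    """Vulnerability IDs that disappeared (resolved) or appeared (introduced)."""
    b, t = vulnerability_ids(base), vulnerability_ids(target)
    return {"resolved": sorted(b - t), "introduced": sorted(t - b)}


def filter_changes(changes: List[ComponentChange], name: Optional[str] = None,
                   change_type: Optional[str] = None) -> List[ComponentChange]:
    """Search-style filter: substring of the package name and/or exact change type."""
    return [c for c in changes
            if (name is None or name in c.component)
            and (change_type is None or c.change_type == change_type)]


# Constructed sample BOMs: the "previous scan" and the "current scan".
BASE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "bom-ref": "lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2", "bom-ref": "express@4.18.2"},
        {"type": "library", "name": "minimist", "version": "0.0.8", "bom-ref": "minimist@0.0.8"},
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "affects": [{"ref": "lodash@4.17.20"}]},
        {"id": "VULN-EXAMPLE-2", "affects": [{"ref": "minimist@0.0.8"}]},
    ],
})
TARGET_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "bom-ref": "lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2", "bom-ref": "express@4.18.2"},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "bom-ref": "left-pad@1.3.0"},
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-3", "affects": [{"ref": "left-pad@1.3.0"}]},
    ],
})


def sample_changes() -> List[ComponentChange]:
    return compare_components(load_bom(BASE_BOM_JSON), load_bom(TARGET_BOM_JSON))


def sample_vulnerability_diff() -> Dict[str, List[str]]:
    return compare_vulnerabilities(load_bom(BASE_BOM_JSON), load_bom(TARGET_BOM_JSON))


if __name__ == "__main__":
    for change in sample_changes():
        print(f"{change.change_type:9} {change.component:10} "
              f"{','.join(change.base_versions) or '-'} -> {','.join(change.target_versions) or '-'}")
    print(sample_vulnerability_diff())
```

The change types (added, removed, updated, unchanged) are the ones a reviewer wants to filter on after an upgrade: "updated" rows tell you a Quick Fix or manual bump actually landed in the new BOM, and the resolved/introduced vulnerability lists show whether the bump closed the finding without pulling in a newly affected package.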
Troubleshooting
Some platforms (such as macOS) may enforce special permission checks before running an executable file. Make sure you can locate the client you are using and launch it from the command line (running it with --help is enough for a test).
If automatic download or token validation fails, check your internet connection and API URL, check that the local user has permission to write files, check that the API token has permission to access client downloads, and try the Ignore SSL Errors setting in the CodeScoring SCA extension settings to see detailed HTTP requests in the logs.
For Docker installations, ensure Docker is installed and running, and that the user is authenticated with the Docker registry configured in the plugin.
Check the scan report output for detailed error messages. If the results you expected are missing, you may need to modify .codescoring/config.yaml.
Extension logs can be found in VS Code's Output panel: View → Output, then select CodeScoring from the dropdown (or Extension Host if the plugin fails to initialize). For the most detail in the CodeScoring log file, open the CodeScoring extension settings and set Log Level to debug.
License
This project is licensed under the End User License Agreement for CodeScoring IDE Plugin - see the LICENSE.txt file for details.