VSCode CodeShield
27 installs | Free
Fortify your code, save your future

CodeShield - Vulnerability Scanner for VS Code

CodeShield is a lightweight Visual Studio Code extension that scans your code for potential vulnerabilities. It highlights common security issues, helping you write more secure code. The extension's checks are based on the OWASP Top 10 and include fallback checks for common coding pitfalls.


Features

  • Vulnerability Scanning: Detects issues such as:
    • Use of eval() (Code Injection)
    • Hardcoded passwords (Information Exposure)
    • Use of document.write() (Cross-Site Scripting)
    • Use of innerHTML (Cross-Site Scripting)
    • Unvalidated HTTP requests (Security Misconfiguration)
  • OWASP Top 10 Integration: Automatically fetches the latest OWASP Top 10 vulnerability patterns when available.
  • Fallback Checks: Uses a predefined list of common vulnerabilities when fetching OWASP data fails.
  • Detailed Reports: Provides a detailed vulnerability report in the Output panel.

Installation

  1. Download and install CodeShield from the VS Code Marketplace or sideload it into VS Code.
  2. Reload your VS Code editor if prompted.

How to Use

  1. Open any code file in your VS Code editor.
  2. Open the Command Palette (Ctrl+Shift+P or Cmd+Shift+P on Mac).
  3. Run the command: Run CodeShield Scan.
  4. The extension will scan your code and:
    • Display the number of vulnerabilities found.
    • Show a detailed report in the Output panel.

Example

Input Code (vulnerableCode.js):

eval("console.log('This is insecure!')"); // Vulnerable: eval()
const password = "12345"; // Vulnerable: Hardcoded password
document.write("<script>alert('XSS');</script>"); // Vulnerable: XSS
const userInput = "<img src='x' onerror='alert(1)'>";
document.getElementById('output').innerHTML = userInput; // Vulnerable: innerHTML
const http = require('http');
http.get('http://insecure-api.com/data', (res) => console.log(res)); // Vulnerable: HTTP request

Output Report (in the Output panel):

CodeShield Vulnerability Report
--------------------------------
Line 1: [High] Use of eval() detected, which can lead to code injection.
Line 2: [Medium] Potential hardcoded password detected.
Line 3: [High] Use of document.write() detected, which can lead to XSS attacks.
Line 5: [Medium] Use of innerHTML detected, which can lead to XSS vulnerabilities.
Line 7: [High] HTTP request without proper validation detected.

Known Limitations

  1. The OWASP Top 10 data fetch relies on external APIs. If the API is unavailable, the extension falls back to predefined patterns.
  2. Scans are based on regex patterns, so false positives may occur.
  3. Currently supports JavaScript/Node.js code. Additional language support is planned for future updates.
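A sketch of the regex-driven scan that the Example section and Known Limitation 2 describe, added here as an illustration and not taken from the extension's source. The patterns, severities and messages are assumptions chosen to reproduce the sample report, and the second constructed input shows how a pattern with no notion of syntax yields false positives.

```javascript
// Added example (not CodeShield's own source): a minimal line-by-line regex scanner
// modelled on the five fallback checks listed above. The patterns, severities and
// messages are assumptions chosen to reproduce the sample report.
const FALLBACK_PATTERNS = [
  { re: /\beval\s*\(/, severity: "High",
    message: "Use of eval() detected, which can lead to code injection." },
  { re: /\b(?:password|passwd|pwd)\s*[:=]\s*["'][^"']+["']/i, severity: "Medium",
    message: "Potential hardcoded password detected." },
  { re: /\bdocument\.write\s*\(/, severity: "High",
    message: "Use of document.write() detected, which can lead to XSS attacks." },
  { re: /\.innerHTML\s*\+?=/, severity: "Medium",
    message: "Use of innerHTML detected, which can lead to XSS vulnerabilities." },
  { re: /\bhttp\.(?:get|request)\s*\(\s*["']http:\/\//, severity: "High",
    message: "HTTP request without proper validation detected." },
];

// Scan source text line by line; each finding carries the 1-based line number
// that the Output panel report uses to point back into the file.
function scan(source, patterns = FALLBACK_PATTERNS) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const p of patterns) {
      if (p.re.test(text)) findings.push({ line: idx + 1, severity: p.severity, message: p.message });
    }
  });
  return findings;
}

// Render findings in the same layout as the report in the Example section.
function formatReport(findings) {
  const lines = ["CodeShield Vulnerability Report", "-".repeat(32)];
  for (const f of findings) lines.push(`Line ${f.line}: [${f.severity}] ${f.message}`);
  return lines.join("\n");
}
// Constructed sample: the vulnerableCode.js listing from the README, comments stripped.
const SAMPLE = [
  `eval("console.log('This is insecure!')");`,
  `const password = "12345";`,
  `document.write("<script>alert('XSS');</script>");`,
  `const userInput = "<img src='x' onerror='alert(1)'>";`,
  `document.getElementById('output').innerHTML = userInput;`,
  `const http = require('http');`,
  `http.get('http://insecure-api.com/data', (res) => console.log(res));`,
].join("\n");
// Constructed false-positive sample (Known Limitation 2): a comment and a validation
// message both satisfy the password regex, which knows nothing about syntax.
const FALSE_POSITIVE = '// password = "rotate every 90 days"\n' +
  'const errors = { password: "must be at least 12 characters" };';
console.log(formatReport(scan(SAMPLE)));
```

Running it prints the same five report lines as the Example section; scanning FALSE_POSITIVE reports two hardcoded-password findings although neither line contains a secret.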

Troubleshooting

  • No vulnerabilities found, but my code is insecure: Ensure your file is saved and contains vulnerable patterns as defined in the fallback list or OWASP Top 10.
  • Error: "Unable to fetch OWASP Top 10 vulnerabilities": This occurs when the OWASP API is unavailable. The extension will still run fallback checks.

Feedback & Contributions

We welcome your feedback and contributions! Feel free to:

  • Report issues or request features via GitHub Issues.
  • Submit pull requests to improve functionality or add new vulnerability patterns.

License

This project is licensed under the MIT License.
