Custodia — Security & Compliance Autopilot

Custodia LLC | 1 install | Free
OWASP Top 10, SOC 2, HIPAA, PCI DSS scanning with inline findings, AI fix prompts, and compliance gap reports. One click.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Custodia — Security & Compliance Autopilot for VS Code

Scan your codebase for OWASP Top 10 vulnerabilities, get AI-powered fix prompts, and run compliance checks against SOC 2, HIPAA, and PCI DSS — all from your editor.

Features

  • One-click workspace scan — full OWASP Top 10 + dependency CVE analysis
  • Compliance scans — targeted SOC 2 / HIPAA / PCI DSS gap analysis
  • Inline diagnostics — findings appear as warnings/errors in the Problems panel
  • Sidebar findings tree — browse findings grouped by severity (CRITICAL → LOW)
  • AI fix prompts — copy the fix prompt to paste into your AI assistant
  • Rich HTML report — scores, domain breakdown, roadmap, business report
  • Status bar score — always-visible security score badge
  • Scan on save — optional automatic scanning on file save

Quick Start

  1. Install the extension
  2. Run Custodia: Set API Key from the command palette (Ctrl+Shift+P)
  3. Enter your API key (get a free one at custodia.dev/dashboard)
  4. Run Custodia: Scan Workspace

Commands

| Command | Description |
|---|---|
| Custodia: Scan Workspace | Full scan of all workspace files |
| Custodia: Scan This File | Scan a single file (also in right-click menu) |
| Custodia: Compliance Scan | Scan targeting SOC 2, HIPAA, or PCI DSS |
| Custodia: Set API Key | Configure your API key |
| Custodia: Show Last Report | Re-open the HTML report panel |
| Custodia: Copy Fix Prompt | Copy an AI fix prompt to clipboard |

Settings

| Setting | Default | Description |
|---|---|---|
| custodia.apiKey | — | Your API key (sfp_...) |
| custodia.apiUrl | https://custodia.dev | API URL (override for local dev) |
| custodia.scanOnSave | false | Auto-scan files on save |

How It Works

The extension collects your workspace files (skipping binaries, node_modules, styles, etc.) and sends them to the Custodia API. The API runs a 5-stage AI security pipeline:

  1. Triage — classifies files and detects your stack
  2. Domain analysis — 6 security domains (auth, data, secrets, injection, logging, AI)
  3. Compliance mapping — OWASP/CWE/NIST/SOC2 references
  4. Synthesis — weighted score, verdict, roadmap
  5. Business report — executive summary for stakeholders

Results stream back as inline diagnostics, sidebar findings, and a rich HTML report.

Privacy

  • Your code is sent to the Custodia API over HTTPS for analysis
  • .env files are automatically stripped before any AI processing
  • Scan results are cached per-user (same code = free re-scan for 30 days)
  • No code is stored permanently — see custodia.dev/privacy
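The file-collection step described under How It Works and the .env stripping promised under Privacy, as an added TypeScript example that is not the extension's own code: a client-side filter that decides which workspace files may leave the machine before anything is sent to an external API. The skipped-directory list, the stylesheet extensions, the dotenv filename pattern and the NUL-byte binary heuristic are all assumptions; the listing does not publish the extension's real rules, and the sample workspace below is constructed.

```typescript
// Added example, not Custodia's code. Decides which workspace files are
// eligible to be uploaded to a remote scanning API: dotenv files are dropped
// first, then node_modules-style directories, stylesheets and binaries.
// The lists below are assumptions, not the extension's published rules.

interface WorkspaceFile {
  path: string;        // workspace-relative, "/"-separated
  content: Uint8Array; // raw bytes as read from disk
}

interface Decision {
  path: string;
  include: boolean;
  reason: "ok" | "secret-file" | "skipped-dir" | "stylesheet" | "binary";
}

const SKIPPED_DIRS = new Set(["node_modules", ".git", "dist", "build"]); // assumed
const STYLE_EXTENSIONS = new Set([".css", ".scss", ".sass", ".less"]);   // assumed
// Matches .env, .env.local, .env.production and similar dotenv variants.
const SECRET_FILE_PATTERN = /^\.env(\..+)?$/;

function basename(p: string): string {
  return p.split("/").pop() ?? p;
}

function extensionOf(p: string): string {
  const name = basename(p);
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot).toLowerCase() : "";
}

// Cheap binary sniff: a NUL byte in the first 8 KiB is a strong signal
// that the file is not source text worth sending to a code scanner.
function looksBinary(bytes: Uint8Array): boolean {
  const limit = Math.min(bytes.length, 8192);
  for (let i = 0; i < limit; i++) {
    if (bytes[i] === 0) return true;
  }
  return false;
}

// Order matters: secret files are rejected before any other rule so their
// contents are never read into a payload by a later step.
function classify(file: WorkspaceFile): Decision {
  const dirs = file.path.split("/").slice(0, -1);
  if (SECRET_FILE_PATTERN.test(basename(file.path))) {
    return { path: file.path, include: false, reason: "secret-file" };
  }
  if (dirs.some((d) => SKIPPED_DIRS.has(d))) {
    return { path: file.path, include: false, reason: "skipped-dir" };
  }
  if (STYLE_EXTENSIONS.has(extensionOf(file.path))) {
    return { path: file.path, include: false, reason: "stylesheet" };
  }
  if (looksBinary(file.content)) {
    return { path: file.path, include: false, reason: "binary" };
  }
  return { path: file.path, include: true, reason: "ok" };
}

interface UploadPlan {
  payload: { path: string; text: string }[]; // what would leave the machine
  skipped: Decision[];                        // what stays local, and why
}

function bytesToString(bytes: Uint8Array): string {
  return Array.from(bytes, (b) => String.fromCharCode(b)).join("");
}

function collectForUpload(files: WorkspaceFile[]): UploadPlan {
  const plan: UploadPlan = { payload: [], skipped: [] };
  for (const file of files) {
    const decision = classify(file);
    if (decision.include) {
      plan.payload.push({ path: file.path, text: bytesToString(file.content) });
    } else {
      plan.skipped.push(decision);
    }
  }
  return plan;
}

function ascii(text: string): Uint8Array {
  return Uint8Array.from(Array.from(text, (c) => c.charCodeAt(0) & 0xff));
}

// Constructed sample workspace; the secret values are placeholders, not real.
const SAMPLE_FILES: WorkspaceFile[] = [
  { path: "src/app.ts", content: ascii("export const port = 8080;\n") },
  { path: ".env", content: ascii("DB_PASSWORD=placeholder-not-real\n") },
  { path: "config/.env.production", content: ascii("API_TOKEN=placeholder-not-real\n") },
  { path: "node_modules/left-pad/index.js", content: ascii("module.exports = () => {};\n") },
  { path: "src/styles/main.css", content: ascii("body { margin: 0 }\n") },
  { path: "assets/logo.png", content: Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x00, 0x1a]) },
];

const samplePlan = collectForUpload(SAMPLE_FILES);
console.log("would upload:", samplePlan.payload.map((f) => f.path));
console.log("kept local:", samplePlan.skipped.map((d) => `${d.path} (${d.reason})`));
```

The point for a reviewer is what the filter does not cover: a name-based rule catches `.env` and its variants, but a credential sitting in `config.json` or hard-coded in a source file is still part of the payload. Before enabling `custodia.scanOnSave`, it is worth running a collector like this against the workspace and reading the `payload` list, since that is exactly the set of files that would reach the API on every save.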