CyberXYZ Supply Chain Scanner

CyberXYZ

Real-time npm package vulnerability scanning powered by XYZ Security

XYZ Vulnerability Scanner for VSCode

Real-time npm package vulnerability scanning powered by XYZ Security.

Features

  • 🔍 Real-time Scanning: Automatically scans package.json files as you edit
  • 🚨 Inline Warnings: Shows vulnerabilities directly in your code with squiggly lines
  • 📊 Severity Levels: Color-coded warnings (Critical, High, Medium, Low)
  • 💡 Hover Details: Hover over packages to see detailed vulnerability information
  • ⚡ Fast: Cached results for instant feedback
  • 🔒 Exploit Detection: Highlights packages with known exploits

Installation

Prerequisites

  1. XYZ Security API Key: Get your free API key at app.cyberxyz.io

Install Extension

  1. Open VSCode
  2. Go to Extensions (Cmd+Shift+X / Ctrl+Shift+X)
  3. Search for "XYZ Vulnerability Scanner"
  4. Click Install

Quick Start

  1. Configure API Key:

    • Press Cmd+Shift+P and run XYZ: Configure API Key
    • Enter your API key
  2. Open a Project:

    • Open any Node.js project with a package.json file
    • The extension will automatically scan for vulnerabilities
  3. View Results:

    • Vulnerabilities appear as colored underlines in package.json
    • Hover over a package to see detailed information
    • Check the status bar for a summary

Commands

  • XYZ: Scan for Vulnerabilities - Manually trigger a scan
  • XYZ: Configure API Key - Set or update your API key
  • XYZ: Clear Cache - Clear cached scan results

Configuration

Open VSCode Settings (Cmd+,) and search for "XYZ Scanner":

  • API Key: Your XYZ Security API key
  • API URL: Backend API endpoint (default: https://api.cyberxyz.io)
  • Enable Auto Scan: Automatically scan on file changes (default: true)
  • Scan on Save: Scan when package.json is saved (default: true)
  • Show Exploit Info: Display exploit availability (default: true)
  • Min Severity: Minimum severity to display (default: low)

Usage

Viewing Vulnerabilities

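When you open a package.json file, the extension automatically scans all dependencies. The // annotations below illustrate the inline results shown in the editor; they are not part of the file, because package.json must be valid JSON: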

{
  "dependencies": {
    "lodash": "4.17.20",  // ⚠️ 10 vulnerabilities (5 low)
    "axios": "0.21.1",    // 🔴 5 vulnerabilities (2 critical)
    "express": "4.17.1"   // 🟡 3 vulnerabilities (3 medium)
  }
}

Hover for Details

Hover over any package name to see:

  • Number of vulnerabilities
  • Severity breakdown
  • CVE/GHSA IDs
  • Descriptions
  • Fixed versions
  • Exploit availability
  • Reference links

Status Bar

The status bar shows:

  • 🛡️ Shield: Scanner is ready
  • 🔄 Spinning: Scanning in progress
  • ⚠️ Alert: Vulnerabilities found
  • ✅ Check: No vulnerabilities

Severity Levels

Severity | Color  | Icon
Critical | Red    | 🔴
High     | Orange | 🟠
Medium   | Yellow | 🟡
Low      | Green  | 🟢

Performance

  • First Scan: ~6 seconds (queries database)
  • Cached Scans: ~0.6 seconds (instant feedback)
  • Cache Duration: 1 hour

Troubleshooting

"API key not configured"

  • Run XYZ: Configure API Key command
  • Or set it in VSCode settings

"Cannot connect to XYZ API"

  • Check that the API URL in settings is https://api.cyberxyz.io
  • Verify your internet connection

"Rate limit exceeded"

  • Upgrade your plan at xyz-security.com
  • Or wait for the rate limit to reset (1 hour)

No vulnerabilities showing

  • Check the "Min Severity" setting
  • Make sure package.json is valid JSON
  • Try running XYZ: Scan for Vulnerabilities manually

Development

Build from Source

cd vscode-vulnerability-scanner
npm install
npm run compile

Run Extension

  1. Open the project in VSCode
  2. Press F5 to launch Extension Development Host
  3. Open a project with package.json
  4. Test the extension

Package Extension

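# The unscoped vsce package is deprecated; @vscode/vsce is its successor and provides the same vsce command
npm install -g @vscode/vsce
vsce package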

License

Commercial License - CyberXYZ Security

Privacy

The extension only reads package.json files in your open workspace and sends the dependency names and versions to api.cyberxyz.io for vulnerability lookups. It does not read or transmit:

  • Your source code
  • .env files, secrets, or environment variables
  • node_modules/ contents or lockfiles
  • Any file other than package.json

Your API key is stored in VS Code's encrypted globalState (OS keychain on macOS/Windows). It never ships in the extension package. To opt out of all network calls, leave the API key blank or uninstall the extension.

For questions: support@cyberxyz.io (subject: Privacy — VS Code extension).
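
The Privacy statement above says dependency names and versions leave the workspace. As an added example (not the extension's own code), the Node.js snippet below lists those name/version pairs for review and flags entries that can disclose more than a public package version, such as scoped internal names or URL specifiers carrying credentials; the four dependency sections read, the flag names and the sample manifest are assumptions made for the illustration.

```javascript
// Added example (not the extension's code): list the name/version pairs a
// package.json exposes and flag entries worth reviewing before they are sent.
// Assumption: all four dependency sections below are read.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Specifiers that are not plain registry ranges (git, URL, path, GitHub shorthand).
const NON_REGISTRY = /^(git(\+\w+)?:|https?:|file:|link:|workspace:|github:|[\w.-]+\/[\w.-]+(#|$))/i;
// user:password@ userinfo inside a URL specifier.
const URL_CREDENTIALS = /:\/\/[^/\s:@]+:[^/\s@]+@/;

function previewOutbound(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    // Comments or trailing commas make package.json unparseable.
    return { ok: false, error: err.message, entries: [] };
  }
  if (!manifest || typeof manifest !== "object") {
    return { ok: false, error: "manifest is not a JSON object", entries: [] };
  }
  const entries = [];
  for (const section of SECTIONS) {
    const deps = manifest[section];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const flags = [];
      if (name.startsWith("@")) flags.push("scoped-name"); // may reveal an internal package
      if (NON_REGISTRY.test(String(spec))) flags.push("non-registry-spec");
      if (URL_CREDENTIALS.test(String(spec))) flags.push("embedded-credentials");
      entries.push({ section, name, spec: String(spec), flags });
    }
  }
  return { ok: true, entries };
}

// Constructed sample manifest; the internal package, host and token are placeholders.
const SAMPLE = JSON.stringify({
  dependencies: {
    lodash: "4.17.20",
    axios: "0.21.1",
    "@acme-internal/billing-sdk": "2.3.0",
    "legacy-utils": "git+https://ci-bot:EXAMPLE_TOKEN@git.example.com/acme/legacy-utils.git",
  },
  devDependencies: { express: "4.17.1" },
});

for (const e of previewOutbound(SAMPLE).entries) {
  console.log(`${e.section}  ${e.name}@${e.spec}  ${e.flags.join(",") || "-"}`);
}
```

Any entry flagged embedded-credentials is worth moving out of package.json regardless of which scanner reads the file.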

Support

  • Email: support@cyberxyz.io
  • Dashboard: https://app.cyberxyz.io

Changelog

0.1.0 (2026-01-22)

  • Initial release
  • Real-time vulnerability scanning
  • Inline diagnostics
  • Hover tooltips
  • Exploit detection
  • Configurable severity filtering