Overview Version History Q & A Rating & Review
Fray Security Scanner — VS Code Extension
Run Fray WAF/security scans directly from your editor. Scan, test, recon, and OSINT any URL without leaving VS Code.
Features
Scan URL — Crawl + param discovery + payload injection (fray scan)Test URL — Fire payloads against a specific endpoint (fray test)Recon URL — Reconnaissance: tech stack, headers, DNS, certs (fray recon)OSINT Domain — OSINT: whois, emails, GitHub org, typosquatting (fray osint)Leak Search — Search leaked credentials on GitHub + HIBP (fray leak)Right-click — Select a URL in any file and scan it from the context menuAuto-detect — Extracts URLs from the current line or selectionInline diagnostics — Bypass findings appear as warnings/errors in the editorResults sidebar — Browse findings in the Fray activity bar panelScan history — View past scans with timestamps and finding countsStatus bar — Shows scan progress with a spinning indicatorWebhook alerts — Configure Slack/Discord/Teams notifications in settings
Quick Start
Install the extension
Make sure Fray is installed: pip install fray-security
Open the command palette (Cmd+Shift+P) and type Fray
Select a command and enter a target URL
Or: select a URL in any file, right-click, and choose Fray: Scan Selected URL .
Commands
Command
Description
Keybinding
Fray: Run Command...Quick pick menu for all Fray commands
Cmd+Shift+F
Fray: Scan URLFull automated scan
—
Fray: Test Payloads Against URLPayload injection test
—
Fray: Recon URLReconnaissance scan
—
Fray: OSINT DomainOSINT intelligence gathering
—
Fray: Leak SearchCredential leak search
—
Fray: Scan Selected URLScan URL from text selection
Right-click menu
Fray: Stop Running ScanKill active scan
—
Settings
Setting
Default
Description
fray.pythonPathpythonPath to Python interpreter with Fray installed
fray.defaultCategoryxssDefault payload category (xss, sqli, rce, ssrf, etc.)
fray.maxPayloads5Max payloads per injection point
fray.timeout8HTTP request timeout (seconds)
fray.delay0.5Delay between requests (seconds)
fray.autoThrottlefalseAuto-detect rate limits and adjust speed
fray.stealthfalseRandomize User-Agent, add jitter
fray.browserModefalseUse Playwright for JS-heavy SPAs
fray.notifyWebhook""Slack/Discord/Teams webhook URL
fray.showInlineFindingstrueShow findings as editor diagnostics
The Fray Security activity bar icon opens two panels:
Scan Results — Current scan findings grouped by bypasses and blocked payloads. Each finding shows bypass confidence, false positive score, and detailed tooltip.History — Recent scans with timestamps and result counts.
Inline Diagnostics
When a scan completes, bypass findings appear as inline diagnostics:
Error (red) — High-confidence bypass (confidence >= 70%)Warning (yellow) — Medium-confidence bypassInfo (blue) — Likely false positive (FP score > 50%)
Requirements
Fray installed (pip install fray-security)Python 3.8+
Optional: Playwright for --browser mode
Development
cd vscode-fray
npm install
npm run compile
# Press F5 in VS Code to launch Extension Development Host
To package for marketplace:
npm run package
# produces fray-security-0.1.0.vsix
License
MIT — DALI Security
