OWASP IDEVulScanner

DestinJiDee

3,341 installs | (1) | Free
OWASP IDE-VulScanner is an open source IDE plugin that analyzes an application's components. It is built on top of OWASP Dependency-Check and scans your application's components for known vulnerabilities during the implementation phase.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

OWASP IDE-VulScanner

OWASP IDE-VulScanner is an open-source security extension for VS Code designed to shift security left by identifying vulnerabilities during the implementation phase. It combines Software Composition Analysis (SCA), Static Analysis (SAST), and AI-powered remediation to help developers build secure software faster.


Key Features

OWASP IDE VulScan (Unified)

Run both scans with a single click. The unified scan executes SCA and then SAST, so dependency CVEs and source-level flaws land in one result set for the project.

Software Composition Analysis (SCA)

Identify known vulnerabilities (CVEs) in your third-party libraries and dependencies.

  • Powered by: OWASP Dependency-Check.
  • Supports: Java (Maven/Gradle), Node.js (npm/yarn), Python (pip), .NET, PHP (composer), Ruby, and more.
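To show what the SCA output contains once Dependency-Check has run, here is an added example (not part of the extension or of Dependency-Check itself) that triages a report in Dependency-Check's JSON format, ranking each CVE by CVSS score and flagging those at or above a threshold. The report embedded in it is constructed, with placeholder package and CVE identifiers; the field names (dependencies[].fileName, packages[].id, vulnerabilities[].name/severity/cvssv3.baseScore/cvssv2.score) are assumed from the Dependency-Check JSON schema, and the 7.0 threshold is a choice for the example, not a project default.

```python
"""Triage a Dependency-Check JSON report: rank CVEs by CVSS and decide pass/fail.
Added example; the report below is constructed and its CVE ids are placeholders."""
import json

# Constructed sample in the shape of a Dependency-Check JSON report (field names
# assumed from the Dependency-Check schema). "CVE-0000-000x" are not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-web:1.2.3",
            "packages": [{"id": "pkg:npm/example-web@1.2.3"}],
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv3": {"baseScore": 5.3}},
            ],
        },
        {
            "fileName": "example-util:0.9.0",
            "packages": [{"id": "pkg:npm/example-util@0.9.0"}],
            "vulnerabilities": [
                # older entry carrying only a CVSS v2 score
                {"name": "CVE-0000-0003", "severity": "HIGH",
                 "cvssv2": {"score": 7.5}},
            ],
        },
        # a dependency with no findings at all
        {"fileName": "clean-lib:2.0.0", "packages": [{"id": "pkg:npm/clean-lib@2.0.0"}]},
    ]
})


def score_of(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0 (unscored)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def findings(report_json):
    """Flatten the report into (score, cve, package) tuples, highest score first."""
    report = json.loads(report_json)
    rows = []
    for dep in report.get("dependencies", []):
        packages = dep.get("packages") or [{}]
        pkg = packages[0].get("id", dep.get("fileName", "?"))
        for vuln in dep.get("vulnerabilities", []):
            rows.append((score_of(vuln), vuln["name"], pkg))
    return sorted(rows, reverse=True)


def gate(report_json, fail_at=7.0):
    """Return the findings at or above the threshold; an empty list means 'pass'."""
    return [row for row in findings(report_json) if row[0] >= fail_at]


if __name__ == "__main__":
    for score, cve, pkg in findings(SAMPLE_REPORT):
        print(f"{score:4.1f}  {cve:<16} {pkg}")
    blocking = gate(SAMPLE_REPORT)
    print("FAIL" if blocking else "PASS", f"({len(blocking)} finding(s) >= 7.0)")
```

The same shape of check is what a CI gate built on the CLI report would run; in the IDE the Scan Results explorer presents the same per-dependency findings interactively.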

Static Application Security Testing (SAST)

Detect security flaws in your own source code, such as Cross-Site Scripting (XSS), SQL Injection, and Path Traversal.

  • Powered by: Semgrep (Auto-config).
  • Benefit: Scans source files directly as you write them; no build or compile step is required.

AI Security Remediation (AI Fix)

Get instant, context-aware fixes for identified vulnerabilities from a model that runs locally.

  • Local Privacy: Uses Ollama with deepseek-coder on your own machine, so source code is never sent to a remote service. The model weights themselves are fetched once through Ollama; after that, inference runs offline.
  • Interactive Review: A side-by-side diff window lets you review, accept, or reject each AI-suggested patch. Treat a suggestion like any other untested change: confirm it removes the flaw without altering the function's contract before accepting it.
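As an added example (not code from the extension or from its AI Fix), here is what a SAST finding and the patch you would review in the diff window look like for two of the flaw classes named above: a path-traversal sink and a SQL-injection sink, each beside a hardened version. The base directory, the users table and its rows are constructed for the example; the hardened query uses sqlite3 bound parameters, and the path check compares the normalised candidate against the root.

```python
"""Vulnerable/hardened pairs for path traversal and SQL injection (added example)."""
import os
import sqlite3

BASE_DIR = "/srv/app/uploads"   # hypothetical document root, constructed for the example

# --- Path traversal ---------------------------------------------------------

def build_path_vulnerable(user_path):
    """Flaw: a user-controlled segment is joined onto the root unchecked, so
    '../../etc/passwd' escapes BASE_DIR and an absolute path replaces it outright."""
    return os.path.join(BASE_DIR, user_path)


def build_path_hardened(user_path):
    """Fix: normalise the joined path and require it to remain under BASE_DIR.
    (For paths that exist on disk, resolve symlinks with os.path.realpath first.)"""
    root = os.path.normpath(BASE_DIR)
    candidate = os.path.normpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate

# --- SQL injection ----------------------------------------------------------

def make_db():
    """Constructed in-memory table shared by both query variants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """Flaw: the name is interpolated into the SQL text, so a quote closes the
    literal and the rest of the input becomes SQL."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_hardened(conn, name):
    """Fix: a bound parameter; the value reaches the engine separately from the
    statement text and cannot change its structure."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    for p in ["reports/q1.pdf", "../../etc/passwd", "/etc/passwd"]:
        print("vulnerable:", build_path_vulnerable(p))
        try:
            print("hardened:  ", build_path_hardened(p))
        except ValueError as exc:
            print("hardened:   rejected,", exc)
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", find_user_vulnerable(conn, payload))   # every user
    print("hardened lookup:  ", find_user_hardened(conn, payload))     # no match
```

When reviewing an AI-proposed patch for either flaw, the two properties to check are the ones the tests below encode: the traversal inputs are rejected while a legitimate relative path still resolves, and the injected query returns nothing while a plain name still matches.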

Scan Results Explorer

A dedicated side pane in the Activity Bar that organizes all findings by category.

  • Drill-down: Navigate directly to the vulnerable line of code.
  • Status Tracking: Keep an eye on your project's security health as you code.

Video Demo

OWASP IDE-VulScanner Demo


Getting Started

  1. Install the Extension: Search for "OWASP IDEVulScanner" in the VS Code Marketplace.
  2. Automated Setup: On first launch, the extension automatically provisions the required tools (Dependency-Check, Semgrep, and Ollama) under ~/.vulco/bin. These are third-party binaries fetched on your behalf, so inspect that directory after setup if your environment restricts what may run from the home directory.
  3. Run a Scan:
    • Click the Shield Icon in the top-right editor title bar for a Full Scan.
    • Check the Scan Results explorer in the Activity Bar for findings.
  4. Apply AI Fixes:
    • Right-click a vulnerable code snippet and select "OWASP IDE VulScanner AI Fix".

Prerequisites

For the best experience, ensure you have:

  • Python 3 (for Semgrep auto-installation).
  • Homebrew (on macOS, used for Ollama auto-installation).
  • Ollama Desktop (optional but recommended for managing models).

Community & Support

  • Project Homepage: destinjidee.com/owasp-ide-vulscanner
  • Issues: GitHub Issue Tracker
  • License: Apache-2.0