SecureCoder
SecureCoder is an AI-powered security agent that helps you identify and
remediate vulnerabilities in your code. It runs static analysis in the
background to detect issues and leverages AI to help you fix them.
Getting Started
Enabling SecureCoder
SecureCoder can be toggled via the Command Palette:
1. Open the Command Palette (Ctrl+Shift+P or Cmd+Shift+P).
2. Type SecureCoder: Enable.
When enabled, SecureCoder will start scanning files and populate the dashboard.
Features & Usage
1. Security Dashboard
Once enabled, a SecureCoder icon (shield) will appear in the Activity Bar.
Clicking it opens the dashboard, which displays identified issues grouped by
Severity → Type → File.
2. Scanning Code
- Automatic Scans: SecureCoder automatically scans your files on
activation, file save, editor change, and after file edits (debounced).
- Active File Rescan: Use the refresh icon in the Dashboard title bar to
rescan the current file.
- Directory Scan: Right-click a folder in the Explorer sidebar and select
SecureCoder: Scan Directory.
3. Editor Indicators
Vulnerabilities are surfaced directly in the editor:
- Diagnostics: Red squiggles in the code and entries in the VS Code Problems panel.
- Hover Tooltips: Hover over highlighted code to see severity and description.
- CodeLens Actions: Inline links appear above vulnerable lines: ⚠ [Description], Fix with SecureCoder, and Ignore.
4. Fixing Issues with the Agent
From the Dashboard or editor CodeLens:
- Fix with Agent: Click "Fix with SecureCoder" to send the vulnerability to the AI agent for automatic remediation.
- Ask Agent: Use the "Ask Agent" command to interact with the agent about a specific finding.
5. Ignoring Vulnerabilities
If a finding is a false positive or not a priority, you can ignore it from
either the dashboard or the CodeLens:
- Ignore Reasons: You will be prompted to select a reason:
  - False Positive
  - Accepted Risk
  - Not a Priority
  - Other (requires typing a custom reason)
- Smart Tracking: The extension tracks ignored findings based on the line
  text, so they survive refactoring that moves the line around. If the line
  text itself changes (implying a fix or modification), the ignore resets.
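The following is an added illustration of the text-keyed suppression tracking described above; it is not SecureCoder's own code, and the `Finding` fields, the `IgnoreStore` API and the toy `scan()` function are assumptions. A suppression is keyed on the file, the rule and the whitespace-normalised line text rather than the line number, so a finding that merely moves (lines inserted above it, re-indentation) stays ignored, while a finding whose line text changed surfaces again as active.

```python
"""Text-keyed suppression tracking (added example, not SecureCoder's code)."""
from dataclasses import dataclass

IGNORE_REASONS = ("False Positive", "Accepted Risk", "Not a Priority", "Other")


@dataclass(frozen=True)
class Finding:
    file: str
    rule: str
    line: int
    text: str            # the source line the scanner flagged
    severity: str = "HIGH"

    def key(self):
        # Whitespace-insensitive so re-indentation alone does not reset an ignore.
        return (self.file, self.rule, " ".join(self.text.split()))


class IgnoreStore:
    """Workspace-style (in-memory) store of ignored findings; assumed API."""

    def __init__(self):
        self._ignored = {}   # key -> reason text

    def ignore(self, finding, reason, custom=None):
        if reason not in IGNORE_REASONS:
            raise ValueError(f"unknown reason {reason!r}")
        if reason == "Other" and not custom:
            raise ValueError("'Other' requires a custom reason")
        self._ignored[finding.key()] = custom if reason == "Other" else reason

    def unignore(self, finding):
        self._ignored.pop(finding.key(), None)

    def clear(self):
        self._ignored.clear()

    def reason_for(self, finding):
        return self._ignored.get(finding.key())

    def partition(self, findings):
        """Split the results of a fresh scan into (active, ignored) lists."""
        active, ignored = [], []
        for f in findings:
            (ignored if f.key() in self._ignored else active).append(f)
        return active, ignored


def scan(file, source, pattern="eval("):
    """Toy scanner standing in for a real backend: flags lines containing `pattern`."""
    return [Finding(file, "dangerous-eval", n, line)
            for n, line in enumerate(source.splitlines(), start=1)
            if pattern in line]


# Constructed sample source: original, moved/re-indented, and modified.
BEFORE = "import os\nresult = eval(user_input)\nprint(result)\n"
MOVED = "import os\nimport sys\n\n    result = eval(user_input)\nprint(result)\n"
CHANGED = "import os\nresult = eval(sanitized_input)\nprint(result)\n"


def demo():
    """Ignore the finding once, then rescan the moved and the changed file."""
    store = IgnoreStore()
    first = scan("app.py", BEFORE)
    store.ignore(first[0], "Accepted Risk")
    after_move = store.partition(scan("app.py", MOVED))      # still ignored
    after_change = store.partition(scan("app.py", CHANGED))  # ignore resets
    return after_move, after_change


if __name__ == "__main__":
    print(demo())
```

One consequence of keying on line text alone, worth keeping in mind when reviewing suppressions: two identical flagged lines in the same file share one key, so ignoring one of them in this example ignores both. The page does not say how SecureCoder disambiguates such duplicates.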
6. Managing Ignored Findings
- View Ignored: Click the button at the bottom of the dashboard panel to
toggle between Active Issues and Ignored Issues.
- Un-Ignore: Click the eye icon next to an ignored finding to return it to
the active list.
- Clear All: Use the "Clear all" button in the Ignored view to reset all
suppressions.
Configuration
You can customize SecureCoder behavior in your settings:
- securecoder.ignoreMode: Choose between workspace (default; suppressions are
  kept as transient extension state and are not written to your files) or
  comment (adds a suppress comment to the source file, so the suppression and
  its reason travel with the code and show up in version control and code review).
How it Works (Under the Hood)
SecureCoder spawns a local HTTP server on a dynamic port when activated. The AI
agent communicates with this server to trigger scans, report completion, and
manage ignored findings. You may see the agent running curl commands against
http://127.0.0.1:<PORT> in the terminal; these are expected and are how the
agent interacts with the VS Code extension.
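The sketch below is an added example of the loopback control-server pattern described above; it is not SecureCoder's own code, and the `/scan` and `/ignore` endpoints, the JSON shapes and the bearer-token header are assumptions (the page does not document the extension's endpoints or how it authenticates requests). It shows the two properties a practitioner wants from such a server: it binds only to 127.0.0.1 on an OS-assigned ephemeral port, so it is never reachable from the network, and it requires a per-session token so that an arbitrary local process cannot drive scans or clear suppressions just because it can reach localhost. `agent_call` does what the agent's `curl http://127.0.0.1:<PORT>...` amounts to.

```python
"""Loopback control server with a per-session token (added example, not SecureCoder's code)."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class ControlServer:
    """Local HTTP server an agent can call to queue scans and record ignores."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)   # fresh secret per session
        self.scans = []                           # paths the agent asked us to scan
        self.ignored = {}                         # finding id -> reason
        server = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):         # keep the demo quiet
                pass

            def _authorized(self):
                return self.headers.get("Authorization") == f"Bearer {server.token}"

            def _reply(self, status, body):
                data = json.dumps(body).encode()
                self.send_response(status)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)

            def do_POST(self):
                if not self._authorized():
                    return self._reply(401, {"error": "missing or bad token"})
                length = int(self.headers.get("Content-Length", "0"))
                try:
                    payload = json.loads(self.rfile.read(length) or b"{}")
                except ValueError:
                    return self._reply(400, {"error": "invalid JSON"})
                if self.path == "/scan":          # hypothetical endpoint
                    server.scans.append(payload.get("path"))
                    return self._reply(200, {"queued": payload.get("path")})
                if self.path == "/ignore":        # hypothetical endpoint
                    server.ignored[payload.get("id")] = payload.get("reason", "Other")
                    return self._reply(200, {"ignored": payload.get("id")})
                return self._reply(404, {"error": "unknown endpoint"})

        # Port 0 asks the OS for a free ephemeral port; 127.0.0.1 keeps it off the network.
        self._httpd = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self._httpd.server_address[1]
        self._thread = threading.Thread(target=self._httpd.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self.port

    def stop(self):
        self._httpd.shutdown()
        self._httpd.server_close()


def agent_call(port, path, payload, token=None):
    """The agent side: POST JSON to the loopback server; returns (status, body)."""
    req = Request(f"http://127.0.0.1:{port}{path}",
                  data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """One authorised scan, one unauthenticated scan, one ignore; returns the outcomes."""
    server = ControlServer()
    port = server.start()
    try:
        ok = agent_call(port, "/scan", {"path": "src/app.py"}, token=server.token)
        denied = agent_call(port, "/scan", {"path": "src/app.py"})  # no token
        ign = agent_call(port, "/ignore", {"id": "f1", "reason": "False Positive"},
                         token=server.token)
    finally:
        server.stop()
    return ok, denied, ign, server.scans, server.ignored


if __name__ == "__main__":
    print(demo())
```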
Commands
All commands are accessible via the Command Palette
(Ctrl+Shift+P / Cmd+Shift+P).
General
| Command | Description |
|---|---|
| SecureCoder: Enable | Enable the extension and start scanning. |
| SecureCoder: Disable | Disable the extension and stop scanning. |
| SecureCoder: Show Onboarding | Re-open the onboarding walkthrough. |
Scanning
| Command | Description |
|---|---|
| SecureCoder: Re-scan Last Scan Target | Re-run the most recent scan. |
| SecureCoder: Scan Directory | Scan a selected directory for vulnerabilities. |
| SecureCoder: Scan File | Scan a specific file. |
| SecureCoder: Scan Specific Files/Folders... | Choose specific files or folders to scan. |
Configuration
| Command | Description |
|---|---|
| SecureCoder: Change Scanner | Switch between available scanner backends (Semgrep / Wiz). |
| SecureCoder: Select Scanner Mode | Toggle between Quick (fast, intra-file) and Deep (comprehensive, inter-file) scan modes. |
| SecureCoder: Edit SecureCoder Ignore File | Open the ignore file to manage patterns for files and paths excluded from scanning. |
Ignored Vulnerabilities
| Command | Description |
|---|---|
| SecureCoder: Show Ignored Vulnerabilities | View all currently suppressed findings. |
| SecureCoder: Clear All Ignored Vulnerabilities | Remove all suppressions and re-surface the findings. |
Wiz Authentication
| Command | Description |
|---|---|
| SecureCoder: Wiz Authentication | Open the Wiz authentication menu. |
| SecureCoder: Re-authenticate Wiz | Force a fresh Wiz login. |
| SecureCoder: Logout from Wiz | Log out of the Wiz scanner backend. |