A VS Code extension that scans changed files in a repository using GitHub Copilot knowledge, reports security findings, and helps create/update GitLab Merge Requests with the findings.
Features
Automatic scan on commits (auto-scan can be enabled/disabled)
Diff-aware scanning (findings are reported only on changed lines, which guards against hallucinated findings in code the commit did not touch)
Create or update GitLab MRs with scan results
Fix vulnerabilities using GitHub Copilot chat integration
Auto-publish branch and auto-push unpushed commits before MR creation
CRLF line-ending detection and optional normalization before scanning
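As an added illustration of the diff-aware guard listed above (example code written for this README, not the extension's own source), the snippet below parses `git diff` unified output into the set of added line numbers per file and drops every finding that does not land on one of them. The `Finding` shape, the sample diff and the sample model output are all constructed for the example.

```typescript
// Added example (not the extension's own code): a diff-aware guard that keeps
// only the findings a model reports on lines the diff actually added.
// Input format assumed: `git diff` unified output (e.g. `git diff -U0 origin/main...HEAD`).

interface Finding {
  file: string;      // path relative to the repository root (post-image side)
  line: number;      // 1-based line number in the new version of the file
  severity: "critical" | "high" | "medium" | "low";
  message: string;
}

/** Map each changed file (post-image path) to the set of line numbers the diff added. */
function addedLinesByFile(diff: string): Map<string, Set<number>> {
  const result = new Map<string, Set<number>>();
  let current: Set<number> | null = null; // added-line set of the file being parsed
  let inHunk = false;
  let newLine = 0;                         // next line number on the post-image side

  for (const raw of diff.split("\n")) {
    if (raw.startsWith("diff --git ")) { current = null; inHunk = false; continue; }
    if (!inHunk && raw.startsWith("+++ ")) {
      const path = raw.slice(4).trim();
      // "/dev/null" marks a deleted file: nothing on the new side can carry a finding
      current = path === "/dev/null" ? null : new Set<number>();
      if (current) result.set(path.replace(/^b\//, ""), current);
      continue;
    }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = parseInt(hunk[1], 10); inHunk = true; continue; }
    if (!inHunk || current === null) continue;
    if (raw.startsWith("+")) { current.add(newLine); newLine++; }
    else if (raw.startsWith(" ")) { newLine++; }   // context line: exists on both sides
    // "-" lines were removed and have no post-image number; "\ No newline..." is ignored
  }
  return result;
}

/** Drop every finding that does not sit on an added line of the diff. */
function keepFindingsOnChangedLines(findings: Finding[], diff: string): Finding[] {
  const added = addedLinesByFile(diff);
  return findings.filter((f) => added.get(f.file)?.has(f.line) ?? false);
}

// Constructed sample diff: a parameterised query replaces string concatenation in auth.ts.
const SAMPLE_DIFF = [
  "diff --git a/src/auth.ts b/src/auth.ts",
  "index 1111111..2222222 100644",
  "--- a/src/auth.ts",
  "+++ b/src/auth.ts",
  "@@ -10,2 +10,3 @@ function login()",
  " const user = req.body.user;",
  "-const q = `SELECT * FROM users WHERE name = '${user}'`;",
  "+const q = 'SELECT * FROM users WHERE name = ?';",
  "+const rows = db.query(q, [user]);",
  "diff --git a/README.md b/README.md",
  "--- a/README.md",
  "+++ b/README.md",
  "@@ -1 +1,2 @@",
  " # Project",
  "+Docs line",
].join("\n");

// Constructed model output: one finding on an added line, one on an untouched context
// line, one at a line number the diff never touched, and one in a file outside the diff.
const SAMPLE_FINDINGS: Finding[] = [
  { file: "src/auth.ts", line: 11, severity: "medium", message: "Confirm every caller of this query uses the parameter binding" },
  { file: "src/auth.ts", line: 10, severity: "high", message: "Request body field used without validation" },
  { file: "src/auth.ts", line: 40, severity: "critical", message: "Hard-coded credential" },
  { file: "src/legacy.ts", line: 5, severity: "high", message: "eval() on user-controlled input" },
];

function filteredSample(): Finding[] {
  return keepFindingsOnChangedLines(SAMPLE_FINDINGS, SAMPLE_DIFF); // keeps only src/auth.ts:11
}
```

The guard is deliberately strict: the finding on the unchanged context line and the one at line 40 are both discarded, even though the second may be real, because the scan cannot confirm anything the diff does not show. Pre-existing issues belong to a full-repository scan, not to a per-commit MR. Line numbers must be asked from the model on the post-image side, since removed lines have no number to match against.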
Quick Links
Commands (Command Palette):
GitLab Security: Scan Changes and Create MR
GitLab Security: Fix Issues using Copilot
GitLab Security: Set Personal Access Token
GitLab Security: Enable Auto-Scan on All Commits
GitLab Security: Disable Auto-Scan
GitLab Security: Change Copilot Scan Model
Requirements
VS Code (see engines.vscode in package.json)
Git installed and configured
A GitLab instance reachable from your machine and a Personal Access Token with api scope
GitHub Copilot & Copilot Chat available for the fix workflow (optional for scanning)
Installation (developer / local)
Clone the repository: git clone <repo>
Install dev dependencies:
npm install
Build and package (optional):
npm run lint
vsce package
Packaging Troubleshooting
The error "@types/vscode ^1.109.0 greater than engines.vscode >=1.90.0" when running vsce package means that the installed @types/vscode requires a newer VS Code engine than the one declared in package.json.
Quick fixes:
Downgrade @types/vscode to match engines.vscode (example used in this repo): set @types/vscode to ^1.90.0 in package.json and run npm install.
Or bump engines.vscode to a newer minimum VS Code version (if you want to require newer hosts): update engines.vscode in package.json accordingly.
Configuration (settings)
Open VS Code settings and search for gitlabSecurityMr to configure:
gitlabSecurityMr.baseUrl — GitLab base URL (default: https://gitlab.com)
gitlabSecurityMr.autoScanEnabled — Enable auto-scan on commits
gitlabSecurityMr.severityLevels — Which severities to include in the MR
gitlabSecurityMr.createMROnFindings — Create MR automatically when findings exist
Usage
Set your GitLab Personal Access Token (Command: GitLab Security: Set Personal Access Token).
Make some changes and commit.
The extension will auto-scan (if enabled) or you can run GitLab Security: Scan Changes and Create MR.
If the branch is not published, the extension will prompt to publish. If the branch is published but commits are unpushed, the extension will auto-sync unpushed commits before creating the MR.
If vulnerabilities are found, you can open the MR or use Fix Issues using Copilot to open the Copilot Chat panel with a compact prompt for fixes.
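The following is an added example (not the extension's own code) of the "create or update" step described above together with the severityLevels and createMROnFindings settings: findings outside the configured severities are dropped, an already-open MR for the branch is updated in place, and a new MR is created only when relevant findings exist and createMROnFindings is on. The MrClient interface and InMemoryMrClient are constructed stand-ins; a real client would call GitLab's REST API (GET/POST /projects/:id/merge_requests and PUT /projects/:id/merge_requests/:iid) with the Personal Access Token.

```typescript
// Added example, not the extension's own code. The in-memory client stands in for
// the GitLab API so the create-or-update decision can be exercised offline.

type Severity = "critical" | "high" | "medium" | "low";

interface Finding { file: string; line: number; severity: Severity; message: string; }

interface MergeRequest {
  iid: number;            // project-scoped MR number, as returned by GitLab
  source_branch: string;
  target_branch: string;
  title: string;
  description: string;
}

// Minimal client surface; a real implementation would issue the REST calls above.
interface MrClient {
  listOpenMrs(sourceBranch: string): MergeRequest[];
  createMr(mr: Omit<MergeRequest, "iid">): MergeRequest;
  updateMr(iid: number, description: string): MergeRequest;
}

class InMemoryMrClient implements MrClient {
  private mrs: MergeRequest[] = [];
  private nextIid = 1;
  listOpenMrs(sourceBranch: string): MergeRequest[] {
    return this.mrs.filter((m) => m.source_branch === sourceBranch);
  }
  createMr(mr: Omit<MergeRequest, "iid">): MergeRequest {
    const created: MergeRequest = { iid: this.nextIid++, ...mr };
    this.mrs.push(created);
    return created;
  }
  updateMr(iid: number, description: string): MergeRequest {
    const mr = this.mrs.find((m) => m.iid === iid);
    if (!mr) throw new Error(`MR !${iid} not found`);
    mr.description = description;
    return mr;
  }
}

// Mirrors gitlabSecurityMr.severityLevels and gitlabSecurityMr.createMROnFindings.
interface ScanSettings { severityLevels: Severity[]; createMROnFindings: boolean; }

function filterBySeverity(findings: Finding[], allowed: Severity[]): Finding[] {
  const set = new Set<Severity>(allowed);
  return findings.filter((f) => set.has(f.severity));
}

/** Render the MR description as a markdown table keyed by the scanned commit. */
function renderDescription(findings: Finding[], sha: string): string {
  const header = `## Security scan for ${sha}\n\n`;
  if (findings.length === 0) return header + "No findings at the configured severity levels.\n";
  const rows = findings.map((f) => `| ${f.severity} | \`${f.file}:${f.line}\` | ${f.message} |`);
  return header + "| Severity | Location | Finding |\n|---|---|---|\n" + rows.join("\n") + "\n";
}

type PublishResult = { action: "created" | "updated" | "skipped"; mr?: MergeRequest };

/** Create or update the MR for `branch`; idempotent across repeated scans of the same branch. */
function publishFindings(
  client: MrClient, branch: string, target: string, sha: string,
  findings: Finding[], settings: ScanSettings,
): PublishResult {
  const relevant = filterBySeverity(findings, settings.severityLevels);
  const description = renderDescription(relevant, sha);
  const existing = client.listOpenMrs(branch)[0];
  // An open MR is always refreshed, even to "no findings", so stale results never linger.
  if (existing) return { action: "updated", mr: client.updateMr(existing.iid, description) };
  if (relevant.length === 0 || !settings.createMROnFindings) return { action: "skipped" };
  return {
    action: "created",
    mr: client.createMr({ source_branch: branch, target_branch: target, title: `Security findings on ${branch}`, description }),
  };
}

// Constructed sample findings: one at an included severity, one below the threshold.
const SAMPLE_FINDINGS: Finding[] = [
  { file: "src/auth.ts", line: 11, severity: "high", message: "Query built from unvalidated input" },
  { file: "src/util.ts", line: 3, severity: "low", message: "Unused variable" },
];
const SAMPLE_SETTINGS: ScanSettings = { severityLevels: ["critical", "high"], createMROnFindings: true };
```

Updating rather than re-creating keeps one MR per branch, so reviewers see the latest scan instead of a pile of duplicates, and a clean rescan visibly clears the earlier findings.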
CRLF Line Ending Handling
Before scanning, the extension checks changed files for CRLF line endings (which can cause noisy diffs or CI issues).
If CRLF is detected the extension offers:
Normalize to LF (auto-convert uncommitted files and prompt you to stage/commit),
Continue anyway, or
Cancel the scan.
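An added example (not the extension's own code) of the CRLF check and the three choices above. The classification treats a buffer with both CRLF and bare LF as "MIXED", normalization is applied only to uncommitted files, which is the rule stated under Security & Safety, and "cancel" aborts the scan. The ChangedFile shape and the sample files are constructed for the example.

```typescript
// Added example (not the extension's own code): CRLF detection for changed files
// and LF normalization restricted to uncommitted files.

type LineEnding = "LF" | "CRLF" | "MIXED" | "NONE";

/** Classify a text buffer's line endings. A lone "\r" (classic Mac) is not treated as a line ending. */
function detectLineEnding(text: string): LineEnding {
  const crlf = (text.match(/\r\n/g) ?? []).length;
  const bareLf = (text.match(/\n/g) ?? []).length - crlf;
  if (crlf === 0 && bareLf === 0) return "NONE";
  if (crlf > 0 && bareLf > 0) return "MIXED";
  return crlf > 0 ? "CRLF" : "LF";
}

function normalizeToLf(text: string): string {
  return text.replace(/\r\n/g, "\n");
}

interface ChangedFile { path: string; content: string; committed: boolean; }
interface CrlfReport { path: string; ending: LineEnding; normalized: boolean; }

// The three options the extension offers when CRLF is detected.
type CrlfChoice = "normalize" | "continue" | "cancel";

/** True when at least one changed file should trigger the CRLF prompt. */
function needsCrlfPrompt(files: ChangedFile[]): boolean {
  return files.some((f) => {
    const e = detectLineEnding(f.content);
    return e === "CRLF" || e === "MIXED";
  });
}

/**
 * Apply the user's choice. Returns null when the scan is cancelled; otherwise the
 * (possibly normalized) file list plus a per-file report for the output channel.
 */
function handleCrlf(files: ChangedFile[], choice: CrlfChoice): { files: ChangedFile[]; report: CrlfReport[] } | null {
  if (choice === "cancel") return null;
  const report: CrlfReport[] = [];
  const out = files.map((f) => {
    const ending = detectLineEnding(f.content);
    const needsFix = ending === "CRLF" || ending === "MIXED";
    // Committed files are never rewritten automatically; only the working copy is touched.
    const normalize = choice === "normalize" && needsFix && !f.committed;
    report.push({ path: f.path, ending, normalized: normalize });
    return normalize ? { ...f, content: normalizeToLf(f.content) } : f;
  });
  return { files: out, report };
}

// Constructed sample: an uncommitted CRLF file, an uncommitted LF file, and a committed CRLF file.
const SAMPLE_FILES: ChangedFile[] = [
  { path: "src/a.ts", content: "const a = 1;\r\nconst b = 2;\r\n", committed: false },
  { path: "src/b.ts", content: "let x = 1;\nlet y = 2;\n", committed: false },
  { path: "src/c.ts", content: "old\r\nfile\r\n", committed: true },
];
```

Run the detection only on files Git reports as text; binary blobs can contain 0x0D 0x0A byte pairs by accident and must not be rewritten. Normalized files still have to be staged and committed by the user, which is why the extension prompts rather than committing on your behalf.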
Security & Safety
The extension will never modify committed files automatically; CRLF normalization applies only to uncommitted files. Publishing/pushing branches requires Git credentials to be valid.
Troubleshooting
If MR creation fails, check the output channel GitLab Security Scanner for detailed logs and any GitLab API responses.
If vsce package fails with a @types/vscode vs engines.vscode mismatch, see Packaging Troubleshooting above.
Development Notes
Scanning uses the Copilot Chat model selection logic; the extension tries to detect the model you use in Copilot Chat and will prompt you to choose if detection fails.
To change which Copilot model is used for scan requests: run GitLab Security: Change Copilot Scan Model.
Contributing
Open issues or PRs for bugs, feature requests, or improvements.
License
MIT — see the LICENSE file in this repository for the full text.