DepsDiver Assist
A code extension that scans your project dependencies for Foreign Ownership, Control, or Influence (FOCI) using the Hunted Labs DepsDiver API. For more information on DepsDiver and how to get an API token to use this extension, please visit https://huntedlabs.com/depsdiver/.
Features
- Real-time FOCI scanning - Automatically scans dependencies as you type
- Multi-language support - Supports Go, Python, JavaScript/TypeScript, and Maven (pom.xml)
- OpenSSF Scorecard - View security scorecard for flagged repositories
- Sidebar panel - FOCI Concerns panel to view all flagged packages across your workspace
Supported Languages & Files
| Language/Ecosystem | Supported Files | Package Format |
|---|---|---|
| Go | .go files | Go module paths (e.g., github.com/user/repo) |
| Python | .py files | PyPI package names (e.g., requests, numpy) |
| JavaScript/TypeScript | .js, .jsx, .ts, .tsx files | npm package names (e.g., express, react) |
| Maven (Java) | pom.xml files | Maven coordinates (e.g., org.springframework.boot:spring-boot-starter-web) |
Note: For Java/Maven projects, the extension scans pom.xml files to get accurate Maven coordinates. Individual .java files are not scanned as Java import statements don't directly map to Maven package names.
Supported Editors
Configuration
Required
| Setting | Description |
|---|---|
| hlDiver.apiToken | Your Hunted Labs DepsDiver API token |
Optional
| Setting | Default | Description |
|---|---|---|
| hlDiver.apiUrl | https://depsdiver.com/api | The Hunted Labs Threat Intelligence API URL |
| hlDiver.enableRealTimeScanning | true | Enable real-time scanning of dependencies as you type |
| hlDiver.scanOnSave | true | Scan dependencies when a file is saved |
| hlDiver.showInfoForCleanPackages | false | Show informational messages for packages without FOCI concerns |
| hlDiver.highlightSeverity | warning | Severity level for FOCI warnings (error, warning, information, hint) |
| hlDiver.cacheTimeoutMinutes | 60 | How long to cache API results (in minutes) |
| hlDiver.debounceDelayMs | 1000 | Delay before scanning after typing (in milliseconds) |
| hlDiver.fociThresholdPercentage | 50 | FOCI percentage threshold (0-100). Below this is 'Low' risk, above is 'High' risk. After adjusting this setting, run the Diver: Clear All Diagnostics command so that results cached under the old threshold are not reported. |
Commands
Available from Command Palette (Cmd+Shift+P)
| Command | Description |
|---|---|
| Diver: Scan Current File | Scan the active file for FOCI concerns |
| Diver: Scan Workspace | Scan all supported files in the workspace |
| Diver: Clear All Diagnostics | Clear all warnings and the result cache |
When you hover over a dependency with FOCI concerns, you'll see these interactive links:
- View Full Report - Opens the DepsDiver web UI with detailed analysis
- Show all X contributors - Opens a webview showing all contributors with FOCI concerns and their commit stats
- Show OpenSSF Scorecard - View the OpenSSF security scorecard for the package
- Suggest Alternatives - Opens your AI chat with a prompt to find safer alternative packages
Contributor Details
The "Show All Contributors" view displays FOCI-flagged contributors with:
- Commit count - Number of commits to the repository
- Lines of Code (LoC) - Total lines added + deleted
- FOCI details - Countries, emails, locations, and geocoded data
- Sort options - Sort by commits (default), LoC, or name
FOCI Concerns
Lists all packages with FOCI concerns across your workspace.
Quick Fix Actions
Click the lightbulb or press Cmd+. on a flagged import to see these options:
- Suggest alternative packages - Opens your AI chat with a pre-filled prompt asking for safer alternatives to the flagged package
- Suppress warning with // foci:ignore - Adds a comment to ignore this specific import in future FOCI scans
- Replace with alternative - Opens your AI chat with a prompt to help migrate to a specific alternative package
- Remove import - Deletes the import line from your code
Suppressing Warnings
You can suppress FOCI warnings by adding a comment above or on the same line as the import/dependency:
Go:

```go
import (
    // foci:ignore - Reviewed and accepted
    "github.com/some/package"
)
```

Python:

```python
# foci:ignore - Reviewed and accepted
import requests
```

JavaScript/TypeScript:

```javascript
// foci:ignore - Reviewed and accepted
import express from 'express';
```

Maven (pom.xml):

```xml
<dependency>
    <!-- foci:ignore - Reviewed and accepted -->
    <groupId>com.example</groupId>
    <artifactId>some-package</artifactId>
</dependency>
```
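As an added illustration (not the extension's own code), the following TypeScript models the two rules described above: a foci:ignore marker suppresses a finding when it sits on the import line or the line directly above, and hlDiver.fociThresholdPercentage splits FOCI percentages into Low and High. It covers Python and JavaScript/TypeScript imports only; the regexes, the rule that a value equal to the threshold counts as High, and the sample file are assumptions.

```typescript
// Added example: foci:ignore suppression and threshold classification.
// Assumptions: import regexes below, ">= threshold is High", constructed sample.
type Lang = "python" | "javascript";

interface Finding {
  pkg: string;        // package name as the scanner would look it up
  line: number;       // 1-based line of the import statement
  suppressed: boolean;
}

// Captures the top-level package of an absolute import; relative JS imports are skipped.
const IMPORT_RE: Record<Lang, RegExp> = {
  python: /^\s*(?:import|from)\s+([A-Za-z_]\w*)/,
  javascript: /^\s*import\b.*?\bfrom\s+['"]([^'"./][^'"]*)['"]/,
};

// Marker accepted as a Python (#) or JS/TS (//) comment.
const IGNORE_RE = /(?:#|\/\/)\s*foci:ignore\b/;

function findImports(src: string, lang: Lang): Finding[] {
  const lines = src.split(/\r?\n/);
  const out: Finding[] = [];
  lines.forEach((text, i) => {
    const m = IMPORT_RE[lang].exec(text);
    if (!m) return;
    // Suppressed when the marker is on this line or the line directly above it.
    const prev = i > 0 ? lines[i - 1] : "";
    const suppressed = IGNORE_RE.test(text) || IGNORE_RE.test(prev);
    out.push({ pkg: m[1], line: i + 1, suppressed });
  });
  return out;
}

// Mirrors hlDiver.fociThresholdPercentage: below the threshold is Low, otherwise High.
function classifyFoci(percentage: number, threshold = 50): "Low" | "High" {
  if (percentage < 0 || percentage > 100 || threshold < 0 || threshold > 100) {
    throw new RangeError("percentage and threshold must be within 0-100");
  }
  return percentage >= threshold ? "High" : "Low";
}

// Constructed sample file: the second and third imports are suppressed.
const PY_SAMPLE = [
  "import os",
  "# foci:ignore - Reviewed and accepted",
  "import requests",
  "import numpy  # foci:ignore",
].join("\n");
```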
License
This extension is governed by the Hunted Labs DepsDiver Platform Terms and Conditions.
By installing and using this extension, you agree to be bound by the DepsDiver EULA. See the LICENSE file for complete terms and conditions.
Copyright © 2024-2025 Hunted Labs, Inc. All rights reserved.