DepsDiver Assist
A VS Code extension that scans your project dependencies for Foreign Ownership, Control, or Influence (FOCI) using the Hunted Labs DepsDiver API. For more information on DepsDiver, and on how to obtain the API token this extension requires, visit https://huntedlabs.com/deps-diver/.
Feedback
Found a bug or have suggestions? We'd love to hear from you — submit feedback here.
Features
- Real-time FOCI scanning - Automatically scans package manager files as you type
- Multi-ecosystem support - Go, Python, JavaScript/TypeScript, Java (Maven & Gradle), Rust, Ruby, and .NET
- Lock file scanning - Scans lock files for resolved dependency trees in addition to manifest files
- OpenSSF Scorecard - View security scorecard for flagged repositories
- Sidebar panel - FOCI Concerns panel to view all flagged packages across your workspace
Supported Package Manager Files
| Ecosystem | Manifest Files | Lock Files |
|---|---|---|
| Go | `go.mod` | — |
| Python | `requirements.txt`, `requirements_*.txt`, `Pipfile`, `pyproject.toml` | `Pipfile.lock`, `poetry.lock`, `requirements.lock`, `requirements-lock.txt` |
| JavaScript / TypeScript | `package.json` | `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` |
| Java (Maven) | `pom.xml` | — |
| Java (Gradle) | `build.gradle`, `build.gradle.kts` | — |
| Rust | `Cargo.toml` | `Cargo.lock` |
| Ruby | `Gemfile` | `Gemfile.lock` |
| .NET | `.csproj`, `.vbproj`, `.fsproj` | — |
Supported Editors
Configuration
Required
| Setting | Description |
|---|---|
| `hlDiver.apiToken` | Your Hunted Labs DepsDiver API token |

Set the token in your user settings rather than in a workspace `.vscode/settings.json`: workspace settings are commonly committed to version control, which would expose the token to everyone with access to the repository.
Optional
| Setting | Default | Description |
|---|---|---|
| `hlDiver.apiUrl` | `https://depsdiver.com/api` | The Hunted Labs Threat Intelligence API URL |
| `hlDiver.enableRealTimeScanning` | `true` | Enable real-time scanning of dependencies as you type |
| `hlDiver.scanOnSave` | `true` | Scan dependencies when a file is saved |
| `hlDiver.showInfoForCleanPackages` | `false` | Show informational messages for packages without FOCI concerns |
| `hlDiver.highlightSeverity` | `warning` | Severity level for FOCI diagnostics (`error`, `warning`, `information`, `hint`) |
| `hlDiver.cacheTimeoutMinutes` | `60` | How long to cache API results (in minutes) |
| `hlDiver.debounceDelayMs` | `1000` | Delay between the last keystroke and a scan (in milliseconds) |
| `hlDiver.fociThresholdPercentage` | `50` | FOCI percentage threshold (0-100). Packages below this value are rated 'Low' risk, packages above it 'High' risk |

After changing `hlDiver.fociThresholdPercentage`, run the Diver: Clear All Diagnostics command. Scan results are cached for `hlDiver.cacheTimeoutMinutes`, so until the cache is cleared the scanner will keep reporting risk levels computed under the old threshold.
Commands
Available from the Command Palette (Cmd+Shift+P on macOS, Ctrl+Shift+P on Windows and Linux):

| Command | Description |
|---|---|
| Diver: Scan Current File | Scan the active file for FOCI concerns |
| Diver: Scan Workspace | Scan all supported files in the workspace |
| Diver: Clear All Diagnostics | Clear all warnings and the result cache |
When you hover over a dependency with FOCI concerns, you'll see these interactive links:
- View Full Report - Opens the DepsDiver web UI with detailed analysis
- Show all X contributors - Opens a webview showing all contributors with FOCI concerns and their commit stats
- Show OpenSSF Scorecard - View the OpenSSF security scorecard for the package
- Suggest Alternatives - Opens your AI chat with a prompt to find safer alternative packages
Contributor Details
The "Show All Contributors" view displays FOCI-flagged contributors with:
- Commit count - Number of commits to the repository
- Lines of Code (LoC) - Total lines added + deleted
- FOCI details - Countries, emails, locations, and geocoded data
- Sort options - Sort by commits (default), LoC, or name
FOCI Concerns
The FOCI Concerns sidebar panel lists all packages with FOCI concerns across your workspace.
Quick Fix Actions
Click the lightbulb or press Cmd+. (Ctrl+. on Windows and Linux) on a flagged dependency to see these options:
- Suggest alternative packages - Opens your AI chat with a pre-filled prompt asking for safer alternatives to the flagged package
- Suppress warning with `foci:ignore` - Adds a comment that excludes this specific dependency from future FOCI scans
- Replace with alternative - Opens your AI chat with a prompt to help migrate to a specific alternative package
- View FOCI details - Opens the DepsDiver web UI with detailed analysis
Suppressing Warnings
Add a suppress comment on the same line as the dependency or on the line directly above it. The comment syntax follows the file type:

Go (`go.mod`), Gradle (`build.gradle`, `build.gradle.kts`):

```
// foci:ignore
github.com/some/package v1.2.3
```

Python (`requirements.txt`, `Pipfile`, `pyproject.toml`) and Rust (`Cargo.toml`):

```
requests>=2.28.0 # foci:ignore
```

Note that `Cargo.toml` is a TOML file, like `pyproject.toml`: `//` is not a comment in TOML and will make `cargo` reject the manifest, so use the `#` form there.

Ruby (`Gemfile`):

```
# foci:ignore
gem 'rails', '~> 7.0'
```

XML (`pom.xml`) and JSON (`package.json`) manifests do not support suppress comments, since the scanner has no comment syntax to recognize in them.

Lock files are auto-generated and do not support suppress comments either. To suppress a warning that originates from a lock file, add the `foci:ignore` comment to the corresponding entry in the manifest file.
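The following TypeScript is an added illustration of the suppression rules described in this section; it is not DepsDiver Assist's own code. It re-implements the two placements the page allows (trailing comment on the dependency line, or a comment-only line directly above it), the per-file-type comment leader, and the refusal to honour markers in `pom.xml`, `package.json` and lock files. The file-name mapping, the exact matching regexes, and the treatment of `Cargo.toml` as a `#`-commented TOML file are assumptions made for the example. The sample manifests are constructed, not taken from any real project.

```typescript
// Added example, not the extension's source. The file-name mapping and the
// matching rules below are assumptions derived from the README text.

type CommentLeader = "//" | "#";

/** Comment leader in which a `foci:ignore` marker is honoured for this file, or null if none. */
function commentLeader(fileName: string): CommentLeader | null {
  const parts = fileName.split("/");
  const base = parts[parts.length - 1];
  if (base === "go.mod" || base === "build.gradle" || base === "build.gradle.kts") return "//";
  // Assumption: Cargo.toml is TOML, so it takes `#` exactly like pyproject.toml.
  if (base === "Gemfile" || base === "Pipfile" || base === "pyproject.toml" || base === "Cargo.toml") return "#";
  if (/^requirements(_[^/]*)?\.txt$/.test(base)) return "#";
  // pom.xml, package.json and every lock file: no comment syntax to recognise.
  return null;
}

/** True when the line is nothing but a comment carrying the marker. */
function isMarkerOnly(line: string, leader: CommentLeader): boolean {
  return new RegExp(`^\\s*${leader}\\s*foci:ignore\\s*$`).test(line);
}

/** True when a dependency line ends in a marker comment. */
function hasTrailingMarker(line: string, leader: CommentLeader): boolean {
  return new RegExp(`\\S.*${leader}\\s*foci:ignore\\s*$`).test(line);
}

/** 1-based numbers of the dependency lines that are suppressed, in file order. */
function suppressedLines(fileName: string, content: string): number[] {
  const leader = commentLeader(fileName);
  if (leader === null) return [];
  const lines = content.split(/\r?\n/);
  const commentOnly = new RegExp(`^\\s*${leader}`);
  const out: number[] = [];
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    // Blank lines and comment-only lines are not dependencies.
    if (line.trim() === "" || commentOnly.test(line)) continue;
    const markerAbove = i > 0 && isMarkerOnly(lines[i - 1], leader);
    if (markerAbove || hasTrailingMarker(line, leader)) out.push(i + 1);
  }
  return out;
}

// Constructed sample manifests.
const GO_MOD = [
  "module example.com/app",
  "",
  "require (",
  "\t// foci:ignore",
  "\tgithub.com/some/package v1.2.3",
  "\tgithub.com/other/lib v0.9.0",
  ")",
].join("\n");

const REQUIREMENTS = [
  "requests>=2.28.0  # foci:ignore",
  "flask==3.0.0",
  "# foci:ignore",
  "numpy==1.26.4",
].join("\n");

// `//` is not a TOML comment, so this marker is never recognised.
const CARGO_BAD = ["[dependencies]", "// foci:ignore", 'serde = "1.0"'].join("\n");
const CARGO_OK = ["[dependencies]", "# foci:ignore", 'serde = "1.0"'].join("\n");

// JSON has no comments at all, so nothing in package.json can be suppressed.
const PKG_JSON = '{ "dependencies": { "left-pad": "1.3.0" } }';
```

Running `suppressedLines` over the samples flags line 5 of the `go.mod`, lines 1 and 4 of the `requirements.txt`, line 3 of the well-formed `Cargo.toml`, and nothing at all for the `//`-commented `Cargo.toml` or for `package.json`.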
Telemetry
DepsDiver Assist collects anonymous usage data to help improve the extension. This telemetry automatically respects VS Code's telemetry opt-out setting (telemetry.telemetryLevel). No personally identifiable information is ever collected. File paths, package names, and API tokens are never sent.
The following events are tracked:
- Extension activation (configuration flags only, e.g. real-time scanning enabled)
- File scanned (ecosystem type, package count, FOCI count, scan trigger)
- Workspace scanned (file count, total FOCI count)
- Command usage (which command was run)
- API errors (ecosystem type only)
To disable telemetry, set "telemetry.telemetryLevel": "off" in your VS Code settings.
License
This extension is governed by the Hunted Labs DepsDiver Platform Terms and Conditions.
By installing and using this extension, you agree to be bound by the DepsDiver EULA. See the LICENSE file for complete terms and conditions.
Copyright © 2024-2026 Hunted Labs, Inc. All rights reserved.