Insomnia SAST for VS Code

Catch hardcoded secrets & code vulnerabilities before they leave your laptop.
Inline highlights as you type · one-click fixes · a git push gate that blocks leaks — the same engine as your CI pipeline, so there's no rule drift between your machine and the build.

https://marketplace.visualstudio.com/items?itemName=InsomniaSAST.insomnia

Plugin home · SDLC pipeline · Manifest

▶ See it in action

▶ Watch the SDLC overview video · Read the full SDLC walkthrough →

Install

In VS Code (recommended)

Open Extensions (Ctrl/Cmd+Shift+X), search “Insomnia SAST”, and click Install — or grab it from the VS Code Marketplace.

code --install-extension InsomniaSAST.insomnia

On first scan the extension auto-downloads the matching sast engine for your OS and verifies its SHA-256 — nothing else to set up.

Prefer the standalone CLI? (same engine, for CI/CD & the terminal)

Method	Command
pip (any OS, Python 3.8+)	`pip install sast` · `pipx install sast`
Homebrew (macOS/Linux)	`brew tap vulnz/sast && brew install sast`
Windows	`pip install sast` (PowerShell)

Debian / Ubuntu — signed apt repo

curl -sSL https://insom.ai/apt/public-key.asc | sudo gpg --yes --dearmor \
  -o /usr/share/keyrings/insomnia-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/insomnia-archive-keyring.gpg] https://insom.ai/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/insomnia.list
sudo apt-get update && sudo apt-get install -y sast

Single-binary download (Fedora / Arch / Alpine / air-gapped)

curl -sSL https://insom.ai/latest/sast/linux -o /usr/local/bin/sast   # or .../macos
chmod +x /usr/local/bin/sast
sast --version

Then run a scan anywhere:

sast . --fail-on high --format html,json,sarif --report

Other editors

JetBrains (PyCharm / PhpStorm / WebStorm / GoLand / IntelliJ) and Visual Studio 2022 plugins are on the plugin page — same engine, same results.

What it does

🛡️ “Vulnerabilities” sidebar + “All Issues” dashboard — a dedicated activity-bar panel plus a rich dashboard with severity counts, filter chips, search, and group-by (file / severity / rule).
⚡ Live guarding as you work — opening a file instantly highlights risky lines and hardcoded secrets: squiggles, a line highlight, scrollbar markers, and an inline hint above each flagged line (⚠ HIGH: SQL Injection — use parameterized queries) you can click for CWE + the fix.
🔎 Scan anything — a Scan… dropdown picks the scope: current file, open tabs, a folder, the whole project, or changed files (git). Folders also get a right-click Scan This Folder.
🔐 Push protection — one command installs a .git/hooks/pre-push hook that aborts the push (exit 1) when anything at or above your failOn severity is found — even for terminal pushes. Bypass once with git push --no-verify.
✅ Mark false positives — dismiss from the tree, the editor lightbulb, or the dashboard; it won’t return on re-scan, and you can restore anytime.
🌍 Speaks your language — the entire UI is localized into 9 languages (English, Русский, 简体中文, Українська, Türkçe, Қазақша, Español, Deutsch, Français), following your VS Code display language.

One engine, everything covered

Multi-language SAST + taint (16 languages), secrets with live key validation, dependency/SCA CVEs, container & OS-package CVEs, IaC misconfig, CMS advisories, and web-shell detection — exported as SARIF / JSON / HTML. See the full coverage & comparison →

Commands (`Ctrl/Cmd+Shift+P`)

Command	Action
`Insomnia SAST: Scan…`	Pick a scope — file / open tabs / folder / project / changed
`Insomnia SAST: All Issues`	Open the dashboard (filter, search, group, dismiss)
`Insomnia SAST: Scan Current File`	Scan the active editor file (also on the right-click menu)
`Insomnia SAST: Mark as False Positive`	Dismiss a finding so it won't show again
`Insomnia SAST: Restore All False Positives`	Bring back everything you've dismissed
`Insomnia SAST: Pause / Resume Auto-Scan`	Stop / restart automatic scanning of opened & saved files
`Insomnia SAST: Enable Push Protection`	Install the git pre-push hook
`Insomnia SAST: Disable Push Protection`	Remove the hook (only if managed by this extension)
`Insomnia SAST: Preview Push Guard`	Run the gate now, report pass/block
`Insomnia SAST: Download / Update Scanner Binary`	Force a fresh SHA-256-verified engine download
`Insomnia SAST: Clear Findings`	Empty the Problems list

Settings

Two independent axes — what to look for (Mode) and which files to cover (Scope) — and the interactive scan and the push gate each have their own, so you can run a quick secrets-only scan while you work but force a full repo scan before every push.

Setting	Default	Meaning
`insomniaSast.language`	`auto`	UI language: `auto` or `en`/`ru`/`zh-cn`/`uk`/`tr`/`kk`/`es`/`de`/`fr`.
`insomniaSast.binaryPath`	`""`	Path to `sast`/`insomnia-sast(.exe)`. Empty = auto-detect.
`insomniaSast.autoDownloadBinary`	`true`	Download the OS-matched engine from insom.ai (SHA-256 verified) if none is found locally.
`insomniaSast.manifestUrl`	`https://insom.ai/api/plugin/manifest`	Per-OS binary manifest (filenames + SHA-256).
`insomniaSast.downloadBaseUrl`	`https://insom.ai/latest/sast/`	Base URL the binary is fetched from.
`insomniaSast.incrementalCache`	`true`	Hash scanned files and skip unchanged ones on re-scan.
`insomniaSast.failOn`	`high`	Push is blocked at/above this severity.
`insomniaSast.scanMode`	`full`	Interactive: `full` (secrets+vulns+CVEs) or `secrets-only` (fast).
`insomniaSast.scanScope`	`open-tabs`	Interactive: `workspace` / `changed` / `open-tabs`.
`insomniaSast.pushScanMode`	`full`	Push gate: `full` or `secrets-only`.
`insomniaSast.pushScanScope`	`workspace`	Push gate: `workspace` (full code) or `changed` (pushed commits only).
`insomniaSast.scanOnOpen`	`true`	Scan & highlight a file the moment you open it.
`insomniaSast.scanOnSave`	`true`	Re-scan a file on every save.
`insomniaSast.scanOnStartup`	`true`	Scan open tabs once when the window opens.
`insomniaSast.codeLens`	`true`	Inline hint above each flagged line (severity + rule + one-line fix).
`insomniaSast.highlightLines`	`true`	Line background + scrollbar marker on flagged lines.
`insomniaSast.excludeGlobs`	`[]`	Extra globs to skip (`node_modules`, `.git`, `dist`, `vendor` are always skipped).
`insomniaSast.autoScanDebounce`	`400`	Quiet period (ms) after a save/open before auto-scanning.
`insomniaSast.scanTimeoutSeconds`	`180`	Abort a single scan after N seconds (`0` = no timeout).
`insomniaSast.pythonPath`	`python`	Interpreter for the `sast_cli.py` source fallback.
`insomniaSast.cliScriptPath`	`""`	Path to `sast_cli.py` (fallback). Empty = workspace root.

Want to stop continuous scanning? Flip scanOnOpen/scanOnSave off, or click Pause Auto-Scan (sidebar / status bar) to disable all of it at once. After changing pushScanMode / pushScanScope / failOn, re-run Enable Push Protection to regenerate the hook.

How the scanner is located

insomniaSast.binaryPath if set
dist_sast/sast(.exe) in the workspace
A previously auto-downloaded copy (extension global storage)
python sast_cli.py (workspace root or cliScriptPath)
Auto-download the OS-matched build from insom.ai (SHA-256 verified)
sast / insomnia-sast on PATH

insom.ai/en/plugin · insom.ai/en/sdlc
_{Free · same engine as the Insomnia CI pipeline · SHA-256 published in the manifest}

SAST

CQR Cybersecurity. Insomnia SAST.