# Jsmon Code Scanner

Scan your source code for leaked keys, secrets, vulnerabilities, and other security issues directly from VS Code — powered by Jsmon.
## Features

### Scan Files & Folders

Right-click any file or folder in the Explorer to scan it with Jsmon. You can also right-click inside an open editor to scan the current file.

- Single file scan — right-click in the editor or on a file
- Multi-file scan — select multiple files, then right-click
- Folder scan — right-click a folder to scan all files recursively
- Files matching `.jsmonignore` patterns are automatically skipped
### Keys & Secrets Detection

After each scan, the extension automatically checks for leaked keys, secrets, and sensitive data. Results are shown in a dedicated Keys & Secrets panel with:

- Severity-coded findings (Critical, High, Medium, Low)
- Matched patterns, occurrence counts, and module info
- Per-file grouping with click-to-open
### Intelligence Data

Browse extracted intelligence from your scanned files in the Intelligence panel:

| Category | Examples |
|---|---|
| Discovery | URLs, Domains, API Paths, JS URLs |
| Security | Keys, Secrets, JWT Tokens |
| Cloud | S3 Buckets, AWS Assets, CloudFront, Lambda |
| Vulnerabilities | DOM XSS, Open Redirects, SQL Injection, JS Injection |
| GraphQL | Queries, Mutations, Fragments |
| Network | Emails, IP Addresses, Localhost URLs |
| Node Modules | Dependency Confusion candidates |

Each result shows which file it originated from.
### File Decorations

Scanned files are marked in the Explorer:

- 🐞 Red — Critical or high severity detections found
- 🐞 Grey — Medium or low severity detections found
- ✓ Blue — Scanned, no detections

### Persistent State

Scan results, detection data, and file mappings are preserved across VS Code restarts. No need to re-scan after reloading.
## Getting Started

### 1. Get your Jsmon credentials

Sign up at jsmon.sh and grab your API key and workspace ID.

### 2. Configure the extension

Open the command palette (Cmd+Shift+P / Ctrl+Shift+P) and run:

`Jsmon: Open Settings`

Enter your API Key, Workspace ID, and Hostname (defaults to https://api-dev.jsmon.sh).

### 3. Scan your code

- Right-click a file in the Explorer → `Jsmon: Scan Selected Files`
- Right-click a folder → `Jsmon: Scan Folder`
- Right-click in the editor → `Scan with Jsmon`

### 4. View results

- `Jsmon: Show Keys & Secrets` — view detected keys, secrets, and sensitive data
- `Jsmon: Show Intelligence Data` — browse URLs, domains, vulnerabilities, and more
## Commands

| Command | Description |
|---|---|
| `Scan with Jsmon` | Scan the currently open file |
| `Jsmon: Scan Selected Files` | Scan selected files in Explorer |
| `Jsmon: Scan Folder` | Recursively scan a folder |
| `Jsmon: Open Settings` | Configure API key, workspace ID, hostname |
| `Jsmon: Show Keys & Secrets` | Open the Keys & Secrets findings panel |
| `Jsmon: Show Intelligence Data` | Open the Intelligence data panel |
| `Jsmon: Refresh Detection Findings` | Re-check all scanned files for new detections |
## Settings

| Setting | Description | Default |
|---|---|---|
| `jsmon.apiEndpoint` | Jsmon API endpoint URL | https://api-dev.jsmon.sh |
| `jsmon.workspaceId` | Your Jsmon workspace ID | — |
| `jsmon.apiKey` | Your Jsmon API key | — |
## Inline Secret Highlighting

When leaked secrets are detected in a file, the extension highlights them directly in the editor:

- Squiggly underline on the exact leaked value (blue for medium/low, yellow for critical/high)
- Line glow — subtle blue background on the entire line
- Inline hint — italic text after the line: `⚠ JSMon: move to .env`
- Problems panel — all detections appear in VS Code's Problems tab so you can click to jump to them
- Hover tooltip — hover over a highlighted line to see severity, module name, and remediation advice

These highlights persist across tab switches and VS Code restarts.
## .jsmonignore

The extension automatically creates a `.jsmonignore` file in your workspace root when it activates. If it wasn't created automatically (e.g., no workspace folder was open at the time), you can create it manually — just add a file named `.jsmonignore` in the root of your project.

### What does it do?

Any file or folder matching a pattern in `.jsmonignore` will be skipped during JSMon scans. This keeps your scans fast and avoids sending irrelevant files (dependencies, build output, lock files) to the API.

One pattern per line. Lines starting with `#` are comments. Patterns are matched against file names and directory names in the relative path.
### Example .jsmonignore

```text
# Environment files (already contain secrets — no need to scan)
.env
.env.*
.env.local
.env.development
.env.production
.env.staging

# Dependencies
node_modules

# Version control
.git

# Build output
dist
build
out

# Lock files (no secrets in here)
package-lock.json
yarn.lock
pnpm-lock.yaml

# IDE / editor config
.vscode
.idea
```
### How patterns are matched

| Pattern | What it skips |
|---|---|
| `node_modules` | Any file inside a `node_modules` directory |
| `.env` | Any file named exactly `.env` |
| `.env.*` | Any file starting with `.env.` (e.g., `.env.local`, `.env.production`) |
| `dist` | Any file inside a `dist` directory, or a file named `dist` |
| `package-lock.json` | Any file named exactly `package-lock.json` |
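The matching rules in the table above can be checked against your own file list before a scan. The following is an added example, not code from the Jsmon extension: it implements the documented `.jsmonignore` semantics (one pattern per line, `#` comments, each pattern compared against every file and directory name in the relative path, `*` as a wildcard within a name) and splits a constructed list of paths into files that would be scanned and files that would be skipped. The function names, the sample ignore file, and the sample paths are all assumptions made for this example.

```javascript
// Added example: a minimal .jsmonignore matcher following the README's documented rules.
// This is not the extension's own implementation; it assumes the semantics described above.

// Parse the ignore file text: drop blank lines and '#' comments, keep one pattern per line.
function parseIgnoreFile(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0 && !line.startsWith('#'));
}

// Turn a pattern into a regex that must match a whole path segment.
// Every regex metacharacter except '*' is escaped; '*' matches anything within one name.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// A path is ignored if any of its file or directory names matches any pattern.
// This is why 'node_modules' skips everything under that directory and why
// 'dist' skips both a dist/ directory and a file named dist.
function isIgnored(relativePath, patterns) {
  const regexes = patterns.map(patternToRegExp);
  const segments = relativePath.split(/[\\/]+/).filter(Boolean);
  return regexes.some((re) => segments.some((seg) => re.test(seg)));
}

// Split a candidate file list into what would be scanned and what would be skipped,
// plus the skipped count the extension reports in its Output channel.
function partitionScanSet(files, patterns) {
  const scan = [];
  const skipped = [];
  for (const f of files) {
    (isIgnored(f, patterns) ? skipped : scan).push(f);
  }
  return { scan, skipped, skippedCount: skipped.length };
}

// Constructed sample ignore file (subset of the README example).
const SAMPLE_IGNORE = `# Environment files
.env
.env.*

# Dependencies
node_modules

# Build output
dist

# Lock files
package-lock.json
`;

// Constructed sample workspace paths, relative to the workspace root.
const SAMPLE_FILES = [
  'src/app.js',
  'src/config/.env',
  '.env.production',
  'node_modules/lodash/index.js',
  'dist/bundle.js',
  'package-lock.json',
  'public/env.js',
  'scripts/dist',
];

// Run stand-alone: prints the two sets and the skipped count.
const result = partitionScanSet(SAMPLE_FILES, parseIgnoreFile(SAMPLE_IGNORE));
console.log('scan:', result.scan);
console.log('skipped:', result.skipped);
console.log(`skipped ${result.skippedCount} file(s)`);
```

Note that `public/env.js` is scanned: `.env` requires an exact name match and `.env.*` requires the `.env.` prefix, so neither pattern touches it. If a file you expected to be skipped still goes to the API, comparing its path segments against your patterns this way is the quickest way to see which rule is missing.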
### Tips

- If you scan a folder and wonder why some files were skipped, check your `.jsmonignore`
- The extension logs how many files were skipped in each scan (visible in the Output channel)
- You can edit `.jsmonignore` at any time — changes take effect on the next scan
## Requirements

- A Jsmon account with an API key
- VS Code 1.80.0 or later

## License

See LICENSE for details.