Levo Lens
Detect API vulnerabilities directly in your code editor, powered by Levo.ai.
Features
- API Endpoint Detection: Automatically detects API endpoints in your code using built-in LLM
- Vulnerability & Findings Overlays: See security vulnerabilities and findings directly in your editor with gutter icons and hover details
- Workspace Scanning: Scan entire workspaces or specific directories for comprehensive security analysis
- Problems Panel Integration: Vulnerabilities and findings appear in VS Code's Problems panel for easy navigation
- Multi-Framework Support: Works with Express.js, Flask, Django, FastAPI, and Spring Boot
- Smart Caching: Results are cached for fast subsequent scans
Supported Editors
This extension works in:
- VS Code (with GitHub Copilot)
- Cursor
- Windsurf
Prerequisites
LLM Access: This extension requires a built-in Language Model API:
- VS Code: Install GitHub Copilot
- Cursor/Windsurf: Built-in LLM support included
Levo Account: You need a Levo.ai account to fetch vulnerability data
Installation
From VSIX
- Download the .vsix file from the releases page
- Open VS Code/Cursor/Windsurf
- Press Ctrl+Shift+P (or Cmd+Shift+P on macOS)
- Type "Install from VSIX" and select the command
- Choose the downloaded .vsix file
From Source
```bash
git clone https://github.com/levoai/vscode-plugin.git
cd vscode-plugin
npm install
npm run build
npm run package
```
Then install the generated .vsix file as described above.
Getting Started
Set your authentication token:
- Press Ctrl+Shift+P / Cmd+Shift+P
- Run "Levo: Set Authentication Token"
- Paste your Levo refresh token
Scan a file:
- Open a file containing API endpoints (JavaScript, TypeScript, Python, or Java)
- Press Ctrl+Shift+P / Cmd+Shift+P
- Run "Levo: Scan Current File for API Vulnerabilities"
View results:
- Gutter icons indicate severity (red = critical, orange = high, yellow = medium, blue = low)
- Hover over endpoints to see vulnerability and finding details
- Check the Problems panel for a list of all issues
Scan workspace (optional):
- Press Ctrl+Shift+P / Cmd+Shift+P
- Run "Levo: Scan Workspace"
- Choose to scan the entire workspace or a specific directory
- View the summary panel with aggregated results
Commands
| Command | Description |
|---|---|
| Levo: Scan Current File for API Vulnerabilities | Scan the current file for API endpoints and vulnerabilities |
| Levo: Scan Workspace | Scan the entire workspace or a specific directory for API endpoints and vulnerabilities |
| Levo: Clear Vulnerability Overlays | Remove all vulnerability decorations from the current file |
| Levo: Set Authentication Token | Configure your Levo refresh token |
| Levo: Logout | Clear stored authentication tokens |
| Levo: Show Connection Status | View extension status and diagnostics |
Configuration
Configure the extension in VS Code settings (Ctrl+, / Cmd+,):
| Setting | Default | Description |
|---|---|---|
| `levo.apiBaseUrl` | `https://api.levo.ai` | Levo API base URL |
| `levo.autoScanOnOpen` | `true` | Automatically scan files when opened |
| `levo.autoScanOnSave` | `false` | Automatically scan files when saved |
| `levo.cacheTtlSeconds` | `300` | Cache duration for scan results (seconds) |
| `levo.showInProblemsPanel` | `true` | Show vulnerabilities in Problems panel |
| `levo.showGutterIcons` | `true` | Show severity icons in editor gutter |
| `levo.maxFileSizeKb` | `500` | Maximum file size to scan (KB) |
| `levo.organizationId` | `""` | Levo organization ID (optional - will be auto-detected if not set) |
| `levo.environmentName` | `""` | Levo environment name (required for resolving application ID) |
| `levo.applicationName` | `""` | Levo application name (required for resolving application ID) |
| `levo.workspaceScanBatchSize` | `10` | Number of files to scan in parallel during workspace scan |
| `levo.workspaceScanExcludePatterns` | `["**/node_modules/**", ...]` | File patterns to exclude from workspace scan |
| `levo.workspaceScanDirectory` | `""` | Directory to scan (relative to workspace root). Leave empty to scan entire workspace |
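As an added example (not taken from the extension's own documentation), here is a `.vscode/settings.json` that scopes workspace scanning to a single service directory, excludes generated and test-fixture paths, and caps file size. The environment name, application name, scan directory and the exclude patterns other than `**/node_modules/**` are constructed values for illustration; only the setting keys and `**/node_modules/**` come from the table above.

```jsonc
{
  // Levo API base URL (the documented default)
  "levo.apiBaseUrl": "https://api.levo.ai",

  // Both are required so the extension can resolve the application ID
  // (constructed values - use your own environment and application names)
  "levo.environmentName": "staging",
  "levo.applicationName": "orders-service",

  // Scan one service rather than the whole repository; source code is sent
  // to the LLM for endpoint detection, so a narrower scope means less code
  // leaves the machine (constructed path)
  "levo.workspaceScanDirectory": "services/orders",

  // Skip paths that contain no application endpoints
  // (first entry is the documented default; the rest are constructed)
  "levo.workspaceScanExcludePatterns": [
    "**/node_modules/**",
    "**/dist/**",
    "**/build/**",
    "**/fixtures/**",
    "**/*.test.ts"
  ],

  // Fewer parallel files and a smaller size cap keep scans predictable
  // on large repositories (values below the documented defaults of 10 and 500)
  "levo.workspaceScanBatchSize": 5,
  "levo.maxFileSizeKb": 250,

  // Scan on save instead of on open, and keep results for 10 minutes
  "levo.autoScanOnOpen": false,
  "levo.autoScanOnSave": true,
  "levo.cacheTtlSeconds": 600,

  // Keep both presentation surfaces enabled
  "levo.showInProblemsPanel": true,
  "levo.showGutterIcons": true
}
```

Setting `levo.workspaceScanExcludePatterns` replaces the default list rather than extending it, so keep `**/node_modules/**` (or any other default pattern you rely on) in your own list. If `levo.workspaceScanDirectory` points at a path that does not exist, the workspace scan fails; see Workspace Scan Issues under Troubleshooting.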
Severity Levels
| Icon | Severity | Problems Panel |
|---|---|---|
| Red | CRITICAL | Error |
| Orange | HIGH | Error |
| Yellow | MEDIUM | Warning |
| Blue | LOW | Information |
| Gray | INFO | Information |
Supported Frameworks
The extension detects API endpoints from:
- JavaScript/TypeScript/JSX/TSX: Express.js
- Python: Flask, Django, FastAPI
- Java: Spring Boot
Vulnerabilities vs Findings
The extension displays two types of security information:
- Vulnerabilities: Confirmed security issues with severity levels (CRITICAL, HIGH, MEDIUM, LOW, INFO)
- Findings: Security observations and recommendations with risk scores (0-10), including rule-based checks and CWE mappings
Both are displayed in the editor with appropriate icons and can be viewed in detail via hover tooltips or the Problems panel.
Troubleshooting
LLM Not Available
If you see an "LLM not available" message:
- VS Code: Ensure GitHub Copilot is installed and you're signed in
- Cursor/Windsurf: The LLM should be available by default
Authentication Failed
If authentication fails:
- Go to Levo Dashboard
- Generate a new refresh token
- Run "Levo: Set Authentication Token" to update
No Endpoints Detected
- Ensure the file contains actual API endpoint definitions
- Check that the file language is JavaScript, TypeScript, JSX, TSX, Python, or Java
- Try reducing file size if it exceeds the limit
Workspace Scan Issues
- Ensure you have a workspace folder open
- Check that the scan directory path (if configured) exists and is valid
- Review excluded patterns in settings if files are being skipped unexpectedly
- Workspace scans require authentication to fetch vulnerability data
View Logs
- Run "Levo: Show Connection Status"
- Select "Show Logs" to open the output channel
Privacy & Security
- Your refresh token is stored securely in VS Code's encrypted SecretStorage
- Access tokens are kept in memory only and never persisted
- Source code is sent to the LLM for endpoint detection (the same as for code completion)
- Only endpoint paths and methods are sent to Levo API
- Workspace scans can be limited to specific directories for privacy
Support
License
MIT License - see LICENSE for details.
Made with love by Levo.ai