Levo Lens
Detect API vulnerabilities directly in your code editor, powered by Levo.ai.
Features
- API Endpoint Detection: Automatically detects API endpoints in your code using the editor's built-in LLM
- Vulnerability Overlays: See security vulnerabilities directly in your editor with gutter icons and hover details
- Problems Panel Integration: Vulnerabilities appear in VS Code's Problems panel for easy navigation
- Multi-Framework Support: Works with Express.js, Flask, Django, FastAPI, and Spring Boot
- Smart Caching: Results are cached for fast subsequent scans
Supported Editors
This extension works in:
- VS Code (with GitHub Copilot)
- Cursor
- Windsurf
Prerequisites
LLM Access: This extension requires a built-in Language Model API:
- VS Code: Install GitHub Copilot
- Cursor/Windsurf: Built-in LLM support included
Levo Account: You need a Levo.ai account to fetch vulnerability data
Installation
From VSIX
- Download the .vsix file from the releases page
- Open VS Code/Cursor/Windsurf
- Press Ctrl+Shift+P (or Cmd+Shift+P on macOS)
- Type "Install from VSIX" and select the command
- Choose the downloaded .vsix file
From Source
git clone https://github.com/levoai/vscode-extension.git
cd vscode-extension
npm install
npm run build
npm run package
Then install the generated .vsix file as described above.
Getting Started
Set your authentication token:
- Press Ctrl+Shift+P / Cmd+Shift+P
- Run "Levo: Set Authentication Token"
- Paste your Levo refresh token
Scan a file:
- Open a file containing API endpoints (JavaScript, TypeScript, Python, or Java)
- Press Ctrl+Shift+P / Cmd+Shift+P
- Run "Levo: Scan Current File for API Vulnerabilities"
View results:
- Gutter icons indicate severity (red = critical, orange = high, yellow = medium, blue = low)
- Hover over endpoints to see vulnerability details
- Check the Problems panel for a list of all issues
Commands
| Command | Description |
| --- | --- |
| Levo: Scan Current File for API Vulnerabilities | Scan the current file for API endpoints and vulnerabilities |
| Levo: Clear Vulnerability Overlays | Remove all vulnerability decorations from the current file |
| Levo: Set Authentication Token | Configure your Levo refresh token |
| Levo: Logout | Clear stored authentication tokens |
| Levo: Show Connection Status | View extension status and diagnostics |
Configuration
Configure the extension in VS Code settings (Ctrl+, / Cmd+,):
| Setting | Default | Description |
| --- | --- | --- |
| levo.apiBaseUrl | https://api.levo.ai | Levo API base URL |
| levo.autoScanOnOpen | true | Automatically scan files when opened |
| levo.autoScanOnSave | false | Automatically scan files when saved |
| levo.cacheTtlSeconds | 300 | Cache duration for scan results (seconds) |
| levo.showInProblemsPanel | true | Show vulnerabilities in Problems panel |
| levo.showGutterIcons | true | Show severity icons in editor gutter |
| levo.maxFileSizeKb | 500 | Maximum file size to scan (KB) |
Severity Levels
| Icon | Severity | Problems Panel |
| --- | --- | --- |
| Red | CRITICAL | Error |
| Orange | HIGH | Error |
| Yellow | MEDIUM | Warning |
| Blue | LOW | Information |
| Gray | INFO | Information |
Supported Frameworks
The extension detects API endpoints from:
- JavaScript/TypeScript: Express.js
- Python: Flask, Django, FastAPI
- Java: Spring Boot
Troubleshooting
LLM Not Available
If you see the "LLM not available" message:
- VS Code: Ensure GitHub Copilot is installed and you're signed in
- Cursor/Windsurf: The LLM should be available by default
Authentication Failed
If authentication fails:
- Go to Levo Dashboard
- Generate a new refresh token
- Run "Levo: Set Authentication Token" to update
No Endpoints Detected
- Ensure the file contains actual API endpoint definitions
- Check that the file language is JavaScript, TypeScript, Python, or Java
- Try reducing file size if it exceeds the limit
View Logs
- Run "Levo: Show Connection Status"
- Select "Show Logs" to open the output channel
Privacy & Security
- Your refresh token is stored securely in VS Code's encrypted SecretStorage
- Access tokens are kept in memory only and never persisted
- Source code is sent to the LLM for endpoint detection (same as code completion)
- Only endpoint paths and methods are sent to Levo API
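A settings.json that limits when source code leaves the editor, as an added example that is not from the Levo project. It uses only the setting names and defaults listed under Configuration; the chosen values are an assumption about a workspace where scans should run only on demand.

```jsonc
// settings.json (user settings). Constructed example; values are illustrative.
{
  // Default is true: files are scanned as soon as they are opened.
  // Turned off here so that scans, which send source code to the LLM for
  // endpoint detection, run only when
  // "Levo: Scan Current File for API Vulnerabilities" is invoked.
  "levo.autoScanOnOpen": false,

  // Already false by default; stated explicitly so saving a file never
  // triggers a scan either.
  "levo.autoScanOnSave": false,

  // Default endpoint from the Configuration table, written out so that a
  // changed value stands out when the settings file is reviewed.
  "levo.apiBaseUrl": "https://api.levo.ai",

  // Remaining settings left at their documented defaults.
  "levo.maxFileSizeKb": 500,
  "levo.cacheTtlSeconds": 300,
  "levo.showInProblemsPanel": true,
  "levo.showGutterIcons": true
}
```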
Support
License
MIT License - see LICENSE for details.
Made with love by Levo.ai