Overview
CyberAudit brings vulnerability auditing into the editor workflow, eliminating context switching to external CLI tools.
When a supported lockfile is active, you can run a full dependency security analysis with one command and inspect results in a dedicated webview.
The extension analyzes unique package@version entries, queries the public OSV.dev database in batches with timeout/retry controls, and returns actionable results with direct references (CVE, GHSA, OSV).
Key Features
- Native security audit experience inside VS Code.
- Support for package-lock.json (v1, v2, v3).
- Support for yarn.lock (Classic v1 and Berry v2+).
- Support for pnpm-lock.yaml.
- Dependency deduplication by name@version for faster scans.
- Batch querying against https://api.osv.dev/v1/querybatch.
- Live progress with cancel support.
- Retry and timeout protection for network failures.
- Quick filtering between all packages and vulnerable-only results.
- Search by package name in the audit table.
- Persistent last report with reopen support.
- JSON export for the latest audit report.
Supported Lockfiles
| Ecosystem | File | Versions |
|-----------|------|----------|
| npm | package-lock.json | v1, v2, v3 |
| Yarn | yarn.lock | Classic v1, Berry v2+ |
| pnpm | pnpm-lock.yaml | modern lockfile formats |
How It Works
- Open a supported lockfile (or run workspace/specific lockfile commands).
- Run one of the CyberAudit commands.
- CyberAudit parses and normalizes dependencies.
- Unique dependencies are sent to OSV.dev in batches.
- Results are rendered in the CyberAudit Auditor panel.
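The pipeline described above, written out as an added example (this is not CyberAudit's own code): parse a package-lock.json (v1 "dependencies" tree or v2/v3 "packages" map), deduplicate entries by name@version, split them into OSV querybatch request bodies sized by a batch setting, and map the per-query results back onto the packages. The request and response shapes follow the public OSV API (POST https://api.osv.dev/v1/querybatch); the lockfile contents, package names, versions and advisory identifiers below are constructed sample data, and the function names are this example's own.

```typescript
// Added example, not CyberAudit's own code. Lockfile -> unique deps ->
// querybatch bodies -> merged audit rows. All sample data is constructed.

interface LockV1Entry {
  version?: string;
  dependencies?: Record<string, LockV1Entry>;
}

interface PackageLock {
  lockfileVersion?: number;
  packages?: Record<string, { version?: string }>; // v2 / v3 flat map
  dependencies?: Record<string, LockV1Entry>;      // v1 nested tree
}

interface Dep { name: string; version: string; }
interface OsvQuery { package: { name: string; ecosystem: string }; version: string; }
interface OsvBatchRequest { queries: OsvQuery[]; }
interface OsvBatchResponse { results: { vulns?: { id: string }[] }[]; }
interface AuditRow extends Dep { vulnerable: boolean; references: string[]; }

// v2/v3 keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/@scope/bar"; the package name is everything
// after the last "node_modules/". The root project entry ("") has no prefix.
function nameFromLockKey(key: string): string | null {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Collect unique name@version pairs; nested copies of the same version
// (hoisting duplicates) collapse into a single query.
function collectUniqueDeps(lock: PackageLock): Dep[] {
  const seen = new Set<string>();
  const out: Dep[] = [];
  const add = (name: string, version: string | undefined): void => {
    if (!version) return;
    const key = name + "@" + version;
    if (seen.has(key)) return;
    seen.add(key);
    out.push({ name, version });
  };
  const pkgs = lock.packages;
  if (pkgs) {
    for (const key of Object.keys(pkgs)) {
      const name = nameFromLockKey(key);
      if (name !== null) add(name, pkgs[key].version);
    }
  } else if (lock.dependencies) {
    const walk = (tree: Record<string, LockV1Entry>): void => {
      for (const name of Object.keys(tree)) {
        const entry = tree[name];
        add(name, entry.version);
        if (entry.dependencies) walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Split into request bodies of at most batchSize queries (the role of the
// cyberaudit.batchSize setting). Ecosystem is "npm" for all three lockfiles.
function buildQueryBatches(deps: Dep[], batchSize: number): OsvBatchRequest[] {
  const batches: OsvBatchRequest[] = [];
  for (let i = 0; i < deps.length; i += batchSize) {
    const queries = deps.slice(i, i + batchSize).map((d): OsvQuery => ({
      package: { name: d.name, ecosystem: "npm" },
      version: d.version,
    }));
    batches.push({ queries });
  }
  return batches;
}

// querybatch returns one result per query, in query order; a package with no
// known advisories comes back as {} (no "vulns" key). A count mismatch means
// the responses do not line up with the queries and must not be trusted.
function mergeBatchResults(deps: Dep[], responses: OsvBatchResponse[]): AuditRow[] {
  const ids: string[][] = [];
  for (const r of responses) {
    for (const entry of r.results) ids.push((entry.vulns || []).map(v => v.id));
  }
  if (ids.length !== deps.length) {
    throw new Error(`expected ${deps.length} results, got ${ids.length}`);
  }
  return deps.map((d, i) => ({ ...d, vulnerable: ids[i].length > 0, references: ids[i] }));
}

// Constructed v3 lockfile: three unique packages, one duplicated by nesting.
const SAMPLE_LOCK: PackageLock = {
  lockfileVersion: 3,
  packages: {
    "": { version: "1.0.0" },                                     // root, skipped
    "node_modules/alpha": { version: "1.4.0" },
    "node_modules/beta": { version: "2.0.1" },
    "node_modules/alpha/node_modules/beta": { version: "2.0.1" }, // duplicate
    "node_modules/@acme/gamma": { version: "0.9.2" },
  },
};

function runSampleAudit(batchSize: number): { batches: OsvBatchRequest[]; rows: AuditRow[] } {
  const deps = collectUniqueDeps(SAMPLE_LOCK);
  const batches = buildQueryBatches(deps, batchSize);
  // Constructed replies, one result per unique dep; the ids are placeholders.
  const replies: OsvBatchResponse[] = [
    { results: [{ vulns: [{ id: "GHSA-xxxx-xxxx-xxxx" }, { id: "CVE-0000-00000" }] }, {}] },
    { results: [{}] },
  ];
  return { batches, rows: mergeBatchResults(deps, replies) };
}
```

Deduplicating before batching is what keeps the query count bounded by unique versions rather than by the size of the dependency tree, and checking that the result count matches the query count guards against silently mis-attributing advisories if a batch is truncated.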
Commands
CyberAudit: Audit Vulnerabilities (CyberAudit)
Audits the currently active lockfile.
CyberAudit: Audit Workspace Lockfiles (CyberAudit)
Finds and audits all supported lockfiles in the workspace.
CyberAudit: Audit Selected Lockfile (CyberAudit)
Lets you pick one supported lockfile to audit.
CyberAudit: Reopen Last Audit Report (CyberAudit)
Reopens the last persisted report without re-querying.
CyberAudit: Export Last Audit as JSON (CyberAudit)
Exports the latest report to a JSON file.
Settings
Configure in VS Code settings under CyberAudit:
cyberaudit.batchSize
Number of package queries per OSV request.
cyberaudit.requestTimeoutMs
Timeout for each OSV request.
cyberaudit.maxRetries
Number of retries when a request fails.
cyberaudit.autoOpenVulnerableOnly
Opens the report with the vulnerable-only filter already enabled.
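The timeout and retry protection listed under Key Features and controlled by the cyberaudit.requestTimeoutMs / cyberaudit.maxRetries settings, as an added example (not CyberAudit's own code). The HTTP transport is injected so the sample runs offline against constructed fake transports; in a real extension it would wrap fetch() against https://api.osv.dev/v1/querybatch. The retry policy, option names other than the two settings, and the function names are this example's own assumptions.

```typescript
// Added example, not CyberAudit's own code: timeout + bounded retry around a
// querybatch call. Transports below are constructed fakes for offline use.

interface HttpResponse { ok: boolean; status: number; body: string; }
type Transport = (body: string, signal: AbortSignal) => Promise<HttpResponse>;

interface RetryOptions {
  requestTimeoutMs: number; // mirrors cyberaudit.requestTimeoutMs
  maxRetries: number;       // mirrors cyberaudit.maxRetries
  baseDelayMs?: number;     // assumed backoff base (not a CyberAudit setting)
}

class TimeoutError extends Error {
  constructor(ms: number) {
    super(`OSV request timed out after ${ms} ms`);
    this.name = "TimeoutError";
  }
}

// 429 and 5xx are transient; any other 4xx means the request itself is wrong
// and resending it will not help, so it is surfaced immediately.
function isRetryableStatus(status: number): boolean {
  return status === 429 || (status >= 500 && status <= 599);
}

// Exponential backoff without jitter, so the schedule is reproducible.
function backoffMs(attempt: number, baseDelayMs: number): number {
  return baseDelayMs * Math.pow(2, attempt);
}

function sleep(ms: number): Promise<void> {
  return new Promise(resolve => setTimeout(resolve, ms));
}

// Race the transport against a timer. On timeout we reject first (so the
// caller sees a TimeoutError) and then abort the in-flight request so a hung
// connection does not outlive the attempt.
async function withTimeout(transport: Transport, body: string, ms: number): Promise<HttpResponse> {
  const ac = new AbortController();
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => { reject(new TimeoutError(ms)); ac.abort(); }, ms);
  });
  try {
    return await Promise.race([transport(body, ac.signal), timeout]);
  } finally {
    if (timer !== undefined) clearTimeout(timer);
  }
}

async function queryWithRetry(
  transport: Transport, body: string, opts: RetryOptions,
): Promise<{ response: HttpResponse; attempts: number }> {
  const baseDelay = opts.baseDelayMs ?? 250;
  let lastError: Error = new Error("no attempts made");
  for (let attempt = 0; attempt <= opts.maxRetries; attempt++) {
    let response: HttpResponse | undefined;
    try {
      response = await withTimeout(transport, body, opts.requestTimeoutMs);
    } catch (err) {
      // Timeouts and network errors are retried up to maxRetries.
      lastError = err instanceof Error ? err : new Error(String(err));
    }
    if (response) {
      if (response.ok) return { response, attempts: attempt + 1 };
      if (!isRetryableStatus(response.status)) {
        throw new Error(`OSV request rejected with HTTP ${response.status}; not retrying`);
      }
      lastError = new Error(`OSV request failed with HTTP ${response.status}`);
    }
    if (attempt < opts.maxRetries) await sleep(backoffMs(attempt, baseDelay));
  }
  throw lastError;
}

// Constructed transport: answers 503 for the first `failures` calls, then 200.
function flakyTransport(failures: number): Transport {
  let calls = 0;
  return async () => {
    calls++;
    return calls <= failures
      ? { ok: false, status: 503, body: "" }
      : { ok: true, status: 200, body: '{"results":[{}]}' };
  };
}

// Constructed transport that never answers unless aborted (hung connection).
const hangingTransport: Transport = (_body, signal) =>
  new Promise<HttpResponse>((_, reject) => {
    signal.addEventListener("abort", () => reject(new Error("aborted")));
  });

async function demo(): Promise<{ flakyAttempts: number; gaveUpOn400: boolean; timedOut: boolean }> {
  const opts: RetryOptions = { requestTimeoutMs: 100, maxRetries: 3, baseDelayMs: 1 };
  const ok = await queryWithRetry(flakyTransport(2), "{}", opts);
  const bad: Transport = async () => ({ ok: false, status: 400, body: "" });
  let gaveUpOn400 = false;
  try { await queryWithRetry(bad, "{}", opts); } catch (e) { gaveUpOn400 = true; }
  let timedOut = false;
  try {
    await queryWithRetry(hangingTransport, "{}", { requestTimeoutMs: 20, maxRetries: 1, baseDelayMs: 1 });
  } catch (e) { timedOut = e instanceof TimeoutError; }
  return { flakyAttempts: ok.attempts, gaveUpOn400, timedOut };
}
```

The point of separating "retryable" from "rejected" responses is that a bounded retry budget only protects against transient failures; replaying a malformed request (4xx) just burns the budget and delays the error the user needs to see.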
Audit Dashboard
The webview is optimized for fast triage:
- Real-time progress bar.
- Cancelable execution via VS Code progress notification.
- Summary cards: Total, Vulnerable, Safe.
- Table with package, version, status, and references.
- Fast filter for vulnerable packages only.
- Package name search input.
- Metadata display (target file, duration, timestamp).
Privacy
CyberAudit only sends the minimum required metadata for vulnerability lookup:
- Package name
- Package version
No source code, project files, or workspace-sensitive content is transmitted.
Distribution
CyberAudit is maintained as a private extension for internal use.
Distribution, versioning, and access control are managed in a restricted environment.
Development
Requirements
- Node.js (LTS recommended)
- VS Code ^1.90.0
Local Setup
npm install
npm run compile
Run Tests
npm test
Package Extension
npm run package
Roadmap
- Severity classification and scoring in UI.
- Auto re-scan on lockfile changes.
- Optional SARIF/CSV export.
- Improved monorepo grouping and report comparison.
Repository
- Private source repository and internal issue tracking.
License
This project is licensed under the MIT License. See LICENSE for details.