Enterprise-grade non-AI static application security testing. Detects SQL Injection, XSS, Command Injection, Path Traversal, SSRF, hardcoded secrets, and more, in real time as you code.
Deterministic, Real-Time Static Application Security Testing (SAST) for VS Code.
CodeRisk provides a non-AI security analysis engine that detects high-impact vulnerabilities such as SQL Injection, XSS, and Command Injection as you code. Unlike AI-based scanners, CodeRisk is fully deterministic (the same code always yields the same findings), sends no telemetry, and runs entirely on your machine.
🚀 Key Features
📊 Security Dashboard
A professional, rich UI dashboard to manage your repository's security posture:
Security Score Gauge: Instant visualization of your project's risk level.
File Risk Heatmap: Identify which files contain the most critical issues.
Filterable & Sortable Findings: Filter by Severity, CWE, or Taint Flow status.
Detailed Vulnerability Views: View the full source-to-sink taint flow for injection-style findings, where untrusted input reaches a dangerous sink.
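To make concrete what the "source-to-sink taint flow" and CWE mapping above refer to (and the injection classes listed in the introduction), here is a deliberately small, deterministic taint analysis over Python ASTs. This is an added illustration written for this page; it is not CodeRisk's engine or rule pack. The SOURCES and SINKS tables, the rule names, the sample input, and the single-function scope are all assumptions chosen for the demo.

```python
"""
Toy deterministic source-to-sink taint analysis over a Python AST.

Added example, not CodeRisk's code.  Sources, sinks, rule ids and severities
below are assumed for the demo; a real SAST rule pack is far larger and also
models sanitizers, function parameters and calls across functions.
"""
import ast

# Call targets / attributes treated as untrusted input (assumed for the demo).
SOURCES = {"request.args.get", "request.form.get", "input", "sys.argv"}

# Dangerous sinks: callee -> (rule id, CWE, severity, index of the sensitive
# argument).  Only that argument is a sink: for cursor.execute the query string
# is dangerous, while bound parameters in the second argument are safe.
SINKS = {
    "cursor.execute":  ("sql-injection",     "CWE-89", "high", 0),
    "os.system":       ("command-injection", "CWE-78", "high", 0),
    "subprocess.call": ("command-injection", "CWE-78", "high", 0),
    "open":            ("path-traversal",    "CWE-22", "medium", 0),
}


def dotted(node):
    """Render a Name / Attribute chain such as `request.args.get` as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}    # variable name -> line where its taint originated
        self.findings = []

    def _origin(self, node):
        """Line where taint reaching `node` was introduced, or None if clean."""
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return self.tainted[sub.id]
            if isinstance(sub, ast.Call) and dotted(sub.func) in SOURCES:
                return sub.lineno
            if isinstance(sub, ast.Attribute) and dotted(sub) in SOURCES:
                return sub.lineno
        return None

    def visit_Assign(self, node):
        origin = self._origin(node.value)
        for tgt in node.targets:
            if isinstance(tgt, ast.Name):
                if origin is not None:
                    self.tainted[tgt.id] = origin       # taint propagates
                else:
                    self.tainted.pop(tgt.id, None)      # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted(node.func)
        if callee in SINKS:
            rule, cwe, severity, idx = SINKS[callee]
            if idx < len(node.args):
                origin = self._origin(node.args[idx])
                if origin is not None:
                    self.findings.append({
                        "rule": rule, "cwe": cwe, "severity": severity,
                        "sink": callee, "source_line": origin, "sink_line": node.lineno,
                    })
        self.generic_visit(node)


def scan(source):
    """Return taint-flow findings for one Python source string."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample input for the demo (it is parsed, never executed).
SAMPLE = '''\
import os, sqlite3
from flask import request

def lookup(cursor):
    uid = request.args.get("id")                                # source
    query = "SELECT * FROM users WHERE id = " + uid             # taint propagates
    cursor.execute(query)                                       # SQLi sink
    cursor.execute("SELECT * FROM users WHERE id = ?", (uid,))  # bound param: clean

def ping():
    host = request.form.get("host")
    os.system("ping -c 1 " + host)                              # command-injection sink

def read(name):
    path = os.path.join("/srv/files", name)                     # untracked parameter
    return open(path).read()                                    # no finding
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['severity']:6} {f['rule']} ({f['cwe']}): "
              f"source L{f['source_line']} -> {f['sink']} L{f['sink_line']}")
```

Running it reports two flows (SQL injection from line 5 to line 7, command injection from line 11 to line 12) and stays silent on the parameterised query and on the `open()` call, because the path is built from a plain function parameter that this toy never marks as tainted. That last case is exactly the kind of gap an interprocedural engine closes by treating parameters of public handlers as sources.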
🌲 Sidebar & Navigation
Hierarchical Tree View: Findings organized by Severity → Rule → File.
Deep Linking: Click any finding to jump directly to the vulnerable line in your editor.
Status Bar Summary: A constant, unobtrusive shield icon showing your current finding count.
✍️ Rich Editor Integration
Gutter Icons: Visual severity markers right next to your line numbers.
Inline Annotations: Immediate rule labels at the end of vulnerable lines.
CodeLens Actions: One click to view the suggested fix or open the detailed analysis.
Hover tooltips: Instant CWE mapping and fix recommendations on hover.
🔍 Automated Scanning
Full-Repo Auto-Scan: Automatically analyze your entire project on startup.
Real-Time On-Type: Debounced background scanning as you write code.
On-Save Scan: Automatic verification every time you save.