MergeGuide Policy Checker for VS Code
Real-time security and code quality policy checking directly in your editor. MergeGuide scans your code as you type, highlights policy violations inline, and provides actionable remediation guidance — catching issues before they reach code review or CI.
Features
- Real-time scanning: policy violations appear as you type, with inline squiggly underlines and gutter icons
- 15+ language support: Python, JavaScript, TypeScript, JSX, TSX, Java, Go, Ruby, PHP, C#, C/C++, Rust, SQL, Kotlin, Swift, and more
- Activity bar sidebar: dedicated MergeGuide panel with three views: Policy Violations, Policies, and Evaluations
- Pre-commit hook: optional shell-based git hook that blocks commits with policy violations (configurable severity gate)
- API key authentication: securely stored via VS Code SecretStorage (OS keychain); connect to your MergeGuide dashboard for team policy sync
- Code actions: quick-fix suggestions for common violations
- Hover details: hover over underlined code for violation details and remediation guidance
- Status bar indicator: see scan status at a glance
- Language Server Protocol: LSP-based architecture for fast, reliable diagnostics
Installation
- Open VS Code
- Go to the Extensions view (Ctrl+Shift+X / Cmd+Shift+X)
- Search for MergeGuide
- Click Install
Getting Started
1. Set your API key
Run the command MergeGuide: Set API Key from the Command Palette (Ctrl+Shift+P / Cmd+Shift+P).
Your API key is available from your organization's MergeGuide dashboard at portal.mergeguide.ai. Navigate to Settings > API Keys to generate or copy your key.
Keys are stored securely in VS Code's SecretStorage (backed by your OS keychain). They are never written to settings files in plain text.
2. Open a supported file
Once authenticated, MergeGuide scans files automatically on open and as you type. Violations appear as inline diagnostics in the editor and in the Problems panel.
3. Review violations
- Click the MergeGuide icon in the Activity Bar to open the sidebar
- Check the Policy Violations view for a summary of all findings
- Hover over underlined code for details and fix guidance
- Use Quick Fix (Ctrl+. / Cmd+.) for one-click remediation where available
Configuration
All settings are under mergeguide.* in VS Code Settings.
| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| mergeguide.enable | boolean | true | Enable or disable MergeGuide policy checking |
| mergeguide.apiUrl | string | https://portal.mergeguide.ai | MergeGuide dashboard API base URL |
| mergeguide.apiKey | string | "" | API key (deprecated; use the Set API Key command instead) |
| mergeguide.pythonPath | string | python3 | Path to Python interpreter |
| mergeguide.mergeguidePath | string | "" | Path to MergeGuide installation (leave empty for global) |
| mergeguide.debounceMs | number | 300 | Debounce delay in milliseconds before scanning |
| mergeguide.maxFileSizeKb | number | 1024 | Maximum file size in KB to scan (larger files are skipped) |
| mergeguide.policyCacheTtlMs | number | 300000 | Policy cache time-to-live in milliseconds (default: 5 minutes) |
| mergeguide.preCommitHook | enum | prompt | Pre-commit hook behavior: prompt, always, or never |
| mergeguide.preCommitCheck | boolean | true | Enable MergeGuide pre-commit policy check |
| mergeguide.preCommitBlockOnErrors | boolean | true | Block commits when error-severity violations are found |
| mergeguide.trace.server | enum | off | Language server trace level: off, messages, or verbose |
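One way to audit a settings.json for the deprecated plaintext mergeguide.apiKey and for values that switch checking or the commit gate off. This is an added example, not part of the extension; the function names, the WEAKENING list and the sample file are constructed for illustration, and only the setting names come from the table above.

```python
import json
import re

STRING = r'"(?:\\.|[^"\\])*"'
COMMENTS = re.compile(STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
TRAILING = re.compile(STRING + r"|,(?=\s*[}\]])")

# Assumption: these values from the settings table are treated as weakening.
WEAKENING = {
    "mergeguide.enable": False,
    "mergeguide.preCommitCheck": False,
    "mergeguide.preCommitBlockOnErrors": False,
    "mergeguide.preCommitHook": "never",
}

def _keep_strings(match):
    """Keep string literals untouched; drop comments and trailing commas."""
    token = match.group(0)
    return token if token.startswith('"') else ""

def strip_jsonc(text):
    """VS Code settings are JSON with comments; reduce them to plain JSON."""
    return TRAILING.sub(_keep_strings, COMMENTS.sub(_keep_strings, text))

def audit_settings(text):
    """Return the names of risky MergeGuide settings found in one file."""
    settings = json.loads(strip_jsonc(text))
    found = []
    if settings.get("mergeguide.apiKey"):  # non-empty deprecated plaintext key
        found.append("mergeguide.apiKey")
    found += [k for k, weak in WEAKENING.items() if settings.get(k) == weak]
    return found

SAMPLE = """{
  // constructed workspace settings, not from a real project
  "mergeguide.apiKey": "EXAMPLE-PLACEHOLDER-KEY",
  "mergeguide.apiUrl": "https://portal.mergeguide.ai", /* default */
  "mergeguide.preCommitBlockOnErrors": false,
}"""

if __name__ == "__main__":
    for name in audit_settings(SAMPLE):
        print("review:", name)
```

Run it over both the user-level settings file and any .vscode/settings.json committed to a repository, since a workspace file travels with the code.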
Commands
All commands are available via the Command Palette under the MergeGuide category.
| Command | Description |
| --- | --- |
| MergeGuide: Check Current File | Run a policy scan on the active file |
| MergeGuide: Check All Files in Workspace | Scan all supported files in the workspace |
| MergeGuide: Set API Key | Securely store your MergeGuide API key |
| MergeGuide: Clear API Key | Remove the stored API key |
| MergeGuide: Check Authentication Status | Verify your API key is valid |
| MergeGuide: Reload Policies | Refresh the policy set from the server |
| MergeGuide: Pre-Commit Policy Check | Manually run a pre-commit scan |
| MergeGuide: Install Pre-commit Hook | Install the git pre-commit hook |
| MergeGuide: Uninstall Pre-commit Hook | Remove the git pre-commit hook |
| MergeGuide: Refresh Violations | Refresh the violations sidebar view |
| MergeGuide: Refresh Evaluations | Refresh the evaluations sidebar view |
Supported Languages
| Language | File Extensions |
| --- | --- |
| Python | .py, .pyw, .pyi |
| JavaScript | .js, .jsx, .mjs, .cjs |
| TypeScript | .ts, .tsx, .mts, .cts |
| Java | .java |
| Go | .go |
| Ruby | .rb, .rake, .gemspec |
| PHP | .php |
| C# | .cs |
| C/C++ | .c, .cpp, .h, .hpp |
| Rust | .rs |
| Kotlin | .kt, .kts |
| Scala | .scala |
| Swift | .swift |
| Shell | .sh, .bash, .zsh |
| PowerShell | .ps1, .psm1 |
| Dart | .dart |
| R | .r, .R |
| Elixir | .ex, .exs |
| SQL | .sql |
| HCL/Terraform | .hcl, .tf |
| YAML | .yaml, .yml |
| JSON | .json |
| XML | .xml |
| HTML | .html, .htm |
| CSS | .css, .scss, .less |
| Markdown | .md, .markdown |
| Groovy | .groovy, .gradle |
How Detection Works in VS Code
The VS Code extension operates in pre-screening mode: it uses simplified regex-based pattern matching to surface policy violations as you type. This provides fast, real-time feedback during development.
The full MergeGuide detection engine (used by the CLI, CI pipeline, and GitHub App) includes additional capabilities such as Semgrep-powered semantic analysis, regex flags, and multi-condition rules. Some policies that use these advanced features may produce slightly different results in the VS Code extension compared to the CLI or CI.
For the most comprehensive scan, use the MergeGuide CLI (mergeguide scan) or configure the GitHub App for automated PR checks.
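Why a regex pre-screen and a syntax-aware scan can disagree on the same file, as an added illustration that is not MergeGuide's rules or engine. The eval rule and the sample source are constructed, and Python's ast module stands in here for semantic analysis.

```python
import ast
import re

# Constructed text rule (not a MergeGuide policy): flag calls to eval().
EVAL_PATTERN = re.compile(r"\beval\s*\(")

def regex_hits(source):
    """Line numbers a text-only pre-screen would flag."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if EVAL_PATTERN.search(line)]

def ast_hits(source):
    """Line numbers of real calls to eval, following `name = eval` aliases."""
    tree = ast.parse(source)
    names = {"eval"}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Name)
                and node.value.id in names):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return sorted(node.lineno for node in ast.walk(tree)
                  if isinstance(node, ast.Call)
                  and isinstance(node.func, ast.Name)
                  and node.func.id in names)

def compare(source):
    """Split findings into those one method reports alone and those both do."""
    rx, syn = set(regex_hits(source)), set(ast_hits(source))
    return {"regex_only": sorted(rx - syn),   # comments, string literals
            "ast_only": sorted(syn - rx),     # calls the text pattern misses
            "both": sorted(rx & syn)}

# Constructed sample file contents.
SAMPLE = '''\
# never call eval(user_input) here
msg = "eval(x) is disabled"
run = eval
result = run(payload)
safe = ast.literal_eval(text)
value = eval (expr)
'''

if __name__ == "__main__":
    print(compare(SAMPLE))
```

Findings under regex_only are editor noise, while ast_only marks what only the fuller scan reports, which is why the CLI or CI result should be the one that gates a merge.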
Pre-Commit Hook
MergeGuide can install a git pre-commit hook that scans staged files before each commit.
- Prompt mode (default): asks whether to install the hook when the extension activates
- Always mode: automatically installs the hook
- Never mode: disables hook installation
When preCommitBlockOnErrors is enabled (default), commits are blocked if any error-severity violations are found. Warnings and info-level findings are reported but do not block.
Requirements
- VS Code 1.85.0 or later
- Python 3.8+ (for the MergeGuide policy engine)
- A MergeGuide API key (get one at portal.mergeguide.ai)
License
MIT