Mondoo Security

Publisher: Mondoo | 81 installs | Free
VS Code extension for Mondoo security with cnspec (infrastructure & policy) and xgrep (code), including AI agent skills for both.
Mondoo Security for VS Code

Catch security issues while you write code, and verify that the infrastructure you run is configured securely — all without leaving VS Code. The extension brings Mondoo's two security scanners, xgrep and cnspec, into the editor, along with AI assistance that works with the language model you already have in VS Code.

What it does

The extension covers three sides of your security work, each with its own view in the Mondoo sidebar:

🔍 Code security — find and fix issues as you type

Powered by xgrep, Mondoo's software development security scanner.

  • Live findings for vulnerabilities and leaked secrets appear in the editor and the Problems panel the moment you open or edit a file, with no account and no configuration. The scanner installs automatically from npm on first use, so the first scan needs access to the npm registry.
  • Fix or dismiss in one click with Code Actions: apply the rule's fix, or suppress a false positive with a reason that's recorded in a comment and holds in CI too.
  • Fix with AI, verified by xgrep — for findings without a mechanical fix, your own language model authors the change from xgrep's fix contract and xgrep verifies it (must parse, clear the finding, and add no new one) before you approve it in a diff preview. No account; nothing is written until you accept.
  • Workspace and changed-files scans for a full sweep or a quick pre-commit check, with a live finding count in the status bar.

🛡️ Infrastructure security — check systems against policies

Powered by cnspec, Mondoo's infrastructure security scanner, using MQL (Mondoo Query Language).

  • Run policies and queries against your local machine, SSH hosts, Docker, Kubernetes, and the major clouds (AWS, Azure, GCP) — with credentials kept in your OS keychain, never in settings.
  • A full policy authoring workbench: tree view, search, pins, and bulk operations for your .mql.yaml bundles.
  • MQL language intelligence via the built-in cnspec language server — diagnostics, completion, hover, quickfixes, go-to-definition, find references, and CodeLens "Run Query" actions.
  • Lint, format-on-save, and offline validation — queries compile locally before they ever run against a target.
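As an added example (not from the extension or from Mondoo's own documentation), here is a minimal .mql.yaml bundle of the kind the authoring workbench manages: one policy with one group of two checks against the local sshd configuration. The policy and query uids, the policy name and version, and the two chosen checks are illustrative assumptions; sshd.config.params and asset.family are real MQL resources, and the field layout follows the cnspec bundle format.

```yaml
# Added example bundle, not code from the Mondoo project.
# uids, names and the chosen checks are illustrative; the field layout
# (policies -> groups -> checks, plus top-level queries) is cnspec's.
policies:
  - uid: example-ssh-hardening
    name: Example SSH hardening policy
    version: 1.0.0
    groups:
      - title: SSH daemon
        # Only evaluate this group on Unix-like assets; other assets are skipped.
        filters: asset.family.contains("unix")
        checks:
          - uid: sshd-permit-root-login-no
          - uid: sshd-password-auth-no

queries:
  - uid: sshd-permit-root-login-no
    title: Root login over SSH is disabled
    impact: 80
    # sshd.config.params exposes the effective sshd_config directives as a map.
    mql: sshd.config.params["PermitRootLogin"] == "no"

  - uid: sshd-password-auth-no
    title: Password authentication over SSH is disabled (keys only)
    impact: 60
    mql: sshd.config.params["PasswordAuthentication"] == "no"
```

With the file saved as policy.mql.yaml, cnspec bundle lint policy.mql.yaml and cnspec bundle fmt policy.mql.yaml check and normalize it offline, which is the same validation the extension runs on save; cnspec scan local -f policy.mql.yaml evaluates it against the local machine, and a single query can be tried on its own with cnspec run local -c 'sshd.config.params["PermitRootLogin"]' before it is wired into a check.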

📦 Bill of materials — know what's inside

  • SBOM (software bill of materials) for your source-code dependencies or the packages on a running asset.
  • AIBOM (AI bill of materials) inventorying the AI/ML models and agents in scope.
  • Standard formats — CycloneDX, SPDX, JSON — that drop straight into compliance workflows and CI. Generation runs fully offline.

🤖 AI assistance

  • @mondoo chat participant — your conversational entry point to both scanners, running on the language model already configured in VS Code (no Mondoo account needed):

    • Explain & triage findings (the default flow) — ask @mondoo whether an xgrep code finding or cnspec policy-lint finding is actually exploitable here and how to fix it. The answer is enriched with xgrep's code graph (call neighborhood and dataflow), and you can keep asking follow-up questions like "how would an attacker exploit this?" or "show me the fix as a diff."
    • @mondoo /query — generate an MQL query from a natural-language security check.
  • One-click explain — the Explain Finding (AI) Code Action on any xgrep or cnspec-lint finding opens the same @mondoo triage chat pre-loaded with that finding.

  • Language model tools — #cnspec runs scans and policy commands, and #mqlSchema looks up MQL providers, resources, and fields; both are available in agent mode and Copilot Chat.

  • AI agent skills for Claude Code — bring Mondoo's deeper analysis into your agent:

    • Mondoo Infrastructure Security: Install AI Skills adds the mql and policy-graph skills from the cnspec repo for writing MQL and navigating policy bundles.
    • Mondoo Code Security: Install AI Skills adds xgrep's code-security skills (inspect, rule authoring, triage) for working with code findings.

  xgrep's analysis (code graph, symbol inspection, scanning) is also exposed to AI coding agents over MCP; Copilot agent mode discovers it automatically.

Getting started

  1. Install the extension from the Visual Studio Marketplace or Open VSX.
  2. Open the Mondoo view in the Activity Bar, or run Get Started from the Command Palette to launch the guided walkthroughs.
  3. Code security works immediately — open a file and findings appear as you type. For infrastructure scanning, the extension detects cnspec and guides you through installation if it's missing.

The extension only runs in trusted workspaces because it executes the cnspec and xgrep binaries against workspace files.

Requirements

  • Visual Studio Code 1.101 or later
  • cnspec for infrastructure scanning (auto-detected; the extension guides you through installation if it's missing)
  • The xgrep code scanner installs automatically — no setup needed

Tools & documentation

  • cnspec — open-source infrastructure security scanner: mondoo.com/cnspec
  • xgrep — software development security scanner: mondoo.com/xgrep
  • Documentation — guides, MQL reference, and how-tos: mondoo.com/docs

Getting help

  • Extension guide: docs/index.md — getting started, code security, infrastructure security, bill of materials, and settings
  • Developing this extension: DEVELOPMENT.md — build, run in dev mode, and test
  • Install the extension: Visual Studio Marketplace · Open VSX
  • Issues: GitHub Issues
  • Community: Mondoo Community