🛡️ SafeGuardian - VS Code Extension
Privacy-first security scanner that detects secrets, API keys, and sensitive files before you push to git.
🚀 Quick Start
- Install the extension from VS Code Marketplace
- Open a git repository - the extension auto-activates
- Look at the status bar - you'll see 🛡️ SafeGuardian ✓ at the bottom left
- Save or stage files - automatic scanning happens in the background
📖 How to Use
Automatic Scanning
| Trigger | What Happens |
|---|---|
| Save a file | That file is scanned immediately |
| Stage files (git add) | All staged files are scanned |
| .git/index changes | Auto-scan detects staging events |
Manual Commands
Press Ctrl+Shift+P (or Cmd+Shift+P on Mac) and type:
| Command | Description |
|---|---|
| SafeGuardian: Scan Staged Files | Scan all currently staged files |
| SafeGuardian: Scan Current File | Scan the active editor file |
| SafeGuardian: Run Auto-Fix | Add flagged files to .gitignore |
Status Bar Indicators
| Icon | Meaning |
|---|---|
| 🛡️ SafeGuardian ✓ | No issues detected |
| 🛡️ SafeGuardian 🟢 | Low risk issues found |
| 🛡️ SafeGuardian 🟡 | Medium risk - warnings |
| 🛡️ SafeGuardian 🔴 | High risk - secrets detected! |
Click the status bar to open the Problems panel.
Quick-Fix Actions
When your cursor is on a flagged line, press Ctrl+. (or Cmd+. on Mac) to see:
- Add to .gitignore - Prevent file from being committed
- Unstage this file - Remove from git staging area
- View documentation - Open this guide
🔍 What SafeGuardian Detects
🔐 Secrets & API Keys
| Type | Pattern Example |
|---|---|
| OpenAI API Keys | sk-proj-... |
| AWS Access Keys | AKIA... |
| AWS Secret Keys | aws_secret_access_key = ... |
| GitHub Tokens | ghp_..., github_pat_... |
| Stripe Keys | sk_live_..., sk_test_... |
| Google API Keys | AIza... |
| Slack Tokens | xoxb-..., xoxp-... |
| JWT Tokens | eyJ... |
| Private Keys | -----BEGIN PRIVATE KEY----- |
| Database URLs | mongodb://..., postgres://... |
| Generic Passwords | password = "..." |
📁 Sensitive Files (Hygiene)
Files that should never be committed:
| File Type | Examples |
|---|---|
| Environment files | .env, .env.local, .env.production |
| Credentials | credentials.json, secrets.yaml |
| Private keys | id_rsa, id_ed25519, *.pem, *.key |
| Dependencies | node_modules/ |
| Build outputs | dist/, build/, out/ |
| Log files | *.log |
| Databases | *.sqlite, *.db |
| Large files | Files > 5MB |
🚫 Content Moderation
Detects inappropriate content in code:
- Explicit content
- Hate speech
- Abusive language
- Violence/threats
⚙️ Configuration
Go to File → Preferences → Settings and search for "SafeGuardian":
| Setting | Default | Description |
|---|---|---|
| scanOnSave | true | Scan files when saved |
| scanOnStage | true | Scan files when staged via git add |
| showNotifications | true | Show popup notifications for issues |
| maxFileSizeKB | 5120 | Maximum file size to scan (5MB) |
Settings Example (settings.json)
{
"safeguardian.scanOnSave": true,
"safeguardian.scanOnStage": true,
"safeguardian.showNotifications": true,
"safeguardian.maxFileSizeKB": 5120
}
🔧 Auto-Fix Behavior
What Auto-Fix Does
When you run SafeGuardian: Run Auto-Fix:
| Issue Type | Auto-Fix Action |
|---|---|
| Hygiene (.env, .pem, etc.) | ✅ Adds to .gitignore and unstages |
| Secrets in code | ❌ Cannot auto-fix - manual removal needed |
| Content issues | ❌ Cannot auto-fix - manual removal needed |
Why Some Issues Need Manual Fix
- .env file → The entire file shouldn't be committed → Auto-fix works ✓
- API key inside app.js → The file is needed, just the key is wrong → Manual fix required
SafeGuardian cannot modify your code - it only prevents committing sensitive files.
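The split between auto-fixable and manual issues, sketched as an added example that is not SafeGuardian's own code. The path rules mirror the Sensitive Files table; `planAutoFix`, its inputs and the exact .gitignore entries it proposes are assumptions made for illustration.

```javascript
// Added example (not SafeGuardian's code). Each rule maps a path from the
// hygiene table to the .gitignore entry this sketch would add (assumption).
const HYGIENE = [
  { re: /(?:^|\/)(\.env(?:\.[^\/]+)?|credentials\.json|secrets\.yaml|id_rsa|id_ed25519)$/,
    entry: (m) => m[1] },
  { re: /\.(pem|key|log|sqlite|db)$/, entry: (m) => '*.' + m[1] },
  { re: /(?:^|\/)(node_modules|dist|build|out)\//, entry: (m) => m[1] + '/' },
];

// stagedPaths: paths reported as staged; pathsWithSecrets: Set of paths where
// a secret was found inside the content; gitignoreText: current .gitignore.
function planAutoFix(stagedPaths, pathsWithSecrets, gitignoreText) {
  const present = new Set(
    gitignoreText.split(/\r?\n/).map((l) => l.trim())
      .filter((l) => l && !l.startsWith('#'))
  );
  const plan = { addToGitignore: [], unstage: [], manual: [] };
  for (const raw of stagedPaths) {
    const path = raw.replace(/\\/g, '/'); // normalise Windows separators
    const rule = HYGIENE.find((r) => r.re.test(path));
    if (rule) {
      // Whole file should not be committed: ignore it and unstage it.
      const entry = rule.entry(rule.re.exec(path));
      if (!present.has(entry)) {
        present.add(entry); // avoid duplicate .gitignore lines
        plan.addToGitignore.push(entry);
      }
      plan.unstage.push(path);
    } else if (pathsWithSecrets.has(raw)) {
      // File is needed, only the secret is wrong: a human must edit it.
      plan.manual.push(path);
    }
  }
  return plan;
}

// Constructed sample input.
const STAGED = ['.env', 'config/.env.production', 'certs/server.pem',
  'node_modules/x/index.js', 'src/app.js', 'README.md'];
console.log(planAutoFix(STAGED, new Set(['src/app.js']), '# deps\nnode_modules/\n'));
```

A .gitignore entry has no effect on a file that is already in the index, which is why the unstage step accompanies it.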
Manual Fix Steps
When you see "needs manual fix":
- Open the flagged file
- Find the secret/API key
- Replace with environment variable:
// ❌ Bad - hardcoded secret
const apiKey = "sk-proj-abc123...";
// ✅ Good - use environment variable
const apiKey = process.env.OPENAI_API_KEY;
- Add to your .env file (not committed):
OPENAI_API_KEY=sk-proj-abc123...
- Re-stage the fixed file
📊 Risk Scoring
| Score | Level | Meaning |
|---|---|---|
| 0-19 | LOW | Minor issues, safe to push |
| 20-49 | MEDIUM | Warnings, review recommended |
| 50+ | HIGH | Secrets detected! Push blocked |
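Prefix-based secret detection from the Secrets & API Keys table, combined with the score thresholds above, as an added example that is not SafeGuardian's own code. The regular expressions, per-finding weights and function names are assumptions; only the prefixes and the LOW/MEDIUM/HIGH boundaries come from this page.

```javascript
// Added example (not SafeGuardian's code). Regexes and weights are assumptions
// built around the prefixes listed in the Secrets & API Keys table.
const RULES = [
  { type: 'OpenAI API Key', re: /\bsk-proj-[A-Za-z0-9_-]{20,}/, weight: 50 },
  { type: 'AWS Access Key', re: /\bAKIA[0-9A-Z]{16}\b/, weight: 50 },
  { type: 'GitHub Token', re: /\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{20,})/, weight: 50 },
  { type: 'Stripe Key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/, weight: 50 },
  { type: 'Private Key', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/, weight: 50 },
  { type: 'Database URL', re: /\b(?:mongodb|postgres):\/\/[^\s:@\/]+:[^\s@\/]+@/, weight: 30 },
  { type: 'Generic Password', re: /\bpassword\s*=\s*["'][^"']{4,}["']/i, weight: 20 },
];

// Report only a short prefix so the scanner's own output never leaks the secret.
const redact = (s) => s.slice(0, 8) + '...[redacted]';

// Scan line by line so each finding carries a 1-based line number.
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (m) findings.push({ line: i + 1, type: rule.type, weight: rule.weight, match: redact(m[0]) });
    }
  });
  return findings;
}

// Thresholds taken from the Risk Scoring table.
function riskLevel(score) {
  if (score >= 50) return 'HIGH';
  if (score >= 20) return 'MEDIUM';
  return 'LOW';
}

function assess(text) {
  const findings = scanText(text);
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  return { score, level: riskLevel(score), findings };
}

// Constructed sample: the AWS value is the key ID used in AWS documentation.
const SAMPLE = [
  'const region = "us-east-1";',
  'const id = "AKIAIOSFODNN7EXAMPLE";',
  'const apiKey = process.env.OPENAI_API_KEY;',
  'password = "hunter2-constructed"',
].join('\n');

console.log(assess(SAMPLE));
```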
🔒 Privacy & Security
- ✅ 100% Local - All scanning happens on your machine
- ✅ No Network Calls - Nothing is sent to any server
- ✅ No Telemetry - No analytics, no tracking
- ✅ No Data Collection - Your code never leaves your computer
🐛 Troubleshooting
Extension not activating?
- Make sure you opened a folder with a .git directory
- Check the Output panel: View → Output → SafeGuardian
Not seeing issues?
- Files must be staged (git add) for full scanning
- Single files are scanned on save
- Check if file type is binary (images, PDFs are skipped)
False positives?
- Some patterns may match non-secrets
- Use .safeguardian-ignore to exclude files (coming soon)
Commands not working?
- Reload VS Code: Ctrl+Shift+P → "Developer: Reload Window"
- Check Output panel for error messages
📝 CLI Version
SafeGuardian also comes as a CLI tool:
# Scan staged files
node cli.js
# Scan and auto-fix
node cli.js --fix
# Install as git hook
node install.js
📜 License
MIT License - Free to use, modify, and distribute.
🤝 Contributing
Found a bug or have a feature request? Open an issue on GitHub!
Made with ❤️ for developers who care about security