# DevGuard IDE Plugin

Kubernetes YAML security scanner for VS Code, Cursor, and Amazon Kiro. Uses nctl for scanning, remediation, and AI-powered fix/explain.
## Overview

- Scan on save – Violations appear as squiggles; click for fixes
- Policy contexts – Local baseline (offline) or Central (Nirmata Control Hub)
- Fix – Safe defaults (`nctl remediate`) or AI (`nctl ai`); fix a single violation or all
- Explain – AI explanation of violations
- Self-check – Validate nctl, auth, policy mode, and cache
- Support bundle – Export sanitized debug bundle; Admin Help – in-IDE docs for platform teams

Architecture and repository layout are documented in docs/.
## Prerequisites
## Install

### From VSIX

```bash
code --install-extension build/devguard-2.3.0.vsix
```

### From source (development)

```bash
npm install
npm run compile
# F5 in VS Code → Extension Development Host
```

### Build VSIX

```bash
./scripts/package-vsix.sh
```

Output: build/devguard-2.3.0.vsix (version from package.json). See scripts/package-vsix.md if packaging fails in Cursor.
## Usage
- Open a Kubernetes YAML file
- Save – DevGuard scans and shows violations
- Click a violation → Fix with Safe Defaults, Fix with AI, or Explain
- Optional: DevGuard: Run Self Check to verify setup; DevGuard: Export Support Bundle for debugging
## Configuration

| Setting | Default | Description |
|---|---|---|
| `devguard.nctlPath` | `nctl` | Path to nctl binary |
| `devguard.autoScanOnSave` | `true` | Scan on save |
| `devguard.scanDebounceMs` | `600` | Debounce (ms) |
| `devguard.k8sHeuristicsEnabled` | `true` | Only scan YAML that looks like K8s (apiVersion/kind) |
| `devguard.policySource` | `local` | `local` or `central` |
| `devguard.nchUrl` | `""` | Nirmata Control Hub URL (for central) |
| `devguard.defaultPolicyContext` | `Local Baseline` | Default context |
| `devguard.allowedPolicyContexts` | `[]` | Allowed contexts (regex supported) |
| `devguard.policyCacheTtlMinutes` | `60` | TTL for cached central contexts |
| `devguard.allowLocalFallback` | `true` | Allow local policies when central is set but not logged in |
| `devguard.localAuditLogEnabled` | `false` | JSONL audit log (scan/fix/explain) in `globalStorageUri/audit/` |
Commands: DevGuard: Scan Current File · DevGuard: Select Policy Context · DevGuard: Login to NCH · DevGuard: Update Token · DevGuard: Logout · DevGuard: Fix with Safe Defaults · DevGuard: Fix with AI · DevGuard: Fix All with Safe Defaults · DevGuard: Fix All with AI · DevGuard: Explain Violation · DevGuard: Run Self Check · DevGuard: Export Support Bundle · DevGuard: Show Admin Help
Policy modes: Local = offline, no login. Central = NCH, requires login; supports RBAC.
## Testing

- Manual: open/save a K8s YAML with a violation (e.g. `privileged: true`); check squiggles and fix actions.
- Test manifests: `nctl scan kubernetes --resources tests/manual/test-manifest-with-violations.yaml -o sarif`
- Extension tests: `npm test`
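The SARIF output of the `nctl scan kubernetes ... -o sarif` command above can be consumed outside the IDE as well, for example to gate a CI job on the same violations the plugin shows as squiggles. The following is an added example (not part of the DevGuard project or nctl) that flattens a SARIF 2.1.0 document into violations and returns a non-zero exit code when any error-level finding is present; the embedded SARIF sample is constructed, and its rule ids and messages are illustrative rather than nctl's own.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for the output of
# `nctl scan kubernetes --resources <file> -o sarif`. Rule ids and
# messages are illustrative, not nctl's real ones.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "nctl"}},
        "results": [
            {"ruleId": "disallow-privileged-containers", "level": "error",
             "message": {"text": "Privileged mode is disallowed"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "deploy.yaml"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "require-run-as-nonroot", "level": "warning",
             "message": {"text": "Containers must run as non-root"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "deploy.yaml"},
                 "region": {"startLine": 12}}}]},
        ],
    }],
})


def sarif_violations(sarif_text):
    """Flatten SARIF results into (file, line, level, ruleId, message) tuples."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine", 0),
                r.get("level", "warning"),  # SARIF's default level is "warning"
                r.get("ruleId", "unknown"),
                r.get("message", {}).get("text", ""),
            ))
    return out


def gate(sarif_text, fail_on=("error",)):
    """Return (counts_by_level, exit_code); exit_code is 1 if a blocking level occurs."""
    counts = Counter(v[2] for v in sarif_violations(sarif_text))
    return counts, int(any(counts[lvl] for lvl in fail_on))


if __name__ == "__main__":  # usage: nctl scan ... -o sarif | python gate.py
    sys.exit(gate(sys.stdin.read())[1])
```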
## Troubleshooting

| Issue | Action |
|---|---|
| nctl not found | Run `nctl version`; set `devguard.nctlPath` if needed |
| No violations | Check Output → DevGuard; ensure the file has `apiVersion:`/`kind:`; run DevGuard: Scan Current File |
| Auth problems | DevGuard: Logout, then DevGuard: Login to NCH; check NCH URL and token |
## Enterprise rollout
Deploying at scale: docs/ – managed settings template, proxy/cert guidance, recommended rollout steps, support bundle guide, IDE notes (VS Code, Cursor, Kiro).
## Development

```bash
npm install
npm run compile   # build
npm run package   # produce VSIX in build/
npm test          # unit + integration tests
```

Module layout and architecture: docs/architecture.md.
## Compatibility

| IDE | Status |
|---|---|
| VS Code | ✅ Tested |
| Cursor | ✅ Tested |
| Amazon Kiro | ✅ Compatible |
## License & support