Primus Security
Real-time .NET security analysis — no server, no Java, no infrastructure.
Powered by the Primus Security Suite, this extension brings 62 Roslyn SAST analyzers, cross-file taint analysis, and one-click code patches directly into VS Code.
Note: This extension is not yet on the VS Code Marketplace. Install from the .vsix file in GitHub Releases.
Requirements
- VS Code 1.109.0 or later — code --version
- .NET SDK 9.0 or later — dotnet --version
- primus-scan CLI on your PATH:
dotnet tool install -g PrimusSaaS.Security.Cli
primus-scan --version # 2.4.8
If PrimusSaaS.Security.Cli is not yet on NuGet, build from source:
git clone https://github.com/primussoft/Primus-SaaS-Framework.git
dotnet build tools/PrimusSecurityScanner/PrimusSecurityScanner.csproj -c Release
# Set primusSecurity.cliPath in VS Code settings to the full binary path
- A .NET project that builds — run dotnet build before scanning. The scanner uses Roslyn compilation context; a project with unresolved dependencies produces 0 SAST findings silently.
Install
code --install-extension primus-security-2.4.8.vsix
Or: Cmd+Shift+P → Extensions: Install from VSIX.
Features
- Real-time findings panel — security issues grouped by severity in the Explorer sidebar
- Inline diagnostics — squiggles and 🔴 Critical / 🟠 High / 🟡 Medium labels on vulnerable lines
- One-click patch apply — applies LocalRemediationEngine before/after diffs with a single command
- Rule explain sidebar — what/why/howToFix, OWASP/CWE references, safe/unsafe code examples, patch confidence %
- Scan on save — automatically scans C# files when saved (configurable)
- Status bar — live 🔴 3C 12H count with colour-coded background
Usage
- Scan Workspace: Cmd+Shift+P → Primus Security: Scan Workspace
- Scan Current File: Right-click in editor → Primus Security: Scan Current File
- Apply Fix: Click the wrench icon on any finding in the panel
- Explain Rule: Cmd+Shift+P → Primus Security: Explain Rule
Settings
| Setting | Default | Description |
| --- | --- | --- |
| primusSecurity.cliPath | primus-scan | Path to primus-scan executable |
| primusSecurity.scanOnSave | true | Auto-scan C# files on save |
| primusSecurity.scanOnOpen | false | Auto-scan C# files on open |
| primusSecurity.scanTimeoutSeconds | 120 | Max seconds before scan times out |
| primusSecurity.qualityGate.maxCritical | 0 | Max Critical findings |
| primusSecurity.qualityGate.maxHigh | 0 | Max High findings |
| primusSecurity.showInlineDecorations | true | Show inline severity icons |
| primusSecurity.suppressionsFile | .primus-suppressions.json | Path to suppressions file |
What it detects
62 Roslyn SAST analyzers covering OWASP Top 10 2021: SQL injection, XSS, SSRF, command injection, path traversal, insecure deserialization, JWT misconfiguration, CORS misconfiguration, insecure cookies, hardcoded secrets — with cross-file taint analysis tracking data flow across method call boundaries.
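An added illustration, not code from the Primus project: a constructed C# pair in which request input crosses a method call boundary before reaching a SQL sink, the kind of flow the cross-file taint analysis above is described as tracking, shown beside the parameterized form. All type and method names are hypothetical, and the code assumes the Microsoft.Data.SqlClient package is referenced.

```csharp
// Constructed example; every type and method name here is hypothetical.
using System;
using System.Data;
using Microsoft.Data.SqlClient;

public static class OrderFilters
{
    // Picture this helper in a different file from its caller.
    // The tainted value passes through here on its way to the sink.
    public static string CountByCustomer(string customer) =>
        "SELECT COUNT(*) FROM Orders WHERE Customer = '" + customer + "'";
}

public sealed class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString) =>
        _connectionString = connectionString;

    // UNSAFE: 'customer' (source: request input) flows through
    // OrderFilters.CountByCustomer into CommandText (sink). Neither method
    // contains both the source and the sink, so a per-method check sees
    // nothing; the flow is only visible across the call boundary.
    public int CountUnsafe(string customer)
    {
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(OrderFilters.CountByCustomer(customer), conn);
        conn.Open();
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // SAFE: the query text is a constant and the value travels as a typed,
    // length-bounded parameter, so it is never parsed as SQL.
    public int CountSafe(string customer)
    {
        const string sql = "SELECT COUNT(*) FROM Orders WHERE Customer = @customer";
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@customer", SqlDbType.NVarChar, 128).Value = customer;
        conn.Open();
        return Convert.ToInt32(cmd.ExecuteScalar());
    }
}
```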