Overview Version History Q & A Rating & Review
SecureRefactor
Scan → Review → Fix — all from your VS Code sidebar.
SecureRefactor scans your workspace for security vulnerabilities, vulnerable dependencies, and code quality issues, then shows everything in a unified dashboard with AI-assisted fix suggestions presented as reviewable diffs.
Features
🛡️ Security Scanning — Semgrep-powered SAST for SQLi, XSS, hardcoded secrets, insecure crypto, path traversal, SSRF, and more
📦 Dependency Scanning — OSV-Scanner / npm audit / pip-audit for known vulnerable packages
🔍 Code Quality — ESLint-based code smell detection (respects your project's config)
📊 Unified Dashboard — Project score, severity breakdown, category filters, all in one sidebar
🔧 Fix Workflow — AI-generated fixes shown as reviewable diffs before any file is modified
📄 Report Export — HTML, PDF, JSON, and SARIF 2.1.0 formats
Prerequisites
Tool
Required For
Install
Semgrep
SAST / security scanning
pip install semgrep or brew install semgrep
OSV-Scanner
Dependency scanning
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
ESLint
Code quality (optional)
Uses your project's ESLint if present
The extension detects missing tools and guides you through installation.
Getting Started
Install the SecureRefactor extension
Click the 🛡️ shield icon in the Activity Bar
Click Scan in the dashboard
Review findings in the tree view below
Right-click a finding → Fix This Issue to review a diff
Accept or reject the proposed fix
Configuration
Setting
Default
Description
secureRefactor.scan.excludeGlobs
["node_modules", "dist", "build", ".git"]
Paths to exclude from scanning
secureRefactor.scan.engines
All enabled
Enable/disable individual scan engines
secureRefactor.score.weights
{critical: 8, high: 4, medium: 1.5, low: 0.5}
Severity penalty weights for score
secureRefactor.ai.enabled
false
Enable AI-assisted fix suggestions
secureRefactor.ai.provider
"none"
AI provider ("anthropic" or "none")
secureRefactor.ai.contextLines
15
Lines of context sent to AI for fixes
secureRefactor.report.defaultFormat
"html"
Default report export format
secureRefactor.fixAll.batchReviewThreshold
5
Threshold for batch-review mode
Privacy & Security
No silent writes. Every fix is shown as a diff that you must explicitly accept.
AI is opt-in. Code is never sent to any external API unless you enable it and provide an API key.
Minimal context. Only the specific finding's snippet (not your whole repo) is sent to the AI provider.
Secrets are never sent. The extension redacts detected secrets from AI requests.
API keys stored securely. Uses VS Code's SecretStorage — never in settings.json.
Development
# Install dependencies
npm install
# Build
npm run build
# Watch mode
npm run watch
# Run tests
npm test
# Package
npm run package
License
MIT