Safeguard.sh IDE Extension
Where .sh Stands for Self-Healing

Safeguard.sh brings autonomous self-healing vulnerability remediation directly into your IDE. Powered by Griffin AI, our extension delivers real-time security scanning, intelligent remediation, and continuous compliance monitoring—enabling developers to ship secure code faster.
🚀 Why Safeguard.sh
True Self-Healing, Not Manual Alerts
Griffin AI autonomously finds, prioritizes, and fixes vulnerabilities across 100-level dependency depth—40+ levels deeper than any competitor. Unlike Snyk (alerts only), Veracode (manual remediation), or Checkmarx (legacy SAST), Safeguard delivers autonomous healing directly in your IDE.
80% Fewer False Positives
Advanced reachability analysis eliminates noise. Only see vulnerabilities that actually impact your code.
Enterprise-Grade Security
- FedRAMP HIGH, IL7, and SOC 2 Type II compliance-ready architecture
- Complete multi-tenant isolation with dedicated encryption
- Zero-trust security model with end-to-end encryption
✨ Key Features
🔍 Real-Time Vulnerability Detection
- Continuous Scanning: Automatic vulnerability detection on file save and project open
- Inline Warnings: Color-coded severity indicators (Critical, High, Medium, Low) with squiggly underlines
- 100-Level Dependency Depth: Uncover vulnerabilities buried deep in your dependency tree
- Multi-Language Support: npm, pip, Maven, Go Modules, Cargo, Bundler, and more
- One-Click Fixes: Apply AI-recommended patches with a single click from the lightbulb menu
- Remediation Strategies:
  - Safe: Minor updates only (minimal risk)
  - Balanced: Minor + patch updates (recommended)
  - Aggressive: Latest versions (maximum security)
- Impact Analysis: Understand the business impact before applying changes
- Code Context Awareness: Smart fixes that understand your codebase structure
💬 Interactive AI Assistant
- Natural Language Queries: Ask security questions in plain English
- Code Analysis: Select code and get instant vulnerability assessments
- Best Practices: Receive security recommendations tailored to your stack
- Conversation History: Track all security discussions and decisions
📊 Comprehensive Security Dashboard
- Vulnerability Tree View: Hierarchical view of all security issues
- SBOM Generation: Software Bill of Materials with CycloneDX/SPDX export
- Compliance Checking: Automated validation against OWASP, CWE, NIST, CMMC, EO 14028
- Dependency Graph: Visualize your dependency relationships and attack surface
- Smart Caching: 1-hour cache TTL reduces redundant scans
- Batch Processing: Scans 10 packages in parallel for faster results
- Debounced Scanning: 2-second delay prevents scan floods during active development
- Background Operations: Non-blocking scans keep your IDE responsive
📦 Supported Package Managers
| Ecosystem | Package Manager | Manifest File |
|---|---|---|
| JavaScript/Node.js | npm, Yarn, pnpm | package.json, package-lock.json, yarn.lock |
| Python | pip, Poetry, Pipenv | requirements.txt, pyproject.toml, Pipfile |
| Java/JVM | Maven, Gradle | pom.xml, build.gradle, build.gradle.kts |
| Go | Go Modules | go.mod, go.sum |
| Rust | Cargo | Cargo.toml, Cargo.lock |
| Ruby | Bundler | Gemfile, Gemfile.lock |
🎯 Installation
From VS Code Marketplace
- Open VS Code
- Press Ctrl+Shift+X (Windows/Linux) or Cmd+Shift+X (Mac) to open Extensions
- Search for "Safeguard.sh"
- Click Install
From OpenVSX (for Cursor IDE)
- Open Cursor
- Navigate to Extensions
- Search for "Safeguard.sh"
- Click Install
From Command Line
# VS Code
code --install-extension Safeguard-sh-Inc.SafeguardshIdeExtension
# Cursor (using OpenVSX)
cursor --install-extension Safeguard-sh-Inc.SafeguardshIdeExtension
⚙️ Configuration
✅ Zero Configuration Required!
Your Tenant ID is automatically fetched when you log in via browser authentication. Just install and log in—that's it!
First-Time Setup
Quick Start (Production):
- ✅ Press Ctrl+Shift+P → Type "Safeguard: Login"
- ✅ Browser opens → Log in with your Safeguard account
- ✅ Approve the device → Return to VS Code
- ✅ Done! Tenant ID automatically populated
Custom Deployment Setup:
Only configure settings if you're using a private deployment with custom URLs.
- Press Ctrl+, (Windows/Linux) or Cmd+, (Mac) to open Settings
- Search for "Safeguard"
- Update service URLs:
  - Auth Service: Your custom auth URL
  - Data Service: Your custom data URL
  - GPT Service: Your custom GPT URL
- Settings save automatically
- Now log in with Ctrl+Shift+P → "Safeguard: Login"
Default URLs (Production):
{
  "safeguard.authServiceUrl": "https://api.safeguard.sh/auth",
  "safeguard.dataServiceUrl": "https://api.safeguard.sh/data",
  "safeguard.goldApiUrl": "https://api.safeguard.sh/gpt"
}
Advanced Settings
| Setting | Default | Description |
|---|---|---|
| safeguard.autoScan | true | Automatically scan projects on open |
| safeguard.scanOnSave | true | Scan manifest files on save |
| safeguard.remediationStrategy | balanced | Default fix strategy: safe, balanced, or aggressive |
| safeguard.severityThreshold | low | Minimum severity to display: low, medium, high, critical |
| safeguard.includeDevDependencies | true | Scan development dependencies |
| safeguard.cacheDuration | 3600000 | Cache duration in ms (1 hour) |
| safeguard.batchSize | 10 | Packages to scan in parallel |
| safeguard.showInlineWarnings | true | Display inline vulnerability decorations |
| safeguard.enableAIAssistant | true | Enable AI-powered features |
🔐 Authentication
Safeguard uses OAuth 2.0 Device Flow with browser-based activation for secure, seamless authentication.
Login Process
- Open Command Palette: Press Ctrl+Shift+P (Windows/Linux) or Cmd+Shift+P (Mac)
- Type: Safeguard: Login
- Press Enter: Extension initiates authentication
- Browser Opens Automatically: You'll be redirected to https://app.safeguard.sh/activate
- Log In: Sign in with your Safeguard account (if not already logged in)
- Approve Device: Review the verification code and click "Authorize VS Code"
- Done! Return to VS Code—you're authenticated
What You'll See
In VS Code:
- Notification: "🔐 Opening browser for authentication. Verification code: ABCD-EFGH"
- Option to copy verification code to clipboard
In Browser (app.safeguard.sh):
- Verification code display
- Your account email
- "Authorize VS Code" button
- Security information about what access is being granted
Authentication Flow Details
VS Code Extension → Auth Service: Request device code
VS Code → Browser: Open app.safeguard.sh/activate
User → Browser: Log in to Safeguard account
User → Browser: Approve device with verification code
Auth Service → Extension: Send access token
Extension → Secure Storage: Save encrypted tokens
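The polling side of the device flow listed above, written as a small state machine and run against scripted token-endpoint responses. This is an added example, not Safeguard.sh's code: field and error names follow RFC 8628, and the grant values, token and function names are constructed for illustration.

```javascript
// Added example, not Safeguard.sh code. Field names follow RFC 8628.
const DEFAULT_INTERVAL_S = 5; // RFC 8628 default when "interval" is omitted
const SLOW_DOWN_STEP_S = 5;   // RFC 8628: add 5 s after every slow_down

// Build client state from the device authorization response.
function startFlow(grant, nowMs) {
  return {
    deviceCode: grant.device_code, // RFC 8628: presented only to the token endpoint
    userCode: grant.user_code,     // the code the user compares in the browser
    intervalS: grant.interval ?? DEFAULT_INTERVAL_S,
    deadlineMs: nowMs + grant.expires_in * 1000,
  };
}

// Decide what to do after one token-endpoint response.
function step(state, response, nowMs) {
  if (response.access_token) return { action: "done", token: response.access_token };
  if (nowMs >= state.deadlineMs) return { action: "fail", reason: "expired_token" };
  switch (response.error) {
    case "authorization_pending": // user has not approved yet: keep polling
      return { action: "wait", state };
    case "slow_down":             // server asks for a longer interval
      return { action: "wait", state: { ...state, intervalS: state.intervalS + SLOW_DOWN_STEP_S } };
    default:                      // access_denied, expired_token, anything unknown
      return { action: "fail", reason: response.error || "invalid_response" };
  }
}

// Drive the state machine over scripted responses using a virtual clock.
function simulate(grant, scriptedResponses) {
  let nowMs = 0;
  let state = startFlow(grant, nowMs);
  for (const response of scriptedResponses) {
    nowMs += state.intervalS * 1000; // always wait one interval before polling
    const result = step(state, response, nowMs);
    if (result.action !== "wait") return { ...result, elapsedS: nowMs / 1000 };
    state = result.state;
  }
  return { action: "fail", reason: "script_exhausted", elapsedS: nowMs / 1000 };
}

// Constructed sample grant: 10-minute lifetime, as stated in Troubleshooting.
const SAMPLE_GRANT = { device_code: "constructed-device-code", user_code: "ABCD-EFGH", interval: 5, expires_in: 600 };
const PENDING = { error: "authorization_pending" };

console.log(simulate(SAMPLE_GRANT, [PENDING, { error: "slow_down" }, PENDING, { access_token: "constructed-token" }]));
```

A real client would replace `simulate` with a timer and an HTTPS request to the token endpoint, feeding each response to `step`.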
Sharing Authentication Links
The activation URL can be shared! If you need someone else to authenticate on your behalf:
- Copy the activation URL from the browser
- Share it securely with the authorized person
- They log in with their Safeguard account
- Your IDE receives authentication
Example URL:
https://app.safeguard.sh/activate?device_code=abc123&user_code=WXYZ&ide_type=vscode
Token Management
- Automatic Storage: Tokens are securely encrypted and stored in VS Code's secure storage
- Persistent Sessions: Stay logged in between VS Code sessions
- Auto-Refresh: Tokens automatically refresh when expired
- Manual Logout: Run Safeguard: Logout to clear credentials
Troubleshooting Authentication
Browser doesn't open?
- Manually copy the activation URL from the notification
- Open it in your browser
- Complete the approval process
Authentication timeout?
- Device codes expire after 10 minutes
- Simply retry the login process
- Ensure you approve within the time window
Already logged in elsewhere?
- You can be logged in on multiple devices
- Each IDE instance has its own authentication
- No need to log out from other devices
🎮 Usage
Keyboard Shortcuts
| Command | Windows/Linux | Mac | Description |
|---|---|---|---|
| Open AI Assistant | Ctrl+Shift+S | Cmd+Shift+S | Launch interactive AI security assistant |
| Scan Project | Ctrl+Shift+V | Cmd+Shift+V | Manually trigger full project scan |
| Ask AI Question | Ctrl+Shift+A | Cmd+Shift+A | Quick security query with current context |
| Analyze Code | Ctrl+Shift+C | Cmd+Shift+C | Analyze selected code for vulnerabilities |
Quick Fixes
- Hover over any highlighted vulnerability to see details
- Click the lightbulb icon (💡) or press Ctrl+. (Windows/Linux) / Cmd+. (Mac)
- Select from AI-recommended remediation options:
  - Update to safe version (recommended)
  - Update to latest version
  - View vulnerability details
  - Ignore this vulnerability
  - Fix all vulnerabilities in file
AI Assistant Workflow
- Press Ctrl+Shift+S / Cmd+Shift+S to open the AI Assistant
- Ask Questions:
  - "Why is this package vulnerable?"
  - "What's the safest way to fix CVE-2024-12345?"
  - "Should I upgrade React to v19?"
- Get Contextual Help:
  - Select code → Right-click → Safeguard: Analyze Selected Code
  - Receive instant security analysis and recommendations
- Insert Code:
  - Click Insert at Cursor to apply suggested code directly
SBOM & Compliance
- Open Command Palette: Ctrl+Shift+P / Cmd+Shift+P
- Type "Safeguard: Generate SBOM"
- Choose format: CycloneDX or SPDX
- Export report for compliance audits
Security Reports
- Navigate to View > Safeguard
- Click on any panel:
  - Vulnerabilities: All detected security issues
  - SBOM: Software Bill of Materials
  - Compliance: Standards validation (OWASP, CWE, NIST)
  - Recommendations: AI-powered security suggestions
- Export comprehensive reports: Right-click > Export Report
🏢 Enterprise Features
Griffin AI Integration
- Autonomous Remediation: Self-healing fixes applied without human intervention
- Reachability Analysis: Eliminates 80% of false positives
- EPSS Prediction: Identifies threats before weaponization
- Business Impact Scoring: Prioritize fixes by actual risk to your organization
Compliance & Governance
- FedRAMP HIGH Ready: Designed for federal agency requirements
- IL7 Compliance: Impact Level 7 security controls
- SOC 2 Type II: Continuous compliance monitoring
- NIST SSDF, CMMC, EO 14028: Built-in framework validation
Enterprise Deployment
- Multi-Tenant Isolation: Dedicated encryption keys per tenant
- Air-Gapped Support: Offline operation for classified networks
- SSO Integration: OAuth 2.0, SAML, LDAP support
- Audit Logging: Complete activity trails for compliance
🌐 Cloud-Agnostic Architecture
Deploy Safeguard across 15 cloud providers:
- Major Clouds: AWS, Azure, GCP, Oracle Cloud, IBM Cloud, Alibaba Cloud
- Regional Clouds: DigitalOcean, Linode, Vultr, OVHcloud, Scaleway, Hetzner
- Private/Hybrid: On-premises, air-gapped, multi-cloud deployments
Unlike competitors locked into 1-3 clouds, Safeguard adapts to YOUR infrastructure.
| Metric | Safeguard.sh | Industry Average |
|---|---|---|
| Time to Remediation | 90% faster | Baseline |
| False Positive Reduction | 80% | 30-40% |
| Dependency Depth | 100 levels | 60 levels (Snyk, Veracode) |
| Scan Speed | Sub-second (cached) | 5-30 seconds |
| Remediation Success Rate | 95%+ | 60-70% |
🆚 Comparison with Competitors
| Feature | Safeguard.sh | Snyk | Veracode | Checkmarx | Chainguard |
|---|---|---|---|---|---|
| Autonomous Healing | ✅ Yes | ❌ Alerts only | ❌ Manual | ❌ Manual | ❌ Base images only |
| Dependency Depth | 100 levels | 60 levels | 60 levels | Limited | N/A |
| Reachability Analysis | ✅ Yes | Partial | ❌ No | ❌ No | ❌ No |
| Cloud Providers | 15+ | 3 | 2-3 | 2 | 1-2 |
| FedRAMP HIGH Ready | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No |
| AI Assistant | ✅ Griffin AI | ❌ No | ❌ No | ❌ No | ❌ No |
| IDE Integration | ✅ Full | Partial | Limited | Limited | ❌ No |
🔗 Resources
🏗️ Architecture
Safeguard.sh uses a microservices architecture with:
- Auth Service: OAuth 2.0 Device Flow for secure authentication
- Data Service: Vulnerability database with real-time updates from NVD, GitHub Advisory, OSV
- AI Service (Griffin): Self-healing remediation engine powered by advanced ML models
- MCP Server: Model Context Protocol for AI assistant integration
All services communicate over encrypted channels with mutual TLS authentication.
🛡️ Security & Privacy
- Zero Data Collection: Your code never leaves your machine (except for authentication)
- End-to-End Encryption: All API communication uses TLS 1.3
- No Telemetry by Default: Opt-in anonymous usage statistics only
- SOC 2 Type II Certified: Audited security controls
- Penetration Tested: Regular third-party security assessments
📊 What We Scan
Vulnerabilities
- CVEs: Common Vulnerabilities and Exposures from NVD
- GitHub Advisories: Security advisories from GitHub Security Lab
- OSV: Open Source Vulnerabilities database
- Private Advisories: Internal vulnerability intelligence
Security Issues
- Dependency Confusion: Detect typosquatting and package confusion attacks
- License Compliance: GPL, LGPL, MIT, Apache compatibility checks
- Malware Detection: Known malicious packages from security feeds
- Supply Chain Attacks: Compromised packages and backdoors
- Deprecated Packages: Unmaintained dependencies with security risks
🎓 For Developers
Why Choose Safeguard?
- Focus on Code, Not Security: Autonomous healing eliminates manual triage
- Ship Faster: 90% faster remediation = faster feature delivery
- Learn as You Build: AI assistant teaches secure coding patterns
- No Context Switching: Everything in your IDE—no separate dashboard
- Career Growth: Work with enterprise-grade security tools
🏢 For Teams & Enterprises
Organizational Benefits
- Reduce Security Debt: Automated fixes prevent vulnerability accumulation
- Lower TCO: One platform replaces multiple security tools
- Improve Compliance: Continuous monitoring simplifies audits
- Scale Security: Self-healing works at any team size
- Developer Satisfaction: Less security friction = happier engineers
Deployment Options
- SaaS: Fully managed cloud service
- Private Cloud: Dedicated tenant in your cloud account
- On-Premises: Air-gapped deployment for sensitive environments
- Hybrid: Combine cloud and on-premises components
📝 License
Copyright © 2024-2026 Safeguard.sh Inc. All rights reserved.
This software is proprietary. See LICENSE for details.
🙏 Acknowledgments
Built with: