Qwiet preZero for Visual Studio Code (Beta)

preZero for VS Code is a free extension that lets you shift even further left by allowing you to identify and fix security vulnerabilities as you write code. Fix vulnerabilities before they ever exist as a backlog ticket.

This extension currently supports applications written in JavaScript, TypeScript, Python, C/C++, C#, Go, Java, PHP, or Ruby. It runs preZero's Next Gen SAST and local pre-commit secrets detection.

Note: This extension fully supports CLI scanning, which initiates our preZero platform: Next Gen SAST, Intelligent SCA, and secrets detection.

Dependencies

You must have the following dependencies installed before using Qwiet preZero for VS Code:

The Qwiet CLI Ensure that you've added the path to sl to your PATH
Node.js (for JavaScript/TypeScript projects) Ensure that you've added the path to node to your PATH
Python Ensure that you've added the path to python to your PATH

Getting started

To add the extension:

Install directly from the VS Code marketplace.

Marketplace

Open up the Extensions tab and search for Qwiet. Click Install.

Extensions tab

Authorize your extension with Qwiet AI

If you already have a local config file for use with Qwiet (i.e., you've used the Qwiet CLI before), your extension will be authorized automatically, allowing you to start using the extension immediately.
If you do not have a local config file, or it is invalid, you will see Connect to Qwiet after you click on the Qwiet icon in the left navigation bar:

ShiftLeft CORE extension icon

Because the extension calls Qwiet's API, you'll be asked to authenticate via Qwiet's web app. Log in or create an account to proceed.
Once you've successfully logged in and authenticated, you'll see a confirmation message.
Reload VS Code.

Configuration

You can configure your extension by going to Preferences > Settings > Qwiet.

Viewing scan results

To see the results of your scan, open VS Code's Problems panel or the Qwiet extension tab for details.

Qwiet preZero secrets vs. local pre-commit secrets detection

The preZero platform and the VS Code extension operate differently, so you may see differing results between the two tools. This is because preZero's secrets feature, customizable in your Qwiet config file, scans your entire application. However, the VS Code extension can only be used locally and operates as a pre-commit secrets detection tool. The goal is for you to do local scans and prevent you from committing new secrets, keeping them from reaching your repositories.