Harness SAST and SCA for Visual Studio Code

Find and fix security vulnerabilities as you write code. The extension runs security analysis in your editor and shows results in the Problems panel.

Supported languages: JavaScript, TypeScript, Python, C/C++, C#, Go, Java, PHP, Ruby.

Features: Next Gen SAST, dependency vulnerability scanning (SCA), and local secrets detection.

Requirements

• Harness SAST and SCA CLI — ensure sl is on your PATH
• JavaScript/TypeScript: Node.js on your PATH
• Python: Python on your PATH

Install

1. Open the Extensions view and search for Harness SAST and SCA.
2. Click Install.

Sign in

• If you already use the CLI and have a valid config, the extension will use it and you can start right away.
• Otherwise, click the Harness SAST and SCA icon in the left sidebar and choose Connect to Harness SAST and SCA. Sign in or create an account in the browser, then reload VS Code.

Settings

Preferences → Settings → Harness SAST and SCA.

Viewing results

Open the Problems panel or the Harness SAST and SCA tab in the sidebar for scan results and details.

Dependency scanning (SCA)

The extension scans dependency manifest files for known vulnerabilities when you open a workspace or edit a manifest (e.g. package.json, requirements.txt, pom.xml, go.mod, Cargo.toml, and other supported manifests). Results appear in the Problems panel with CVE ID, severity, and affected package. Critical/High show as red squiggles, Medium as yellow, Low as blue info icons.

Secrets detection

The extension runs local, pre-commit-style secrets detection to help prevent committing secrets. Results may differ from full application scans in the Harness SAST and SCA platform, which can be configured separately.