Skip to content
| Marketplace
Sign in
Visual Studio Code>Linters>Shomra — AI SecurityNew to Visual Studio Code? Get it now.
Shomra — AI Security

Shomra — AI Security

Shomra

|
2 installs
| (0) | Free
Gate and fix AI artifacts (MCP servers, Skills, rules, hooks) and flag known-vulnerable AI models right in your editor. Works in VS Code and Cursor.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

Shomra — AI Security (VS Code & Cursor)

Gate and fix AI artifacts — MCP servers, Skills, slash commands, hooks, and rules files (CLAUDE.md, .cursorrules, …) — without leaving your editor. The extension is a thin front-end over the shomra CLI (Dragox.Backend/agent): one engine, two faces.

What it does

  • Inline diagnostics. On save (and on open) the artifact you're editing is gated; findings show up as squiggles on the exact offending line with the rule and the fix. Runs local-first, so you get a verdict with no backend; enroll (shomra init) to layer your org policy on top.
  • One-click fix. A Shomra: Fix this file (AI) quick-fix (lightbulb) on any flagged artifact generates a minimal fix and applies it in place — clean undo, nothing committed or pushed.
  • Explain a finding. Shomra: Explain findings (AI) distils each finding into why-it-matters + a one-line exploit + an honest false-positive read (Output → Shomra) — for when you think the gate is wrong.
  • Known-vulnerable model detection. As you save Python, notebooks, or JS/TS, the extension scans for AI models you load (from_pretrained("gpt2"), hf_hub_download, SentenceTransformer, …) and looks each up in the Shomra Model Index. Models with known vulnerabilities get a squiggle on the load line — with the verdict, risk and CWEs — and a View model in the Model Index quick-fix that opens its security page. Both the bare (gpt2) and canonical (openai-community/gpt2) ids resolve. Toggle with shomra.checkModels.
  • Status bar. Shows ⛨ Shomra / N blocked for the workspace; click to re-scan everything.
  • Commands (Ctrl/Cmd-Shift-P → "Shomra"): Check Workspace, Check This File, Check AI Models in This File, Fix This File, Install Runtime Firewall.

Requirements

None — the extension bundles the shomra CLI and runs it with VS Code's own Node runtime. Install it and it works; there's nothing to set up.

If you do have a global shomra on your PATH (e.g. npm i -g @shomra/agent, enrolled with your org key), the extension prefers it automatically so enrolled and org-policy features light up. To pin a specific build instead, point Settings → shomra.executable at a script:

node C:/Users/you/…/Dragox/Dragox.Backend/agent/shomra.mjs

(A value ending in .mjs/.js is run with Node automatically.) Fix This File additionally needs enrollment (shomra init --key shm_live_…), because the AI fix is generated on the platform with your org key — no provider key ever sits on the dev machine.

Install

From a .vsix (works in both VS Code and Cursor)

cd Dragox.Extension
npm install
npm run compile
npx @vscode/vsce package        # → shomra-0.1.0.vsix
  • VS Code: Extensions view → ⋯ → Install from VSIX…, or code --install-extension shomra-0.1.0.vsix.
  • Cursor: Extensions view → ⋯ → Install from VSIX…, or cursor --install-extension shomra-0.1.0.vsix.

Develop it

Open this folder in VS Code and press F5 to launch an Extension Development Host with the extension loaded.

Settings

Setting Default Purpose
shomra.executable shomra CLI command or absolute path (.mjs/.js → run with Node).
shomra.checkOnSave true Gate an artifact when you save it.
shomra.checkOnOpen true Gate an artifact when you open it.
shomra.checkWorkspaceOnStartup false Sweep the whole workspace once on window open.

How it maps to the CLI

In the editor Under the hood
Save an artifact shomra gate <file> --json → diagnostics (on finding.line)
Check Workspace / status bar shomra check <folder> --json
Fix this file (lightbulb) shomra fix <file> --json → applied as an edit
Explain findings (lightbulb) shomra why <file> --json → Output → Shomra
Install Runtime Firewall shomra install-hook (in a terminal)

Because the CLI does the analysis, the extension stays tiny and always agrees with what your CI and pre-commit gate see.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft