Tigergate for IDE
Inline security findings and AI-powered fixes for your code, powered by TigerGate's SAST + secrets + SCA + IaC rule sets. Connects to your TigerGate workspace via API key.
- 🔒 Automatic scans on every save, with diagnostics inline in your editor
- 🤖 AI fix suggestions on every finding — your admin picks the provider (Anthropic, OpenAI, Azure OpenAI, Google Gemini, or GitHub Copilot); the extension calls it directly from your machine
- 📚 Org-wide custom rules — the SAST/secrets/SCA/IaC rule sets your security team configures in the TigerGate dashboard sync to your IDE
- 🤝 Team-wide finding suppression — mute a false positive once, it stays muted for everyone
- 🔐 Local-first analysis — code never leaves your machine for normal scanning; only AI fix requests round-trip through TigerGate
- 🪪 API-key authentication — paste your IDE key once, your device is registered, no SSO popups
Quickstart
- Install Tigergate for IDE from the Marketplace.
- Open the TigerGate dashboard → Code Security → IDE Keys and create a key for this device.
- In VS Code press Ctrl/⌘+Shift+P and run TigerGate: Sign in. Paste the key (starts with tgide_).
- Open a project. Your org's rules sync automatically; diagnostics appear within a few seconds of saving a file.
- To get a suggested fix on any finding, click the 💡 lightbulb and pick TigerGate: Suggest fix.
Commands
All commands are available via the Command Palette (Ctrl/⌘+Shift+P):
| Command | What it does |
| --- | --- |
| TigerGate: Sign in | Paste your IDE API key and register this device |
| TigerGate: Sign out | Clear local credentials |
| TigerGate: Scan changed files in workspace | Scan files modified since the last commit |
| TigerGate: Scan all files in workspace | Full workspace scan |
| TigerGate: Update rules | Force a re-sync of your org's rule set |
| TigerGate: Restart Language Server | Recycle the local scan engine |
| TigerGate: Suggest fix (lightbulb) | AI-generated fix for a finding (requires admin to enable TigerGate AI for your org) |
Settings
Open Ctrl/⌘+, and search for TigerGate. All settings are under the tigergate.* namespace:
| Setting | Default | Purpose |
| --- | --- | --- |
| tigergate.backendUrl | https://api.tigergate.dev | TigerGate backend base URL. Override for private-cloud, on-prem, or local development (e.g. http://localhost:3000). |
| tigergate.scan.onlyGitDirty | true | Scan only files/lines changed since the last commit |
| tigergate.scan.jobs | 2 | Parallel scan jobs |
| tigergate.scan.timeout | 30 | Per-file timeout in seconds |
| tigergate.scan.maxMemory | 0 (unlimited) | Memory cap in MB |
A handful of advanced settings (tigergate.path, tigergate.useExperimentalLS, tigergate.scan.pro_intrafile, tigergate.scan.secrets) are reserved for dev/debugging — leave defaults unless TigerGate support asks.
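A check a team could run over a parsed settings.json to catch a non-HTTPS tigergate.backendUrl outside local development and any override of the reserved settings. This is an added example, not TigerGate's code: auditTigergateSettings and the sample values are hypothetical, and it assumes the IDE key is sent to whatever tigergate.backendUrl points at.

```javascript
// Added example: audit tigergate.* entries in a parsed VS Code settings object.
// Setting names come from this page; function name and sample are constructed.
const RESERVED = [
  "tigergate.path",
  "tigergate.useExperimentalLS",
  "tigergate.scan.pro_intrafile",
  "tigergate.scan.secrets",
];
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

function auditTigergateSettings(settings) {
  const findings = [];
  const raw = settings["tigergate.backendUrl"];
  if (raw !== undefined) {
    let url = null;
    try {
      url = new URL(raw);
    } catch {
      findings.push(`tigergate.backendUrl is not a valid URL: ${raw}`);
    }
    if (url) {
      // Plain HTTP is tolerated only for the local-development case (loopback).
      const localDev = url.protocol === "http:" && LOOPBACK.has(url.hostname);
      if (url.protocol !== "https:" && !localDev) {
        findings.push(`tigergate.backendUrl ${raw} is not HTTPS; backend traffic would be unencrypted`);
      }
      if (url.username || url.password) {
        findings.push("tigergate.backendUrl embeds credentials in the URL");
      }
    }
  }
  // Reserved dev/debug settings should stay at their defaults (absent).
  for (const key of RESERVED) {
    if (key in settings) findings.push(`${key} is overridden; reserved for dev/debugging`);
  }
  return findings;
}

// Constructed sample: a workspace settings object with two problems.
const sampleSettings = {
  "tigergate.backendUrl": "http://tigergate.internal.example:3000",
  "tigergate.scan.jobs": 4,
  "tigergate.scan.secrets": false,
};
console.log(auditTigergateSettings(sampleSettings));
```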
Language support
30+ languages including Apex, Bash, C, C++, C#, Clojure, Dart, Dockerfile, Elixir, Go, HTML, Java, JavaScript, JSX, JSON, Julia, Jsonnet, Kotlin, Lisp, Lua, OCaml, PHP, Python, R, Ruby, Rust, Scala, Scheme, Solidity, Swift, Terraform, TypeScript, TSX, YAML, XML.
Privacy
- Source code stays local. The scan engine runs on your machine; rule YAMLs are downloaded once on workspace open and cached locally.
- AI fixes (when you click Suggest fix) round-trip through TigerGate's backend, which calls the LLM provider on your behalf. Your org admin controls whether AI fix is enabled.
- Device tracking is per-install: an anonymous UUID + machine id + OS + IDE version, used for seat-based billing rollups. The plaintext hostname is never sent — only a truncated SHA-256 hash.
- No telemetry. The extension sends no usage events, counters, or analytics. There is no tigergate.metrics setting and no telemetry endpoint on the backend — TigerGate does not collect IDE-side data.
See TigerGate's privacy policy for the full data-handling story.
Support