# TrustLayer VS Code Extension
Scan AI-generated code for security vulnerabilities, logic flaws, and intent misalignment directly in VS Code.
## Features

- `Ctrl+Shift+T` scan for selected code
- Full-file scan command
- Multi-Git Support: Integrated with GitHub, GitLab, Bitbucket, and Azure DevOps
- Documentation Engine: Generate JSDoc/Docstrings for whole repositories with one click
- Trust Score status bar item (`TL: 84`) with green, amber, and red states
- VS Code SecretStorage for API keys
- WebView scan result panel with summary, secrets, security issues, logic issues, biggest risk, and copyable fixes
- Red underline decorations for critical and high findings
- Pull request review from local git diffs
- `.trustlayer.yml` and `.trustlayer.yaml` loading from the workspace
- PR summary panel with inline comments, gate context, committable suggestions, and chat
- Bulk apply for PR suggestions that include a concrete replacement
## Setup

- Run `TrustLayer: Set API Key`.
- Open or select generated code.
- Run `TrustLayer: Scan Selected Code` or `TrustLayer: Scan Entire File`.
- Review the Trust Score, findings, and fix suggestions.
## Configuration

```json
{
  "trustlayer.apiBaseUrl": "http://localhost:4000",
  "trustlayer.prProvider": "github",
  "trustlayer.repoFullName": "owner/repo",
  "trustlayer.prNumber": 0,
  "trustlayer.prBaseRef": "origin/main"
}
```
| Setting | Default | Description |
| --- | --- | --- |
| `trustlayer.apiBaseUrl` | `http://localhost:4000` | TrustLayer API endpoint. |
| `trustlayer.prProvider` | `github` | `github`, `gitlab`, `bitbucket`, or `azuredevops`. |
| `trustlayer.repoFullName` | empty | Repository name. If empty, inferred from git origin. |
| `trustlayer.prNumber` | `0` | PR number. If 0, inferred from the branch name. |
| `trustlayer.prBaseRef` | `origin/main` | Base ref used to collect changed files. |
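Because the extension posts source code to whatever `trustlayer.apiBaseUrl` points at, and passes `trustlayer.prBaseRef` to git, it is worth validating these settings before anything is sent. The following is an added example written for this README, not the extension's own code: it checks the five settings above against rules chosen here (plaintext `http` only to a loopback host, provider from the documented list, `owner/repo` shape, a non-negative integer PR number, and a base ref that cannot be mistaken for a git option). The rules are this example's assumptions, not a documented TrustLayer policy.

```javascript
// Added example (not TrustLayer's own code): sanity-check the extension's
// settings before source code leaves the editor. Setting names and defaults
// are from the README; the validation rules are assumptions made here.
const ALLOWED_PROVIDERS = ["github", "gitlab", "bitbucket", "azuredevops"];
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);

// Mirrors the README's example settings block.
const DEFAULT_CONFIG = {
  "trustlayer.apiBaseUrl": "http://localhost:4000",
  "trustlayer.prProvider": "github",
  "trustlayer.repoFullName": "owner/repo",
  "trustlayer.prNumber": 0,
  "trustlayer.prBaseRef": "origin/main",
};

function validateConfig(cfg) {
  const errors = [];

  // apiBaseUrl: code is posted here, so refuse plaintext HTTP to anything
  // other than a loopback host (the default http://localhost:4000 passes).
  let url = null;
  try {
    url = new URL(cfg["trustlayer.apiBaseUrl"]);
  } catch {
    errors.push("apiBaseUrl is not a valid URL");
  }
  if (url) {
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      errors.push(`apiBaseUrl has unsupported scheme ${url.protocol}`);
    } else if (url.protocol === "http:" && !LOOPBACK_HOSTS.has(url.hostname)) {
      errors.push("apiBaseUrl uses plaintext http to a non-loopback host");
    }
  }

  // prProvider: only the four providers the README lists.
  if (!ALLOWED_PROVIDERS.includes(cfg["trustlayer.prProvider"])) {
    errors.push("prProvider must be github, gitlab, bitbucket, or azuredevops");
  }

  // repoFullName: empty is allowed (inferred from git origin); otherwise owner/repo.
  const repo = cfg["trustlayer.repoFullName"] ?? "";
  if (repo !== "" && !/^[\w.-]+\/[\w.-]+$/.test(repo)) {
    errors.push("repoFullName must look like owner/repo");
  }

  // prNumber: 0 means "infer from branch", anything else must be a positive integer.
  const pr = cfg["trustlayer.prNumber"];
  if (!Number.isInteger(pr) || pr < 0) {
    errors.push("prNumber must be a non-negative integer");
  }

  // prBaseRef: handed to git, so it must be a plain ref, never something
  // starting with "-" that git could parse as an option, and no whitespace.
  const ref = cfg["trustlayer.prBaseRef"];
  if (typeof ref !== "string" || ref === "") {
    errors.push("prBaseRef must be a non-empty string");
  } else if (ref.startsWith("-") || /\s/.test(ref)) {
    errors.push("prBaseRef must be a plain git ref (no leading '-' or whitespace)");
  }

  return { ok: errors.length === 0, errors };
}

// Usage: the README defaults validate cleanly.
console.log(validateConfig(DEFAULT_CONFIG));
```

Run the check when settings change and before `Scan Current PR` collects files; a failed check should stop the request rather than warn and continue.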
## Commands

| Command | Description |
| --- | --- |
| `TrustLayer: Scan Selected Code` | Scan selected code with optional prompt and AI source. |
| `TrustLayer: Scan Entire File` | Scan the active file. |
| `TrustLayer: Set API Key` | Store or update the API key in SecretStorage. |
| `TrustLayer: Open Dashboard` | Open the dashboard, or reopen the last result from the status bar. |
| `TrustLayer: Scan Current PR` | Collect changed files and run a PR review. |
| `TrustLayer: Scan PR Files` | Alias for current PR scan. |
| `TrustLayer: View PR Summary` | Reopen the latest PR review panel. |
| `TrustLayer: Ask About Last PR Review` | Ask a question against the latest PR review. |
| `TrustLayer: Apply All PR Suggestions` | Apply PR suggestions with concrete replacements. |
## PR Review Flow

The extension gathers changed files using git, sends file content and patches to `/api/pr/review`, applies local `.trustlayer.yml` policy, and renders:

- average Trust Score
- status and risk level
- issue counts and duplicate suppression count
- key findings and merge blockers
- inline comments
- committable suggestions
- PR chat answers from `/api/pr/chat`
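The local half of this flow is a small amount of diff handling: turn `git diff <base>...HEAD` output into per-file patches, work out which new-side line numbers were added (an inline comment can only be placed on a line that exists in the diff), and fall back to the branch name for the PR number when `trustlayer.prNumber` is `0`. The following is an added example written for this README, not TrustLayer's own implementation. The unified-diff parsing is standard; the branch-name convention (`pr-<n>` or `pull/<n>` somewhere in the name) and the shape of the request body for `/api/pr/review` are assumptions made here, and the diff text is a constructed sample.

```javascript
// Added example (not TrustLayer's own code): the local side of a PR review.
// parseUnifiedDiff follows the standard unified-diff format; the branch-name
// convention in inferPrNumber and the request body built by
// buildReviewRequest are assumptions for illustration only.

// Constructed sample: what `git diff origin/main...HEAD` might print for one file.
const SAMPLE_DIFF = `diff --git a/src/auth.js b/src/auth.js
index 1111111..2222222 100644
--- a/src/auth.js
+++ b/src/auth.js
@@ -10,3 +10,5 @@ function login(user, pass) {
   const q = "SELECT * FROM users WHERE name = ?";
-  return db.query(q, [user]);
+  const rows = db.query(q, [user]);
+  if (!rows.length) return null;
+  return rows[0];
 }
`;

// Parse unified diff text into one record per file: the raw patch, the hunk
// headers, and the new-side line numbers of every added line.
function parseUnifiedDiff(text) {
  const lines = text.split("\n");
  if (lines[lines.length - 1] === "") lines.pop(); // drop trailing empty split
  const files = [];
  let current = null;
  let inHunk = false;
  let newLine = 0;

  for (const line of lines) {
    const fileHeader = /^diff --git a\/(.+?) b\/(.+)$/.exec(line);
    if (fileHeader) {
      current = { path: fileHeader[2], hunks: [], addedLines: [], patch: line + "\n" };
      files.push(current);
      inHunk = false;
      continue;
    }
    if (!current) continue; // ignore anything before the first file header
    current.patch += line + "\n";

    const hunk = /^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/.exec(line);
    if (hunk) {
      newLine = Number(hunk[3]);
      current.hunks.push({
        oldStart: Number(hunk[1]), oldLines: Number(hunk[2] ?? 1),
        newStart: newLine, newLines: Number(hunk[4] ?? 1),
      });
      inHunk = true;
      continue;
    }
    if (!inHunk) continue; // "index", "---", "+++" and mode lines

    if (line.startsWith("\\")) continue; // "\ No newline at end of file"
    if (line.startsWith("+")) {
      current.addedLines.push(newLine); // exists only on the new side
      newLine++;
    } else if (line.startsWith("-")) {
      // removed line: old side only, new-side counter does not move
    } else {
      newLine++; // context line (leading space, or blank if trimmed)
    }
  }
  return files;
}

// Assumed convention: a branch like "feature/pr-42-fix-login" or
// "pull/42" carries the PR number. Returns null when nothing matches.
function inferPrNumber(branchName) {
  const m = /(?:^|[\/-])(?:pr|pull)[-\/](\d+)(?!\d)/i.exec(branchName);
  return m ? Number(m[1]) : null;
}

// Assumed request shape for /api/pr/review: metadata plus, per file, the
// patch, the added line numbers and (optionally) the full file content.
function buildReviewRequest({ files, branch, configuredPrNumber, repoFullName, provider, contents = {} }) {
  const prNumber = configuredPrNumber > 0 ? configuredPrNumber : inferPrNumber(branch);
  return {
    provider,
    repo: repoFullName,
    prNumber,
    files: files.map((f) => ({
      path: f.path,
      patch: f.patch,
      addedLines: f.addedLines,
      content: contents[f.path] ?? null,
    })),
  };
}

// Usage on the constructed sample.
const parsedSample = parseUnifiedDiff(SAMPLE_DIFF);
console.log(JSON.stringify(buildReviewRequest({
  files: parsedSample, branch: "feature/pr-42-fix-login",
  configuredPrNumber: 0, repoFullName: "owner/repo", provider: "github",
}), null, 2));
```

Keeping `addedLines` alongside the patch lets the client drop any returned inline comment that points outside the diff before rendering it, instead of trusting the service's line numbers.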
## Development

```sh
npm run build
npm test
npm run typecheck
npm run lint
npx @vscode/vsce package --no-dependencies
```
## Privacy
API keys are stored in VS Code SecretStorage. Code is sent only to the configured TrustLayer API endpoint.
## License

See `LICENSE.txt`.