Veriva — Code Governance for VS Code
Real-time AI code pattern detection, security scanning, and trust scoring,
powered by the @veriva/engine Layer 1 rule set.
What it does
- Analyze on save — every TypeScript / JavaScript / Python file you save
is scanned with Veriva's L1 static rules (AI-pattern detection, basic
security checks, slopsquatting/dependency hygiene).
- Problems panel integration — findings appear as inline squiggles and
in the Problems panel with [rule-id] Title: Description labels.
- Status bar trust score — shows an aggregate A–F grade for all open
files, colored by tier (green ≥80, yellow ≥60, red below).
- Workspace scan — one-shot analysis of up to 50 files via the command
palette (Veriva: Analyze Workspace), excluding generated/build/test
artifacts by default.
- Browser sign-in — authenticate through Veriva's device authorization
flow and store the resulting token through VS Code's authentication provider.
Current CLI parity
The extension does not yet expose the full @veriva/cli feature set. In
particular, Veriva: Analyze Workspace is an editor-local file scan, not the
same operation as veriva scan.
Use the CLI for:
- current git diff analysis
- .patch / .diff file analysis
- remote PR analysis
- JSON or SARIF output
- CI-oriented --fail-on behavior
- repository health checks
Layer scope
This extension runs Layer 1 only — local, deterministic, no network
calls, no cost. Deeper analysis tiers live on the server:
| Layer | What it does | Where it runs |
| --- | --- | --- |
| L1 | Static rules, AI-pattern detection | This extension (local) |
| L2 | Claude Haiku triage / cross-file reasoning | Veriva API (Pro+) |
| L2.5 | Baseline diffing, cross-PR dedup | Veriva API (Ultra+) |
| L3 | Claude Sonnet deep review + fix generation | Veriva API (Pro+) |
L2–L3 results show up on the Veriva dashboard and on GitHub PRs via the
GitHub App — not inside VS Code yet. Login here is used for the VS Code auth
session and plan lookup.
Commands
| Command | Description |
| --- | --- |
| Veriva: Analyze Current File | Re-run L1 on the active editor |
| Veriva: Analyze Workspace | Scan up to 50 supported files |
| Veriva: Sign in | Sign in with Veriva's browser-based device flow |
| Veriva: Sign out | Clear the VS Code authentication session |
Settings
| Key | Default | Description |
| --- | --- | --- |
| veriva.enable | true | Run analysis on save and active-editor change |
| veriva.severity.minimum | LOW | Hide findings below this severity (INFO/LOW/MEDIUM/HIGH/CRITICAL) |
| veriva.apiUrl | https://api.veriva.dev | API base URL for login / plan lookup (self-hosted override) |
| veriva.workspace.includeTests | false | Include test and fixture files in workspace analysis |
Install (dev)
From the monorepo root:
pnpm --filter veriva build
cd extensions/vscode
pnpm package # produces veriva-<version>.vsix
code --install-extension veriva-0.1.0.vsix
Privacy
File contents are never sent to the Veriva API by this extension. The API
token is stored behind VS Code's authentication provider API. Plan info is
fetched on activation only.