VulnMatter VS Code Extension
Visual Studio Code extension integrating CVE vulnerability analysis and automatic configuration of MCP (Model Context Protocol) servers for VulnMatter and Filesystem.
NOTE: CVE analysis, report generation and products UI sections are currently hidden (temporarily disabled) while focusing on configuration features. They can be re-enabled later without code loss.
🚀 Key Features
- Management and persistence of the VulnMatter X-API-Key
- Batch CVE scoring (temporarily hidden)
- Aggregated report generation (temporarily hidden)
- Local history (products) (temporarily hidden)
- Automatic configuration of:
  - VulnMatter MCP server (supergateway over SSE)
  - Filesystem MCP server (@modelcontextprotocol/server-filesystem)
- Synchronization for both VS Code MCP and Claude Desktop
- Diagnostic button (🔧) to view current configuration status
1. Development Installation
npm install
npm run compile
Then press F5 in VS Code to open the "Extension Development Host" window.
2. Requirements
| Resource | Minimum Version | Notes |
| --- | --- | --- |
| Node.js | 18.x | Recommend 18 LTS or later |
| VS Code | 1.85+ | Needed for modern webview |
| (Optional) Claude Desktop | Latest | For external MCP integration |
3. VulnMatter API Configuration
- Open the extension side view.
- Go to the "API Configuration" section.
- Enter your X-API-Key and optionally a different API URL if you use a custom environment.
- Click "Save Configuration".
3.1 How to Obtain a VulnMatter API Key
If you do not yet have an API Key (official site: https://vulnmatter.com/):
- Navigate to the VulnMatter portal (internal/company URL or https://app.vulnmatter.com as applicable).
- Sign in (create an account if needed) with your corporate SSO or email/password (depending on deployment).
- Open your user/profile menu and locate the section named "API Keys" or "Developer / API Access".
- Click "Create New Key" (or "Generate Token").
- Provide an optional label (e.g. "VS Code Extension").
- Copy the generated key immediately – many portals only show it once.
- Paste it into the extension UI field X-API-Key and press "Save Configuration".
- (Optional) If you are using a self‑hosted VulnMatter instance set the custom base URL before saving.
IMPORTANT: The value must be placed specifically in the form field labeled X-API-Key inside the extension panel (it is a password-style input). Do not place it in the API URL field.
Security / storage notes:
- The key is written in plain text to ~/.vulnmatter/config.json (no encryption). Protect filesystem access.
- You can revoke the key at any time in the portal; then generate a new one and update the extension.
- Avoid committing the key to source control. The extension never auto-uploads it.
- If multiple keys are supported later you can rotate without downtime.
For assistance you can email: support@vulnmatter.com
Troubleshooting key issues:
- 401 / unauthorized responses → key revoked, expired, or pasted with whitespace.
- Empty results or timeouts → verify base URL or network proxy settings.
- After changing the key, use the UI Save again to force regeneration of external MCP configs.
Generated configuration file:
~/.vulnmatter/config.json
Example:
{
  "apiKey": "TU_API_KEY",
  "apiUrl": "https://api.vulnmatter.com",
  "timestamp": "2025-09-20T12:34:56.123Z",
  "paths": {
    "vulnmatterConfig": "C:/Users/usuario/.vulnmatter/config.json",
    "claudeDesktopConfig": "C:/Users/usuario/AppData/Roaming/Claude/claude_desktop_config.json",
    "vsCodeMcpConfig": "C:/Users/usuario/AppData/Roaming/Code/User/mcp.json",
    "effectiveRoot": "C:/ruta/proyecto",
    "serverNodeName": "filesystem_miproyecto"
  }
}
4. CVE Analysis (Temporarily Hidden)
When re-enabled:
- Enter CVEs one per line, format: CVE-YYYY-NNNN.
- Click "Analyze CVEs".
- Scores appear (simulated values are generated if the API is unreachable).
Color legend:
- High (>=7.0): Red
- Medium (4.0–6.9): Orange
- Low (<4.0): Green
5. Report Generation (Temporarily Hidden)
When re-enabled:
- Make sure you have entered CVEs.
- (Optional) Add additional query parameters: format=pdf&detailed=true.
- Click "Generate Report".
- A record is stored in ~/.vulnmatter/products.json.
6. MCP Integration
The extension configures MCP nodes for both VS Code and Claude Desktop.
6.1 Configuration Paths
| OS | VS Code MCP | Claude Desktop |
| --- | --- | --- |
| Windows | %APPDATA%/Code/User/mcp.json | %APPDATA%/Claude/claude_desktop_config.json |
| macOS | ~/Library/Application Support/Code/User/mcp.json | ~/Library/Application Support/Claude/claude_desktop_config.json |
| Linux | ~/.config/Code/User/mcp.json | ~/.config/Claude/claude_desktop_config.json |
6.2 VulnMatter MCP Server
Generated node:
{
  "servers": {
    "VulnMatter": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "supergateway", "--sse", "https://mcp.singularity-matter.com/sse"],
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0",
        "X-API-Key": "TU_API_KEY"
      }
    }
  }
}
6.3 Filesystem MCP Server
Dynamic name: filesystem_<project_basename>
{
  "servers": {
    "filesystem_miproyecto": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem"],
      "env": { "ROOT": "C:/ruta/proyecto" }
    }
  }
}
6.4 Activation from the UI
Available checkboxes:
- MCP VS Code → creates/updates VulnMatter node in mcp.json.
- MCP Claude → creates/updates node in claude_desktop_config.json.
- Filesystem MCP → creates local filesystem server.
The API Key is automatically injected into env.X-API-Key each time you reconfigure.
The diagnostic button (🔧) shows a modal summary with:
- Status of each server
- Presence of API Key
- Active file paths
7. Automatic Migrations
If a legacy Assents node existed, it is renamed to VulnMatter in all configs (internal + Claude + VS Code MCP). Existing customizations are preserved.
8. Security
| Aspect | Detail |
| --- | --- |
| API Key storage | Plain text in ~/.vulnmatter/config.json |
| UI exposure | Never shown fully after saving |
| In transit | Sent in X-API-Key header over HTTPS |
| Best practices | Protect home folder via OS encryption (BitLocker, FileVault, LUKS) |
To improve security you could:
- Integrate with a Secret Manager (Azure Key Vault, AWS Secrets Manager)
- Encrypt the local file (add AES layer + user passphrase)
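The audit sketch below is an added example, not the extension's own code. It checks a generated MCP config for the settings shown in sections 6.2 and 8: NODE_TLS_REJECT_UNAUTHORIZED set to "0" (which turns off certificate verification in Node.js, so the "over HTTPS" row above no longer guarantees who receives the key), the API key stored in clear text, and npx -y packages with no pinned version. The function names and issue labels are hypothetical, and the sample input is constructed from the node in 6.2.

```javascript
// Added example, not the extension's code. Issue labels are hypothetical.
// Servers sit under "servers" (VS Code mcp.json, as on this page) or
// "mcpServers" (Claude Desktop's claude_desktop_config.json).
function auditMcpConfig(cfg) {
  const findings = [];
  const servers = { ...(cfg.servers || {}), ...(cfg.mcpServers || {}) };
  for (const [server, srv] of Object.entries(servers)) {
    const env = srv.env || {};
    const args = srv.args || [];
    // "0" makes Node.js accept any TLS certificate, so the server that
    // receives X-API-Key is no longer authenticated.
    if (String(env.NODE_TLS_REJECT_UNAUTHORIZED) === "0") {
      findings.push({ server, issue: "tls-verification-disabled" });
    }
    // The key is copied into this file in clear text on each reconfigure.
    if (env["X-API-Key"]) {
      findings.push({ server, issue: "plaintext-api-key" });
    }
    // npx -y installs without prompting; a bare name (no @version) resolves
    // to whatever is currently published.
    const pkg = args.find((a) => !a.startsWith("-"));
    const pinned = pkg !== undefined && pkg.lastIndexOf("@") > 0;
    if (srv.command === "npx" && args.includes("-y") && pkg && !pinned) {
      findings.push({ server, issue: "unpinned-npx-package", pkg });
    }
  }
  return findings;
}

// POSIX only: true if group or other has any permission bit on the file.
function keyFileTooOpen(mode) {
  return (mode & 0o077) !== 0;
}

// Audit a file on disk: works for mcp.json, claude_desktop_config.json and
// ~/.vulnmatter/config.json (no servers there, so only permissions apply).
function auditFile(file) {
  const fs = require("fs");
  const findings = auditMcpConfig(JSON.parse(fs.readFileSync(file, "utf8")));
  if (process.platform !== "win32" && keyFileTooOpen(fs.statSync(file).mode)) {
    findings.push({ file, issue: "accessible-by-group-or-other" });
  }
  return findings;
}

// Constructed sample: the generated VulnMatter node from section 6.2.
const SAMPLE = { servers: { VulnMatter: { type: "stdio", command: "npx",
  args: ["-y", "supergateway", "--sse", "https://mcp.singularity-matter.com/sse"],
  env: { NODE_TLS_REJECT_UNAUTHORIZED: "0", "X-API-Key": "TU_API_KEY" } } } };
console.log(auditMcpConfig(SAMPLE));
```

On a configured machine, call auditFile() on each path from section 6.1 and on ~/.vulnmatter/config.json.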
9. Troubleshooting
| Issue | Possible Cause | Solution |
| --- | --- | --- |
| Empty scores | Invalid API Key | Regenerate or verify the key |
| MCP node not visible | Corrupted mcp.json | Delete file and reconfigure from the extension |
| Claude doesn’t detect server | Path/root format mismatch | Restart Claude after configuring |
| Changed API Key not reflected | MCP not reconfigured | Check the corresponding checkbox again |
| Permission error | Protected directory | Run VS Code with proper permissions |
| Report very slow | Real API call latency | Check connectivity / rely on temporary fallback |
View current configuration
Click the 🔧 button (MCP status) or inspect:
~/.vulnmatter/config.json
%APPDATA%/Code/User/mcp.json
%APPDATA%/Claude/claude_desktop_config.json
Full reset
# Close VS Code and Claude Desktop first (PowerShell on Windows)
rm ~/.vulnmatter/config.json
rm $env:APPDATA/Code/User/mcp.json
rm $env:APPDATA/Claude/claude_desktop_config.json
(Adjust paths per OS). Then reopen and reconfigure.
10. Development Scripts
npm run compile # Compile
npm run watch # Watch / incremental rebuild
npm run package # Webpack production build
Package:
npm install -g @vscode/vsce
vsce package
11. Extend
| Goal | How |
| --- | --- |
| New VulnMatter endpoint | Clone pattern from getCVEScores() / getCVEReport() |
| Add another MCP server | Create method similar to createOrUpdateVulnMatterServer() |
| Additional UI | Add sections to vulnmatter.html and handle messages in onDidReceiveMessage |
| Support multiple API Keys | Change apiKey → array and add selection UI |
12. Changelog
| Version | Changes |
| --- | --- |
| 1.1.0 | VS Code + Claude MCP, diagnostic button, Assents→VulnMatter migration, automatic X-API-Key update |
| 1.0.0 | CVE analysis, reports, API Key save |
13. License
(Define here: MIT / Apache-2.0 / Proprietary)
14. Support
- Internal contact / Slack channel
- Repository issues (if applicable)
Need screenshots or want the hidden features back? Open an issue or request it.
npm install --save-dev @vscode/vsce
npx vsce package
npx vsce publish