XploitScan for VS Code
Security scanner for AI-generated code, right inside your editor. 210 rules tuned for what Cursor, Lovable, Bolt, Replit, and Claude Code actually produce — unprotected webhooks, hardcoded API keys, SQL injection via template literals, missing auth middleware, CORS misconfigurations, and more.
Runs locally. No account. No network. Nothing uploaded.
Features
- Scan on save — every time you save a file, XploitScan checks it for vulnerabilities and surfaces findings in the Problems panel
- Status bar indicator — at-a-glance count of issues in the current file, color-coded by severity
- Rule documentation — each finding links to the rule's full explanation at xploitscan.com/rules
- Configurable noise floor — filter out low-severity findings if you only want to see critical and high issues
- Works offline — the scanner is bundled with the extension, no API calls
Getting started
- Install the extension
- Open any JavaScript, TypeScript, or Python file
- Save — XploitScan runs automatically
- Check the Problems panel (Cmd+Shift+M / Ctrl+Shift+M) for findings
You can also run scans on demand:
- `XploitScan: Scan Current File` — rescan whatever's in the editor
- `XploitScan: Scan Workspace` — scan every open document (for full-repo scans, use the CLI: `npx xploitscan scan .`)
- `XploitScan: Clear Diagnostics` — dismiss all findings
All commands are in the command palette (Cmd+Shift+P / Ctrl+Shift+P).
Settings
| Setting | Default | Purpose |
|---|---|---|
| `xploitscan.scanOnSave` | `true` | Auto-scan when a file is saved |
| `xploitscan.scanOnOpen` | `false` | Auto-scan when a file is opened |
| `xploitscan.severityThreshold` | `low` | Hide findings below this severity |
| `xploitscan.showStatusBar` | `true` | Show the XploitScan indicator in the status bar |
What gets flagged
A few examples of what XploitScan catches that most SAST tools miss:
- Stripe / Clerk / Supabase webhook handlers without signature verification
- Hardcoded Anthropic / GitHub / AWS / Supabase service-role keys
- SQL injection via template literals (``db.query(`SELECT ... ${x}`)``) — the default pattern AI tools produce
- `dangerouslySetInnerHTML` fed URL query params or localStorage
- `child_process.exec` / `spawn({ shell: true })` with user input
- Next.js API routes without auth middleware or body validation
- CORS wildcards with credentials
- Open redirects via `res.redirect(req.query.x)`
All 210 rules are documented at xploitscan.com/rules with OWASP and CWE mappings.
Privacy
Everything runs locally inside VS Code's extension host. Source code never leaves your machine. No telemetry. No account required. Full privacy policy.
- CLI — `npx xploitscan scan .` for full-repo scans from the terminal
- GitHub Action — marketplace listing for CI
- MCP server — `xploitscan-mcp` on npm for Claude Desktop / Cursor agents
- Web scanner — xploitscan.com/scan for upload-and-scan flow
Same 210-rule engine across all surfaces.
License
MIT.