Skip to content
| Marketplace
Sign in
Visual Studio Code>Programming Languages>Arcanum SentinelNew to Visual Studio Code? Get it now.
Arcanum Sentinel

Arcanum Sentinel

Arcanum

|
2 installs
| (0) | Free
Offline, real-time security diagnostics for JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, and Rust.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

Sentinel

Sentinel 2.1.0 is a fully offline, multi-language VS Code security extension. It detects likely high-impact vulnerabilities while code is being written and automatically applies deterministic fixes where a reliable local rewrite is available.

Your source code never leaves the VS Code extension host. Sentinel has no API client, telemetry, remote model, account, or network feature.

Supported languages

Ecosystem Languages and file types
JavaScript JavaScript, JSX, TypeScript, TSX (.js, .jsx, .mjs, .cjs, .ts, .tsx, .mts, .cts)
Python Python and type stubs (.py, .pyi)
JVM Java (.java)
.NET C# (.cs)
Cloud/backend Go (.go)
Web/backend PHP (.php) and Ruby (.rb)
Systems/backend Rust (.rs)

JavaScript and TypeScript use the TypeScript compiler AST. The other languages use bundled Tree-sitter grammars through a cross-platform WebAssembly runtime. Both engines perform local intraprocedural taint propagation rather than matching isolated keywords.

What it detects

Rule Detection Severity
SENTINEL-SQLI Request data reaching SQL query text Critical
SENTINEL-XSS Request/browser data reaching HTML DOM sinks High
SENTINEL-CMDI Request data reaching shell execution Critical
SENTINEL-PATH Request data reaching filesystem paths High
SENTINEL-SSRF Request data controlling outbound destinations High
SENTINEL-EVAL Request data reaching eval or Function Critical
SENTINEL-SECRET Likely hardcoded credentials and private keys High
SENTINEL-CRYPTO MD5/SHA-1 in security-sensitive hash APIs High

Language profiles recognize common request sources, sanitizers, and security sinks across Express/Koa, browser APIs, Flask/Django-style Python, Spring/Servlet Java, ASP.NET, Go HTTP frameworks, PHP superglobals, Rails/Rack, and Rust web stacks.

Use it

  1. Search for Sentinel by Arcanum in the VS Code Extensions view and select Install. For a local build, install sentinel-local-security-2.1.0.vsix with Extensions: Install from VSIX... in the Command Palette.
  2. Reload VS Code when prompted, then open any supported source file.
  3. Findings appear in the editor and Problems panel as you type.
  4. Save the file to apply available deterministic fixes automatically.
  5. Click the red Sentinel status button to fix available findings manually, review Problems, scan files, or toggle fix-on-save.
  6. Place the cursor on a finding and press Ctrl+. / Cmd+. for its individual fix, explanation, or targeted suppression.
  7. Run Sentinel: Scan Workspace from the Command Palette for a full local scan.
  8. To replace an older local build, install the new VSIX again and reload the window.

The status bar shield shows the current finding count. Clicking it opens Sentinel's scan, fix, and review actions.

Automatic fixes

Fix-on-save is enabled by default in Sentinel 2.1.0. Available deterministic edits are applied inside VS Code's save transaction, so the corrected content is written to disk by the same save.

Before saving:

document.body.innerHTML = location.hash;
crypto.createHash("sha1");

After saving:

document.body.textContent = location.hash;
crypto.createHash("sha256");

Sentinel offers recognized DOM text-rendering fixes and language-appropriate weak-hash migrations for JavaScript/TypeScript, Python, Java, C#, Go, PHP, Ruby, and Rust. Go fixes update the crypto import and call together. Rust hash migrations require the project to provide the sha2 dependency.

Some findings cannot be rewritten safely without application context. SQL parameter syntax, URL and path allowlists, command argument structures, secret providers, and replacements for dynamic evaluation remain visible with remediation guidance instead of receiving a guessed edit.

Commands

  • Sentinel: Fix Safe Findings in Active File
  • Sentinel: Show Actions
  • Sentinel: Scan Active File
  • Sentinel: Scan Workspace
  • Sentinel: Clear Diagnostics

Configuration

Setting Default Purpose
sentinel.enabled true Enable analysis
sentinel.scanOnType true Analyze unsaved edits
sentinel.fixOnSave true Apply deterministic automatic fixes as part of saving
sentinel.debounceMs 350 Delay after typing
sentinel.minimumSeverity medium Minimum displayed severity
sentinel.maxFileSizeKB 1024 Per-file analysis limit
sentinel.maxWorkspaceFiles 2000 Workspace scan limit
sentinel.rules.disabled [] Rule IDs to disable

For a reviewed exception, use the Quick Fix or add:

// sentinel-ignore-next-line SENTINEL-XSS
element.innerHTML = trustedTemplate;

The marker also works inside each language's normal comment syntax, such as # sentinel-ignore-next-line SENTINEL-SQLI in Python or Ruby.

Offline and privacy design

  • Analysis is synchronous and in-memory inside the local/remote VS Code extension host selected by VS Code.
  • No source, finding, filename, configuration, or usage information is transmitted.
  • No telemetry SDK or networking package is included.
  • The production extension contains one esbuild bundle and one self-contained parser WASM asset; no parser is downloaded at runtime.
  • Workspace scans use VS Code's local filesystem APIs and exclude dependency, build, coverage, and vendor directories.

If VS Code is connected to a Remote SSH, Dev Container, or Codespace workspace, extensionKind: workspace means Sentinel runs where that workspace lives. It still makes no network requests, but the files may already reside on that remote system.

Build and test

Requires Node.js 20 or newer.

npm install
npm test
npm run lint
npm run check
npm run build
npm run package

Press F5 in this folder to launch an Extension Development Host.

Analysis boundaries

Sentinel is a focused local SAST assistant, not proof that an application is secure. Version 2 follows values within one parsed file using framework-aware language profiles. It does not resolve types or data flow across modules, model every framework, inspect runtime configuration, or replace dependency scanning, review, penetration testing, and defense-in-depth controls.

Batch fixing only applies non-overlapping fixes that Sentinel can express without inventing application policy. Fixes run as part of VS Code's save operation by default, so the corrected content is written to disk in the same save. Changes such as converting innerHTML to textContent can alter rendering, and changing a hash can affect compatibility. Disable sentinel.fixOnSave from the Sentinel status menu when every security edit must be previewed. SQL parameter styles, URL allowlists, safe filesystem roots, command arguments, and replacements for dynamic evaluation require application context; Sentinel preserves those findings and provides remediation instead of guessing.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft