Audit Language Support
VS Code extension for Nessus / CIS .audit files — full-featured syntax highlighting, beautifier, validator, snippets, outline, and block-style visualizer. Tested against 1,568 real Tenable portal audit files.
Install
From VSIX (local):
- Download audit-language-support-X.Y.Z.vsix from Releases (or build it yourself — see below).
- In VS Code: Ctrl+Shift+P → "Extensions: Install from VSIX..." → pick the .vsix.
- Reload the window.
Or via command line:
code --install-extension audit-language-support-X.Y.Z.vsix
Features
Syntax highlighting
- File association for *.audit
- XML-like tags (<custom_item>, <if>, <condition>, <then>, <else>, <report>, etc.)
- Single AND double quoted strings (Tenable's Windows audits use single quotes for info/solution heavily)
- Field-color groups — distinct colors per semantic role:
  - Identity (purple) — description
  - Prose (soft green) — info, solution
  - Pattern (warm coral) — regex, expect, not_expect, cmd
  - Target (teal) — file, rpm, name, service, reg_key, svc_name
  - Citation (muted gray) — reference, see_also
- Severity-tinted values — CRITICAL red, HIGH orange, MEDIUM yellow, LOW green, INFO blue
- ~80 known check types highlighted as enums (CMD_EXEC, REGISTRY_SETTING, AUDIT_POWERSHELL, etc.)
- Comment lines (#-prefixed) muted; <ui_metadata> block recognized
- \" escape handling, including trailing-quote registry-path quirk
Beautifier
- Aligns key : value columns within each <custom_item> block (per-block, longest-key wins)
- Re-indents tags by depth
- Wraps long info / solution prose at auditFormatter.wrapColumn (default 120), continuation aligned under the opening quote
- Comma-wraps long reference values at token boundaries
- Single + double quote aware
- Preserves shell-command examples and CLI snippets verbatim inside prose
- Trigger: Shift+Alt+F, right-click menu, status-bar Beautify button, or Audit: Beautify File from Command Palette
Validator (Problems panel)
- Tag balance / nesting / unclosed-tag detection
- Universal-required-key check (description, plus info/solution/reference on strict Windows/Unix audits)
- Type-specific required-key check for ~30 types (CMD_EXEC needs cmd + expect|not_expect, REGISTRY_SETTING needs reg_key + reg_item + value_type + value_data, etc.) with any-of alternatives for multi-platform variants
- Duplicate description detection — skips legitimate CIS <then>/<else> mutually-exclusive branch patterns and <condition> probe duplicates
- <if> structure validation (must have <condition> + <then>)
- @VARIABLE@ reference validation against <ui_metadata><variables>
- <debug/> flag info diagnostic
- File-wide consistency rule: only warns about missing info/solution/reference if ≥80% of items in the file have it (avoids noise on minimal-format files like AIX, MSCT)
- Platform-aware strictness — Windows/Unix strict; Cisco / ArubaOS / Brocade / cloud-native files lenient
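The type-specific required-key rule described above, sketched as an added example; it is not the extension's own code. The function names, the layout of the rule table, and the sample audit text are assumptions made for illustration, and only the two rules the README quotes are included.

```javascript
// Rule table with only the two rules the README quotes; an inner array is an
// any-of group (at least one of its keys must be present).
const REQUIRED_KEYS = new Map([
  ['CMD_EXEC', ['cmd', ['expect', 'not_expect']]],
  ['REGISTRY_SETTING', ['reg_key', 'reg_item', 'value_type', 'value_data']],
]);

// Collect every <custom_item> block with its 1-based start line and its keys.
// Simplification: one "key : value" pair per line, no multi-line values.
function parseCustomItems(text) {
  const items = [];
  for (const m of text.matchAll(/<custom_item>([\s\S]*?)<\/custom_item>/g)) {
    const keys = new Map();
    for (const raw of m[1].split(/\r?\n/)) {
      const kv = /^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*$/.exec(raw);
      if (kv && !keys.has(kv[1])) keys.set(kv[1], kv[2]);
    }
    items.push({ line: text.slice(0, m.index).split('\n').length, keys });
  }
  return items;
}

// One diagnostic per missing key or unsatisfied any-of group.
function validateRequiredKeys(text) {
  const problems = [];
  for (const item of parseCustomItems(text)) {
    const type = item.keys.get('type');
    for (const rule of REQUIRED_KEYS.get(type) || []) {
      const anyOf = Array.isArray(rule) ? rule : [rule];
      if (!anyOf.some((key) => item.keys.has(key))) {
        problems.push({ line: item.line, type, missing: anyOf.join('|') });
      }
    }
  }
  return problems;
}

// Constructed sample, not taken from a Tenable audit file.
const SAMPLE = [
  '<custom_item>', '  type : CMD_EXEC', '  description : "sshd is active"',
  '  cmd : "systemctl is-active sshd"', '  expect : "^active$"', '</custom_item>',
  '<custom_item>', '  type : CMD_EXEC', '  description : "no expectation"',
  '  cmd : "cat /etc/issue"', '</custom_item>',
  '<custom_item>', '  type : REGISTRY_SETTING', '  description : "no reg_item"',
  '  reg_key : "HKLM\\Software\\Example"', '  value_type : POLICY_DWORD',
  '  value_data : 1', '</custom_item>',
].join('\n');

console.log(validateRequiredKeys(SAMPLE));
```

A check whose required key is missing can fail to evaluate what its description claims, so a diagnostic at the block's start line is the useful place to surface it.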
Snippets (30 templates)
Type a prefix in any .audit file:
| Prefix | Block |
| --- | --- |
| audit-checktype | <check_type:"..."> wrapper |
| audit-group | <group_policy:"..."> section |
| audit-if, audit-if-and, audit-if-or | full <if>/<condition>/<then>/<else> blocks |
| audit-report | <report type:"PASSED\|FAILED\|WARNING"> |
| audit-cmd | Unix CMD_EXEC |
| audit-filecontent, audit-filecontentnot, audit-filecheck | Unix file checks |
| audit-rpm, audit-process, audit-banner, audit-chkconfig | Unix system checks |
| audit-regset, audit-auditpolicy, audit-userrights, audit-passwordpolicy, audit-lockoutpolicy, audit-servicepolicy, audit-wmi | Windows checks |
| audit-powershell, audit-allowedports | Modern Windows checks |
| audit-config, audit-offlineconfig | Network device checks |
| audit-sql | Database SQL_POLICY |
| audit-debug | <debug/> flag |
| audit-cmdbash | multi-line shell cmd body |
Tabstop dropdowns for severity / platform / condition type — no need to remember enum values.
Tenable docs shortcuts
- Audit: Open Tenable Compliance Checks Reference — opens the official Tenable Compliance Checks Reference in your browser
- Audit: Look Up Check Type at Cursor — context-aware: scans up from the cursor for the nearest type: line and opens a Tenable-docs-scoped search for that check type. Falls back to an input prompt if no type: is found. Available from the right-click menu, command palette, or via editor/context
Outline + Visualizer
- Built-in Outline panel (Explorer sidebar) — full tag tree, breadcrumbs, sticky scroll, Ctrl+Shift+O for symbol search. Click any node → editor jumps and selects the whole block.
- Audit Outline (custom Explorer view) — same tree plus toggle buttons in the title bar:
  - Group by Structure (default)
  - Group by Type — flattens custom_items grouped by type: value, sorted by count
  - Group by Severity — CRITICAL/HIGH/MEDIUM/LOW/INFO groups
- Block-style flowchart visualizer (webview, opens beside) — nested colored cards with collapse/expand per block. Header tinted by tag kind (check_type blue, if yellow, then green, else red, etc.), severity-badged custom_items. Toolbar: Expand all / Collapse all / Collapse leaves / live filter search.
  - Trigger via Audit: Show Conditional Flowchart command, right-click menu, or editor title bar icon
  - Click any block → editor jumps to that line
  - Auto-refreshes as you edit the file
Settings
All settings are under auditHighlighter.* and auditFormatter.*. Find them via Ctrl+, → search "audit":
Field colors (5 groups)
| Setting | Default | Affects |
| --- | --- | --- |
| auditHighlighter.identityColor | #C586C0 | description values |
| auditHighlighter.proseColor | #A9C77B | info, solution values |
| auditHighlighter.patternColor | #CE9178 | regex, expect, not_expect, cmd values |
| auditHighlighter.targetColor | #4EC9B0 | file, rpm, name, service, reg_key, svc_name values |
| auditHighlighter.citationColor | #7F848E | reference, see_also values |
Severity colors
| Setting | Default | Severity |
| --- | --- | --- |
| auditHighlighter.severityCriticalColor | #F44747 | CRITICAL |
| auditHighlighter.severityHighColor | #FF8C42 | HIGH |
| auditHighlighter.severityMediumColor | #DCDCAA | MEDIUM |
| auditHighlighter.severityLowColor | #98C379 | LOW |
| auditHighlighter.severityInfoColor | #4FC1FF | INFO |
Other highlight colors
| Setting | Default | Purpose |
| --- | --- | --- |
| auditHighlighter.tagColor | #E06C75 | XML-like tags |
| auditHighlighter.keyColor | #61AFEF | key names on key : value lines |
| auditHighlighter.stringColor | #D7DCE2 | generic quoted strings |
| auditHighlighter.commentColor | #5F7A5C | #-prefixed comments |
| auditHighlighter.enumColor | #E5C07B | enum tokens (CMD_EXEC, POLICY_DWORD, AND, OR, etc.) |
| auditHighlighter.braceContentColor | #98C379 | content inside { ... } braces |

| Setting | Default | Purpose |
| --- | --- | --- |
| auditFormatter.wrapColumn | 120 | Wrap column for info/solution/reference. Set to 99999 to disable physical wrapping. |
Auto-applied per-language defaults
When you open an .audit file, the extension also sets:
"[audit]": {
  "editor.insertSpaces": true,
  "editor.tabSize": 2,
  "editor.wordWrap": "on",
  "editor.wrappingIndent": "indent"
}
Override any of these in your user settings if needed.
Build the VSIX yourself
git clone https://github.com/Leng-Phirun/audit-highlighter.git
cd audit-highlighter
npx @vscode/vsce package
Produces audit-language-support-X.Y.Z.vsix in the repo root.
Development
git clone https://github.com/Leng-Phirun/audit-highlighter.git
cd audit-highlighter
code .
Press F5 to launch an Extension Development Host. Edit extension.js, then Ctrl+R in the dev host to reload.
License
MIT — see LICENSE.
Author
Leng Phirun