AppsecD

Rahul Malhotra | 1 install | (0) | Free
Shift-left AppSec for VS Code & Cursor — SAST + secret scan on every commit, AI-powered fix suggestions, and a per-org governance dashboard. Powered by appsec.shiprocket.in.
AppsecD

Shift-left AppSec for VS Code & Cursor. Catch vulnerabilities, secrets, and risky patterns at the moment of git commit — long before they reach CI, code review, or a PR comment.

Powered by appsec.shiprocket.in — the same SAST + AI engine that scores Shiprocket's production code.


Why AppsecD?

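|                 | Find security bugs at... | Time-to-fix | Reviewer cycles |
|-----------------|--------------------------|-------------|-----------------|
| Without AppsecD | PR review                | 1-7 days    | 2-5             |
| With AppsecD    | the commit               | seconds     | 0               |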

It runs locally on staged changes, so security feedback shows up next to the line you just typed — not next to the merge button.


What it does

  • Pre-commit + pre-push scan of changed files (configurable per severity threshold; defaults to high blocks, medium warns).
  • Multi-engine SAST behind the scenes: Semgrep + Trivy + custom Shiprocket rule packs — same rules that gate Shiprocket's production PRs.
  • Secret detection for AWS / GitHub / Stripe / Slack / JWT and 20+ provider patterns; bypass-detection on the server side catches --no-verify commits via the GitHub App.
  • AI-powered explain + fix-action per finding (Anthropic / Google / OpenAI via the Shiprocket-AI gateway). One click to apply the AI-suggested patch as a vscode.WorkspaceEdit.
  • Org-managed policy — severity thresholds, exclude globs, AI mode, and per-org quotas configured by your admin at https://appsec.shiprocket.in/admin/settings/extension. The extension respects org policy automatically (no per-dev override of org-stricter settings).
  • Per-user observability at https://appsec.shiprocket.in/settings/extension — your own scans, blocked commits, AI cost, and connection state.

Install

VS Code Marketplace / Cursor (Open VSX) — recommended

Search "AppsecD" in your editor's extension panel and install. Auto-updates as new versions ship.

Manual .vsix (air-gapped or self-host)

Download the latest .vsix from your org's AppsecD portal at /admin/settings/extension → Section A: Download & install. Drag and drop the file into VS Code / Cursor.


Sign in

After install, open the command palette (Ctrl/Cmd+Shift+P):

  • AppsecD: Sign in with GitHub — opens your browser to the device-code consent page, then auto-completes the sign-in once you approve.
  • AppsecD: Sign in with Email — same flow, your org's SSO / email login.

After sign-in, run AppsecD: Install Git hooks inside the workspace you want scanned. From here on, every git commit triggers a scan.


Configuration

All settings live under appsecd.* in VS Code settings:

| Setting | Default | Notes |
|---------|---------|-------|
| appsecd.backendUrl | https://appsec.shiprocket.in | Override for self-hosted backends |
| appsecd.scan.precommit.enabled | true | Pre-commit hook on/off |
| appsecd.scan.prepush.enabled | true | Pre-push hook on/off |
| appsecd.scan.blockSeverity | high | Block at critical / high / medium / low / off |
| appsecd.scan.warnSeverity | medium | Warn (don't block) at this severity |
| appsecd.ai.mode | on-demand | off / on-demand / auto |
| appsecd.scan.maxFileSizeKB | 512 | Per-file ceiling |
| appsecd.scan.maxFilesPerDiff | 200 | Diff size cap |
| appsecd.scan.excludeGlobs | node_modules, dist, build, .venv, __pycache__, *.min.js, vendor | Glob skip list |

Org policy can tighten these from /admin/settings/extension → Section F: Policy — the stricter of local-or-org wins.
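
The "stricter of local-or-org wins" rule, worked through as an added example (not code from the AppsecD project). It assumes a threshold means "this severity or worse" and that warnSeverity accepts the same values as blockSeverity; all function names are hypothetical.

```javascript
// Added illustration, not AppsecD source. Assumes a threshold of X means
// "X or more severe" and that "off" disables the action entirely.
const RANK = new Map([["low", 1], ["medium", 2], ["high", 3], ["critical", 4]]);

// Rank of a finding's severity; unknown labels are rejected, not ignored.
function rank(severity) {
  if (!RANK.has(severity)) throw new Error(`unknown severity: ${severity}`);
  return RANK.get(severity);
}

// Lowest rank at which a threshold fires; "off" never fires.
function floorOf(threshold) {
  return threshold === "off" ? Infinity : rank(threshold);
}

// The stricter of two thresholds is the one that fires at a lower severity.
function stricter(a, b) {
  return floorOf(a) <= floorOf(b) ? a : b;
}

// Merge local settings with org policy; a key the org leaves unset keeps the local value.
function effectivePolicy(local, org = {}) {
  const merged = {};
  for (const key of ["blockSeverity", "warnSeverity"]) {
    merged[key] = key in org ? stricter(local[key], org[key]) : local[key];
  }
  return merged;
}

// Classify findings the way a commit gate would under the merged policy.
function gate(findings, policy) {
  const blocked = findings.filter(f => rank(f.severity) >= floorOf(policy.blockSeverity));
  const warned = findings.filter(
    f => !blocked.includes(f) && rank(f.severity) >= floorOf(policy.warnSeverity));
  const action = blocked.length ? "block" : warned.length ? "warn" : "allow";
  return { action, blocked, warned };
}

// Constructed sample: a developer turns blocking off locally, the org requires "high".
const local = { blockSeverity: "off", warnSeverity: "high" };
const org = { blockSeverity: "high", warnSeverity: "medium" };
const findings = [
  { rule: "hardcoded-secret", severity: "high" },
  { rule: "weak-hash", severity: "medium" },
  { rule: "debug-log", severity: "low" },
];
const policy = effectivePolicy(local, org);
console.log(policy, gate(findings, policy).action);
```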


Privacy

  • Source code is sent to the AppsecD backend only on scan submission; it's never retained beyond the scan's lifetime unless your org explicitly opts in to longer retention (extension_retain_code_seconds in admin settings).
  • Telemetry is opt-in, off by default (appsecd.telemetry.enabled = false).
  • Right-to-erasure: DELETE /api/extension/my/data (or click "Delete my data" on /settings/extension) scrubs your scans, sessions, and AI calls — audit shell stays for compliance per plan §19.12.

Links

  • Portal: https://appsec.shiprocket.in
  • Per-user dashboard: https://appsec.shiprocket.in/settings/extension
  • Source: https://github.com/ssecurityy/AppsecD
  • Issues: https://github.com/ssecurityy/AppsecD/issues
  • Open VSX: https://open-vsx.org/extension/bira/appsecd-vscode
  • Operator runbook: docs/IDE_EXTENSION_OPERATOR_RUNBOOK.md