Blacklock SAST Security Scan
Perform a security scan on your source code as you write. Find vulnerabilities in source code, dependencies, and infrastructure configs -- all without leaving your editor.
Works with: VS Code | Claude Code | OpenAI Codex CLI
What It Does
- Scans source code for SQL injection, XSS, hardcoded secrets, logic flaws, and more
- Scans dependencies for known CVEs and suggests fixed versions
- Scans infrastructure configs (Dockerfiles, Kubernetes, Terraform) for misconfigurations
- Gives you a health score (0-100) for your project's security posture
- Auto-installs scanning tools (opengrep, trivy) on first use -- no manual setup
- Caches results per-file with content hashing -- only re-scans files that actually changed
- AI assistants (Claude/Codex) can fix findings and verify the fix in one shot
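To make the per-file content-hash cache and the "verify a finding was fixed" step concrete, here is a small model of both (example code added here, not Blacklock's own implementation; the Finding id scheme and the toy_scanner rule are assumptions):

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str

    @property
    def id(self) -> str:
        # Assumed id scheme: hash of rule + offending text, not the line number,
        # so the id survives edits elsewhere in the file (needed for "verify").
        return hashlib.sha256(f"{self.rule}:{self.snippet}".encode()).hexdigest()[:12]


class ScanCache:
    """Per-file cache keyed by SHA-256 of the content, not by mtime."""

    def __init__(self, scanner: Callable[[str], List[Finding]]):
        self.scanner = scanner
        self.entries: Dict[str, Tuple[str, List[Finding]]] = {}
        self.scans_run = 0

    def scan(self, path: str, content: str) -> List[Finding]:
        digest = hashlib.sha256(content.encode()).hexdigest()
        cached = self.entries.get(path)
        if cached is not None and cached[0] == digest:
            return cached[1]            # same bytes as last time: reuse findings
        findings = self.scanner(content)
        self.scans_run += 1
        self.entries[path] = (digest, findings)
        return findings

    def verify(self, path: str, content: str, finding_id: str) -> bool:
        """True when a fresh scan of the file no longer reports finding_id."""
        return all(f.id != finding_id for f in self.scan(path, content))


def toy_scanner(content: str) -> List[Finding]:
    # Constructed stand-in for the rule engine: flags SQL built with an f-string
    # and passed straight to execute(), the classic injection pattern.
    found = []
    for n, line in enumerate(content.splitlines(), 1):
        if "execute(f" in line:
            found.append(Finding("sqli-fstring", n, line.strip()))
    return found
```

Hashing content rather than mtime means a `touch` or a revert does not trigger a wasted re-scan, and a finding id tied to the offending text stays stable when lines shift above it.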
Quick Start
Download the latest bl-codescan binary from Releases, then follow the setup for your tool below.
VS Code Extension
Real-time security scanning with inline diagnostics, a dedicated findings panel, and dependency vulnerability detection.
Install
Build the extension:
git clone https://github.com/blacklock-security/block-ide-plugins.git
cd block-ide-plugins
npm install && npm run compile && npx vsce package
In VS Code: Ctrl+Shift+X > ... menu > Install from VSIX > select the .vsix file.
How to Use
The extension scans automatically on save. You can also run scans manually from the Command Palette (Ctrl+Shift+P):
Blacklock SAST: Scan Current File
Blacklock SAST: Scan Entire Workspace
Blacklock SAST: Scan Dependencies
Findings show up as inline squiggly underlines, in the Problems panel, and in the Blacklock sidebar.
Settings
Search "Blacklock" in VS Code Settings (Ctrl+,):
| Setting | Default | What it does |
|---|---|---|
| runOnSave | true | Scan when you save a file |
| debounceDelay | 1000 | Wait time (ms) before scanning after edits |
| configPath | "auto" | Custom rule config path, or "auto" for defaults |
| maxFileSize | 500000 | Skip files larger than this (bytes) |
Claude Code Plugin
An MCP server that gives Claude 9 security scanning tools, plus a post-edit hook that automatically scans every file Claude touches.
Install
mkdir -p ~/.claude/plugins/blacklock-codescan
cp -r claude-code-plugin/{bin,hooks,commands,mcp.json,shield.config.json} ~/.claude/plugins/blacklock-codescan/
chmod +x ~/.claude/plugins/blacklock-codescan/bin/blacklock-codescan
Restart Claude Code.
Commands
/bl-codescan:audit Full audit (source + deps + infra + health score)
/bl-codescan:source Source code scan only
/bl-codescan:deps Dependency CVE scan
/bl-codescan:infra Infrastructure config scan (Docker, K8s, Terraform)
/bl-codescan:triage Filter findings by severity/category/engine
/bl-codescan:details <file> Scan a specific file (or show cached results)
/bl-codescan:verify <finding-id> Check if a finding was fixed
/bl-codescan:autoscan on|off Toggle auto-scan after every edit
/bl-codescan:health Quick health score (0-100)
Triage Options
/bl-codescan:triage severity=CRITICAL
/bl-codescan:triage severity=HIGH,CRITICAL category=injection
/bl-codescan:triage engine=SOURCE
Example Prompts
/bl-codescan:audit
"Fix all critical and high findings, then re-run the audit"
/bl-codescan:deps
"Upgrade all vulnerable packages to their fixed versions"
/bl-codescan:details src/auth/login.py
"Is the SQL query on line 42 actually vulnerable?"
/bl-codescan:infra
"Fix the Dockerfile issues and add a non-root USER"
/bl-codescan:autoscan on
"Now write me a new API endpoint for user registration"
(Claude auto-scans after every edit)
"Run a security audit, fix anything critical, and verify the fixes"
(Claude runs audit, makes fixes, then verifies -- all automatically)
Codex CLI Plugin
An MCP skill that registers 9 security tools Codex can call on its own. Supports text, json, and sarif output formats.
Install
cd block-ide-plugins/codex-plugin
bash setup.sh
This copies the skill to ~/.codex/skills/blacklock-codescan/, registers the MCP server in ~/.codex/config.toml, and installs scanning tools if missing. Restart Codex CLI.
Commands
$bl-codescan audit Full audit (source + deps + infra + health score)
$bl-codescan source Source code scan only
$bl-codescan deps Dependency CVE scan
$bl-codescan infra Infrastructure config scan
$bl-codescan triage Filter findings by severity/category/engine
$bl-codescan details <file> Scan a specific file (or show cached results)
$bl-codescan verify <id> Check if a finding was fixed
$bl-codescan autoscan on|off Toggle auto-scan after every edit
$bl-codescan health Quick health score (0-100)
Triage Options
$bl-codescan triage severity=CRITICAL engine=SOURCE
$bl-codescan triage category=injection
Example Prompts
$bl-codescan audit
"Fix all critical findings and re-run the audit"
$bl-codescan deps
"Upgrade every vulnerable package to the fixed version"
$bl-codescan details src/api/handler.go
"Is this actually exploitable?"
$bl-codescan autoscan on
"Refactor the auth module"
(Codex auto-scans after every edit)
"Check this project for security issues, fix anything critical, then verify"
(Codex picks the right tools automatically)
Building from Source
cd blacklock-shield
cargo build --release
# Binary: target/release/blacklock-codescan
License
MIT -- see LICENSE.
Support