Carapace — Security Scanner for VS Code
Catch vulnerabilities, code smells, and security misconfigurations directly in your editor. Powered by Carapace's 96-rule pattern engine.
Features
- Inline diagnostics — Security findings appear as squiggly underlines in your code with severity-based coloring (errors, warnings, hints)
- Scan on save — Automatically scans your code every time you save a file
- 96 detection rules — SQL injection, XSS, SSRF, reentrancy, hardcoded secrets, prototype pollution, and more
- Multi-language — JavaScript, TypeScript, Python, Go, Java, Ruby, PHP, Solidity, Rust
- Quick Fix actions — Apply suggested fixes directly from the lightbulb menu
- Configurable severity — Filter findings by minimum severity level
Commands
Open the Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and run:
| Command | Description |
|---|---|
| Carapace: Scan Workspace | Scan the entire workspace |
| Carapace: Scan Current File | Scan from the active file's workspace |
Settings
| Setting | Default | Description |
|---|---|---|
| carapace.scanOnSave | true | Automatically scan files on save |
| carapace.staticOnly | true | Static analysis only (faster, no AI calls) |
| carapace.failSeverity | info | Minimum severity to display (critical, high, medium, low, info) |
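A workspace-scoped configuration using the three settings above, as an added example rather than a file shipped with the extension. It assumes the standard VS Code behaviour that contributed settings are read from `.vscode/settings.json` in the workspace; the setting names and allowed values are the ones listed in the table.

```jsonc
// .vscode/settings.json (workspace scope) -- added example, not from the extension's docs.
// Setting names and allowed values are taken from the settings table above.
{
  // Keep scan-on-save so findings surface before code is committed.
  "carapace.scanOnSave": true,

  // Static-only is the default; the extension documents it as faster and as
  // making no AI calls, so scanning stays entirely local.
  "carapace.staticOnly": true,

  // The default "info" shows every finding. Raising it to "high" hides
  // medium, low and info findings so the Problems panel only lists what
  // must be fixed, at the cost of not seeing lower-severity items at all.
  "carapace.failSeverity": "high"
}
```

Committing this file to the repository makes the threshold consistent across the team; a developer who wants the full list locally can override it in user settings without changing the shared file.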
Requirements
- Node.js 18+
- The carapace CLI is installed automatically via npx carapace on the first scan, so the first scan needs network access to fetch the package from the npm registry