Safe Commit
Real-time SAST, secret, SCA, and SBOM scanning inside VS Code. Findings appear as squiggles and sidebar cards the moment you save.
Scanners
| Scanner | Status |
| --- | --- |
| SAST — code vulnerabilities | ✅ |
| Secrets — hardcoded credentials | ✅ |
| SCA — vulnerable dependencies | ⏳ Coming soon |
| SBOM — bill of materials | ⏳ Coming soon |
Engines download and cache automatically on first use.
Quick start
- Open the Safe Commit panel in the activity bar.
- Run Install / Update Engine to fetch the scanner binaries.
- Save any file — findings appear instantly.
Features
Scan types
| Mode | What shows |
| --- | --- |
| Full | Every finding |
| Baseline | Only findings new since a saved snapshot |
| Diff | Only findings on lines you changed vs a git ref |
Switch with Set Scan Mode. Set the diff base via safeCommit.diffBase (e.g. HEAD, main).
Ad-hoc scans
- Scan Current File — scan the active editor on demand
- Scan Workspace — scan every non-excluded file
- On save — automatic, debounced, language-scoped (toggle: safeCommit.scanOnSave)
Ignore finding / Ignore rule
Hover the squiggle → lightbulb → Ignore this finding or Ignore rule "…". Ignores persist by fingerprint — they survive edits elsewhere in the file.
Restore anything via Manage Ignored Findings or Restore All Ignored.
Autofix
Findings with an available fix show a ⚡ Apply fix CodeLens above the line and a preferred lightbulb action. One click applies the replacement; the file isn't auto-saved so you review first.
Baseline
- Scan Workspace → Set Baseline — snapshots current findings as "known issues".
- Switch to Baseline mode — only new findings surface from here on.
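The Diff and Baseline modes above, and the fingerprint-based ignores described under "Ignore finding / Ignore rule", all reduce to two small filters: keep a finding only if it sits on a line a git diff touched, or only if its fingerprint is not in a saved snapshot. The following is an added illustration of those two filters, not Safe Commit's own code; the Finding shape, the fingerprint recipe (rule + file + whitespace-normalised snippet, no line number) and the sample findings and diff are all constructed for the example. It parses `git diff -U0 <ref>` hunk headers, which describe exactly the changed lines, and shows that a baselined finding still matches after an edit elsewhere in the file moves it.

```typescript
import { createHash } from "node:crypto";

// Assumed shape of a scanner finding; the real Safe Commit schema is not documented here.
export interface Finding {
  file: string;    // path relative to the workspace root, as in the diff
  line: number;    // 1-based line the finding is reported on
  ruleId: string;
  snippet: string; // the offending source line
}

// Fingerprint = rule + file + whitespace-normalised snippet. The line number is
// deliberately left out so a baseline or ignore keeps matching after unrelated
// edits shift the code up or down.
export function fingerprint(f: Finding): string {
  const snippet = f.snippet.replace(/\s+/g, " ").trim();
  return createHash("sha256")
    .update(`${f.ruleId}\0${f.file}\0${snippet}`)
    .digest("hex")
    .slice(0, 16);
}

// Baseline mode: keep only findings whose fingerprint is absent from the snapshot.
export function newSinceBaseline(findings: Finding[], baseline: Set<string>): Finding[] {
  return findings.filter((f) => !baseline.has(fingerprint(f)));
}

// Collect the "+"-side line numbers each hunk header covers, per file.
// With `git diff -U0` the +start,count range is exactly the added/modified
// lines; with context lines it would also include the unchanged context.
export function changedLines(unifiedDiff: string): Map<string, Set<number>> {
  const byFile = new Map<string, Set<number>>();
  let current: string | null = null;
  for (const raw of unifiedDiff.split("\n")) {
    const plusFile = /^\+\+\+ (.*)$/.exec(raw);
    if (plusFile) {
      // "+++ /dev/null" marks a deleted file: nothing left to scan there.
      current = plusFile[1].startsWith("b/") ? plusFile[1].slice(2) : null;
      if (current && !byFile.has(current)) byFile.set(current, new Set());
      continue;
    }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@/.exec(raw);
    if (hunk && current) {
      const start = Number(hunk[1]);
      const count = hunk[2] === undefined ? 1 : Number(hunk[2]); // "+c" alone means one line
      const lines = byFile.get(current)!;
      for (let i = 0; i < count; i++) lines.add(start + i);
    }
  }
  return byFile;
}

// Diff mode: keep only findings on a line the diff touched.
export function onChangedLines(findings: Finding[], unifiedDiff: string): Finding[] {
  const changed = changedLines(unifiedDiff);
  return findings.filter((f) => changed.get(f.file)?.has(f.line) ?? false);
}

// ---- Constructed sample data (not real scanner output) ----
export const SAMPLE_FINDINGS: Finding[] = [
  { file: "src/db.ts", line: 12, ruleId: "sast.sql-injection",
    snippet: 'db.query("SELECT * FROM users WHERE id = " + id)' },
  { file: "src/db.ts", line: 40, ruleId: "secrets.generic-api-key",
    snippet: 'const apiKey = "EXAMPLE_PLACEHOLDER_KEY"' },
  { file: "src/util.ts", line: 3, ruleId: "sast.weak-hash",
    snippet: 'createHash("md5")' },
];

// Constructed to look like `git diff -U0 main`: db.ts changed, util.ts untouched, legacy.ts deleted.
export const SAMPLE_DIFF = [
  "diff --git a/src/db.ts b/src/db.ts",
  "--- a/src/db.ts",
  "+++ b/src/db.ts",
  "@@ -10,2 +10,3 @@ export function findUser(req, res) {",
  "-  const row = findById(req.params.id);",
  "-  return row;",
  "+  const id = req.params.id;",
  "+  return db.query(",
  '+    db.query("SELECT * FROM users WHERE id = " + id)',
  "@@ -38,0 +39,2 @@",
  "+  // temporary hardcoded key",
  '+  const apiKey = "EXAMPLE_PLACEHOLDER_KEY"',
  "diff --git a/src/legacy.ts b/src/legacy.ts",
  "--- a/src/legacy.ts",
  "+++ /dev/null",
  "@@ -1 +0,0 @@",
  "-export const unused = 1;",
].join("\n");

// Runs both filters over the samples and returns what each mode would surface.
export function demo(): { diffScoped: Finding[]; baselineScoped: Finding[] } {
  const diffScoped = onChangedLines(SAMPLE_FINDINGS, SAMPLE_DIFF);
  // Snapshot the SQL finding, then simulate an edit above it that moves it to line 15.
  const baseline = new Set([fingerprint(SAMPLE_FINDINGS[0])]);
  const rescanned: Finding[] = [{ ...SAMPLE_FINDINGS[0], line: 15 }, SAMPLE_FINDINGS[1], SAMPLE_FINDINGS[2]];
  const baselineScoped = newSinceBaseline(rescanned, baseline);
  return { diffScoped, baselineScoped };
}
```

Running `demo()` gives two diff-scoped findings (db.ts lines 12 and 40; util.ts is not in the diff) and two baseline-scoped findings (the moved SQL finding is still recognised by fingerprint and stays suppressed). The deleted legacy.ts never enters the changed-line map, so findings that once pointed at it cannot be reported in Diff mode.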
Group & filter
In the Findings sidebar, group by File, Severity, Rule, or Scanner. Filter by severity or show fixable only.
Navigate
| Action | Shortcut |
| --- | --- |
| Next finding | Alt+F8 |
| Previous finding | Shift+Alt+F8 |
| Summary / jump to file | Status bar → Show Findings Summary |
Configuration
All keys live under the safeCommit namespace (e.g. safeCommit.scanOnSave).

| Setting | Default | Notes |
| --- | --- | --- |
| scanOnSave | true | Auto-scan on save |
| scanMode | full | full / baseline / diff |
| diffBase | HEAD | Git ref for diff mode |
| severityThreshold | info | Minimum severity reported |
| excludeGlobs | node_modules, dist, … | Paths to skip |
| scanTimeoutMs | 60000 | Per-engine timeout (ms) |
| maxJobs | 0 | CPU cores; 0 = all |
| sast.enabled | true | Toggle SAST |
| sast.path | "" | Custom engine binary |
| sast.config | "" | Custom rules directory |
| secrets.enabled | true | Toggle secrets scanner |
| secrets.path | "" | Custom secrets binary |
Privacy
Everything runs locally. No code leaves your machine. Binaries are fetched from public GitHub releases once, then cached offline.
License
Distributed under the terms in the LICENSE file included with this extension.