Skip to content
| Marketplace
Sign in
Visual Studio Code>Linters>CMB Risk ScanNew to Visual Studio Code? Get it now.
CMB Risk Scan

CMB Risk Scan

dabaoabc

| (0) | Free
Scans saved Git-diff lines with the internal Java security SDK.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

CMB Risk Scan

CMB Risk Scan is a local VS Code extension that scans saved Git-diff lines for security risks.

Prerequisites

  • Local VS Code 1.100 or newer
  • A trusted local file workspace
  • JRE 8 or newer
  • A locally downloaded app_risk_scan_sdk JAR

Configuration

Configure these resource-level settings for each workspace folder:

  • securityScan.tenantId: tenant ID as a decimal string
  • securityScan.env: target environment (DEV, ST, UAT, or PRD)
  • securityScan.commitUser: employee ID used for the scan request
  • securityScan.repoUrl: optional repository URL override
  • securityScan.branch: optional branch override

Configure these machine-level settings:

  • securityScan.sdkJarPath: required path to the pre-downloaded scanner SDK JAR
  • securityScan.javaPath: optional absolute Java executable path when Java is not available on PATH

For example:

{
  "securityScan.sdkJarPath": "/path/to/app_risk_scan_sdk-1.0.10-jar-with-dependencies.jar"
}

Run Risk Scan: Set Token (securityScan.setToken) to store the scan token in VS Code secret storage. Never put a real token or other secret in workspace settings or source files.

Windows debug page

An installed VSIX can be diagnosed without extension source code. Open the VS Code Command Palette with Ctrl+Shift+P and run Risk Scan: Open Debug Page.

The page reports the detected Java runtime, configured SDK JAR, workspace trust and locality, Git repository and branch, token presence, and Java Bridge state. It also shows redacted logs from the current VS Code session. Token values are never displayed or copied.

Use Recheck environment after changing VS Code settings, Restart Bridge after correcting Java or JAR problems, and Copy diagnostics to collect a safe troubleshooting report. Set Token opens the same secure VS Code input used by the Command Palette. These diagnostic commands remain available even when Java, the SDK JAR, or the Bridge cannot start.

For temporary SDK troubleshooting, set securityScan.revealSdkLogs to true and restart the Bridge. SDK stderr is then shown after Token, password-like assignments, and statements pass through the extension redactor. The output may still contain internal paths or SDK implementation details, so disable this setting after debugging.

Local stub SDK

When the internal scanner SDK is unavailable, build the development-only Stub SDK:

npm run build:stub-sdk

Configure securityScan.sdkJarPath with the absolute path to sdk-stub/target/risk-scan-sdk-stub.jar. The Stub uses the same external-JAR discovery and reflection path as the real SDK. It returns one PASSWORD_SEC risk only when a saved Git-increment line matches password: 123456; all other input returns no risks. The Stub JAR is excluded from the production VSIX.

Run npm run verify:stub-sdk to build both JARs and verify the complete Bridge-to-Stub reflection call.

Validation flow

The validation build scans only after a file is saved. It calculates the new-side lines changed from Git HEAD and sends only that increment for analysis. Only the PASSWORD_SEC rule is enabled; other rules and unsaved editor changes are not scanned.

At startup, the extension validates securityScan.sdkJarPath and loads that local SDK JAR directly. It does not download the scanner SDK, and the SDK is not bundled in the VSIX. This temporary local-file flow trusts the explicitly configured JAR and does not perform an embedded SHA-256 check.

The Java Bridge is persistent: one process serves multiple saved-file scans. SDK log lines are isolated from the prefixed protocol and their content is omitted from extension logs. If Git HEAD cannot provide a reliable increment and there are no saved editor-change lines, scanning is skipped instead of falling back to the whole file.

Development verification

Use JDK 17 and Maven to build the Java 8-compatible Bridge, then run:

npm run check
npm run build:bridge
npm run bundle
npm run test:e2e
npm run package

Real SDK validation must run inside the company network. See docs/real-sdk-validation.md for the sanitized validation matrix.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft