Iris — Code Health for VS Code

Static code insights for JavaScript, TypeScript, Go, and Python. No AI, no analysis backend, no telemetry. Everything runs locally.

Version 1.0.0 - Enforcement Update: git hook pre-push blocking, build-hook enforcement, dependents table with CVE scanning, inline diagnostics, and hardcoded secrets detection. Iris now stops bad code from shipping, not just warns about it.

Install from Marketplace · Documentation · iriscode.co

Product truths that should not drift

• Iris is a VS Code extension first. The main product surfaces are the sidebar, detached panel, Problems diagnostics, Code Lens, status bar, welcome page, commands, and the Dependents Table.
• Analysis is local-first. Iris does use network requests for sign-in, license validation, and dependency/advisory lookups, so "no backend" is inaccurate; "no analysis backend" is correct.
• The git hook is a pre-push hook, not a pre-commit hook. It runs the bundled CLI against the workspace root and blocks the push when the configured threshold fails.
• .irisconfig.json is a Pro feature inside the VS Code extension. The CLI still reads .irisconfig.json directly when present.
• Trend tracking stores 2 rolling snapshots on Free and unlimited snapshots on Pro.
• The Dependents Table reads root manifests: package.json, go.mod, requirements.txt, and [project] dependencies in pyproject.toml.

What Iris does

Iris analyses your code as you work — every file open and save triggers a full analysis. The sidebar shows:

• Health score — 0–100 composite score per file and workspace
• Complexity score — 1–10 based on function density, nesting, and control flow
• Function list — every function with line number
• Code smells — console.log, magic numbers, TODOs, long parameter lists, unused variables, hardcoded secrets
• TypeScript metrics — any usages, @ts-ignore count, non-null assertions, missing return types
• Workspace analysis — aggregate stats, file type breakdown, largest/most complex files, unused packages (Pro)
• Problems tab — all warnings across the workspace in one place (Pro)
• TODOs tab — all TODO/FIXME/HACK comments aggregated (Pro)
• Dependents Table — audit all third-party dependencies for outdated versions and CVEs (Pro)

Supported languages

Free vs Pro

Pro is $6/month globally. Nigerian developers: ₦3,500/month.

Get Pro at iriscode.co

Quick start

1. Install Iris from the marketplace
2. Open any JS, TS, Go, or Python file — the sidebar populates instantly
3. Run Iris: Sign In from the command palette to activate your account
4. Run Iris: Analyse Workspace to scan your entire project (Pro)

Configuration

VS Code settings (free)

Configure Iris via VS Code settings (iris.*) — open Settings UI or settings.json. All thresholds and toggles are available.

.irisconfig.json (Pro)

Drop a .irisconfig.json at your project root and commit it — your whole team runs Iris with the same thresholds. Requires a Pro licence. Takes priority over VS Code settings:

{
  "functionLengthThreshold": 60,
  "fileLengthThreshold": 400,
  "enableConsoleLogWarnings": false,
  "enableSecretsDetection": true,
  "enableInlineDiagnostics": true,
  "inlineDiagnostics": {
    "consoleLogs": true,
    "todos": true
  },
  "minHealthScore": 80,
  "ignoreFiles": ["**/*.test.ts", "**/generated/**"],
  "ignoreFunctions": ["main", "handler"],
  "severityOverrides": {
    "no-exports": "warning",
    "file-too-long": "warning"
  }
}

Threshold settings

Feature toggles

Other settings

Hardcoded secrets detection

When iris.enableSecretsDetection is enabled, Iris flags string literals that look like secrets:

• Suspicious variable names assigned to string literals — key, token, secret, password, api, and similar
• Known secret formats — GitHub personal access tokens, Stripe API keys, AWS access key IDs, and others
• Placeholder values such as your_key_here, changeme, or todo are ignored and not flagged

Each finding reduces the file health score by 10 points - the highest penalty in the system. Variables flagged as hardcoded secrets are excluded from the unused variables list to avoid double-counting.

Inline diagnostics

When iris.enableInlineDiagnostics is enabled (default), Iris findings appear as squiggles in the editor and entries in VS Code's Problems panel — no need to open the sidebar to spot issues.

Default enabled categories

Severity follows severityOverrides

The severityOverrides setting affects both sidebar display and inline diagnostics:

{
  "severityOverrides": {
    "hardcoded-secret": "warning",
    "unused-function": "error"
  }
}

Supported diagnostic codes: hardcoded-secret, file-too-long, function-too-long, too-many-functions, too-many-imports, no-exports, any-usage, ts-ignore, unused-function, unused-var, console-log, magic-number, long-param-list, todo.

CLI

Iris ships a local CLI for running health checks in CI or from the terminal without VS Code.

npm run build
node dist/cli.js check [path] [--min-score <0-100>] [--format pretty|json] [--output <path>] [--verbose]

Examples:

node dist/cli.js check                                          # check cwd, threshold 70
node dist/cli.js check ./src --min-score 80                    # stricter threshold
node dist/cli.js check --format json                           # machine-readable output
node dist/cli.js check --format json --output iris-report.json # write JSON to file
node dist/cli.js check ./src --verbose                         # show per-file warnings

Exit codes: 0 all pass, 1 one or more fail, 2 invalid arguments.

Reads .irisconfig.json automatically (Pro). Add "minHealthScore": 80 there to set a project-wide default threshold. See cli/README.md for full docs.

Dependents Table (Pro)

Open Iris: Open Dependents Table from the Command Palette to audit your third-party dependencies. Requires Pro.

• Table view — lists every dependency with its installed version, latest version, status (up-to-date / outdated / vulnerable / unknown), and any CVEs. Click N CVEs to expand inline advisory details per package.
• Ecosystems supported — npm (package.json), Go (go.mod), Python (requirements.txt / pyproject.toml).
• Cache — results are cached locally for 24 hours in .iris-cache/ (gitignored automatically). Click Scan to force a fresh check.
• GitHub token — click ⚙ Token in the toolbar to store a GitHub PAT in VS Code's SecretStorage, raising the advisory API rate limit from 60 to 5,000 requests/hour.

See docs/dependents-table.md for full documentation.

Git hook (Pro)

Iris can install a pre-push hook that blocks pushes when any file's health score is below your configured threshold. Requires Pro. On first activation in a git repo, Pro users are offered the hook automatically. You can also manage it manually:

Set "minHealthScore": 80 in .irisconfig.json to control the threshold. See docs/git-hook.md for full details.

Build hook (Pro)

Iris can wire a health check into your build step so failing code cannot be built. Requires Pro.

• Node projects - adds a prebuild script to package.json. If a prebuild script already exists, Iris chains before it.
• Go / Python projects - injects an iris-check phony target into your Makefile (creating it if absent) and wires it as a prerequisite on the first build: or all: target found.

The sidebar shows a "Build Hook" section next to the Git Hook section so you can see install status at a glance. See docs/build-hook.md for full details.

Commands

Privacy

Your code never leaves your machine. All analysis runs entirely locally. Iris makes network requests only for account management (sign-in, license validation) and the dependents table (npm/PyPI/Go Proxy version checks and GitHub Advisory API for CVEs). No code, file contents, or project structure is ever transmitted.

Documentation · Pricing · Support