Deva Security
In-editor security scanning, AI-assisted fixes, and compliance framework mapping for VS Code, Cursor, Windsurf, and any VS Code-API-compatible IDE.
What it does
- Scan — OpenGrep-powered SAST across 185+ rulepacks. Findings appear as native VS Code diagnostics with CWE links and remediation hints.
- Map — Every finding maps to compliance controls across NIST 800-53, ISO 27001, HIPAA, SOC 2, FedRAMP, CIS Top 18, OWASP Top 10, PCI DSS, and more.
- Fix — Click the lightbulb on any finding to generate a fix with an LLM. Streaming preview, side-by-side diff, apply with one click.
- Export — SARIF, JUnit, and agent-json formats for CI consumption.
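The SARIF export is the artifact a CI job consumes. As an added example (not code from the Deva extension or from this page), here is a Python script that reads a SARIF 2.1.0 report, resolves each result's level from the rule's `defaultConfiguration` when the result omits it, emits GitHub Actions annotations so findings show inline on the pull request, and exits non-zero above a chosen severity. The embedded report, its rule ids, CWE tags and file paths are constructed for the example and are not Deva rulepack identifiers; the report file name and the threshold argument are assumptions.

```python
"""Consume a SARIF 2.1.0 report in CI: count findings per level, emit GitHub
Actions annotations, and fail the job above a severity threshold.
Added example, not Deva's code; the sample report below is constructed."""
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 report. Rule ids, paths and messages are invented for
# this example and are not Deva rulepack identifiers.
SAMPLE_SARIF_JSON = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sample-sast", "rules": [
            {"id": "demo/sqli", "defaultConfiguration": {"level": "error"},
             "properties": {"tags": ["CWE-89"]}},
            {"id": "demo/hardcoded-secret", "defaultConfiguration": {"level": "warning"},
             "properties": {"tags": ["CWE-798"]}},
            {"id": "demo/debug-log", "properties": {"tags": ["CWE-532"]}},
        ]}},
        "results": [
            # No explicit level: must fall back to the rule's default ("error").
            {"ruleId": "demo/sqli",
             "message": {"text": "query built with string formatting"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "demo/hardcoded-secret", "level": "warning",
             "message": {"text": "API key literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"}, "region": {"startLine": 7}}}]},
            # No location at all: the consumer must not crash on this.
            {"ruleId": "demo/debug-log", "level": "note",
             "message": {"text": "verbose logging left enabled"}},
        ],
    }],
})

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def iter_findings(sarif):
    """Flatten a SARIF object into plain dicts, resolving each result's level the
    way the spec does: result.level, else the rule's defaultConfiguration.level,
    else "warning". Only the first physical location is kept."""
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = (res.get("level")
                     or rule.get("defaultConfiguration", {}).get("level")
                     or "warning")
            uri = line = None
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                break
            tags = rule.get("properties", {}).get("tags", [])
            yield {"rule": res.get("ruleId") or "unknown-rule", "level": level,
                   "file": uri, "line": line,
                   "cwes": [t for t in tags if t.startswith("CWE-")],
                   "message": res.get("message", {}).get("text", "")}


def summarize(sarif):
    """Number of findings per SARIF level."""
    return Counter(f["level"] for f in iter_findings(sarif))


def github_annotations(sarif):
    """One GitHub Actions workflow command per finding so it shows inline on the
    PR diff (::error file=...,line=...::message). SARIF "note" maps to notice."""
    kinds = {"note": "notice", "warning": "warning", "error": "error"}
    out = []
    for f in iter_findings(sarif):
        kind = kinds.get(f["level"], "notice")
        where = f" file={f['file']},line={f['line']}" if f["file"] and f["line"] else ""
        label = " ".join([f["rule"]] + f["cwes"])
        out.append(f"::{kind}{where}::[{label}] {f['message']}")
    return out


def should_fail(sarif, threshold="error"):
    """True if any finding is at or above the threshold level."""
    floor = LEVEL_RANK[threshold]
    return any(LEVEL_RANK.get(f["level"], 0) >= floor for f in iter_findings(sarif))


def gate(sarif_text, threshold="error"):
    """Parse report text; return (per-level summary, annotations, exit code)."""
    sarif = json.loads(sarif_text)
    return (summarize(sarif), github_annotations(sarif),
            1 if should_fail(sarif, threshold) else 0)


if __name__ == "__main__":
    # Usage (file name assumed): python sarif_gate.py deva.sarif [error|warning|note]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF_JSON
    threshold = sys.argv[2] if len(sys.argv) > 2 else "error"
    summary, annotations, code = gate(text, threshold)
    print("\n".join(annotations))
    print("findings by level:", dict(summary))
    sys.exit(code)
```

Run without arguments it gates the embedded sample and exits 1 because of the error-level result. Two details matter for any SARIF consumer: a result that omits `level` inherits the rule's default rather than being silently treated as informational, and a result without a location must still be counted and reported. Results that reference rules by `ruleIndex` instead of `ruleId` are not resolved by this script.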
Screenshots
Native VS Code diagnostics with CWE links, severity-grouped Findings tree, and a live scan progress toast.
Severity tally, top compliance coverage, quick actions, findings, and posture across 17 frameworks — all in one panel.
LLM modes
Deva works fully offline by default. You pick where AI features run:
- local-deva (default) — Fine-tuned Deva models running locally. Free. Private.
- local-ollama — Any model in your local Ollama.
- byok — Your own Anthropic / OpenAI / Gemini key. The provider bills you.
- cloud-frontier — Frontier models on a Deva subscription with team management.
Switch any time via Deva: Switch LLM Mode in the Command Palette.
Supported platforms
This release ships engine binaries for:
- macOS (Apple Silicon) — darwin-arm64
- Linux (x86_64) — linux-x64
- Windows (x86_64) — win32-x64
Intel Mac (darwin-x64) and Linux ARM (linux-arm64) are not yet supported — the extension will install but scans will fail with a "platform not yet supported" error.
First-run network access
On first activation, Deva downloads its scanning engine and the OpenGrep binary (~65–90 MB total, depending on platform) from the public Deva CDN:
https://pub-55d597d59a86409c96832aa5da1ec422.r2.dev/engine/...
If you're behind a corporate proxy or firewall, allowlist that host (pub-55d597d59a86409c96832aa5da1ec422.r2.dev, over HTTPS) for the first activation. The download happens once: after the engine is cached in VS Code's globalStorage, scanning works offline.
Privacy & data handling
Deva is offline-first. What leaves your machine depends on the LLM mode you pick:
| Mode | Source code leaves your machine? | Where it goes |
|---|---|---|
| local-deva (default) | No | Stays on your machine |
| local-ollama | No | Local Ollama only |
| byok | Yes, on AI-fix and AI-validation actions | Direct to Anthropic / OpenAI / Gemini using your key |
| cloud-frontier | Yes, on AI-fix and AI-validation actions | Deva proxy → upstream provider |
- BYOK API keys are stored securely by your editor — never written to settings, disk, or any Deva-managed location.
- Static scanning (the default workflow) is local in every mode — only AI-fix and AI-validation calls send code, and only in the modes shown above.
- Deva does not collect telemetry from this extension.
- cloud-frontier sign-in stores only a session token locally; no credentials are persisted in plaintext.
License
Proprietary. Use is governed by the Deva Security End User License Agreement — see LICENSE.txt. Copyright (c) DevSecCode, Inc. All rights reserved.