Deva Security
In-editor security scanning, AI-assisted fixes, and compliance framework mapping for VS Code, Cursor, Windsurf, and any VS Code-API-compatible IDE.
What it does
- Scan — OpenGrep-powered SAST across 185+ rulepacks. Findings appear as native VS Code diagnostics with CWE links and remediation hints.
- Map — Every finding maps to compliance controls across NIST 800-53, ISO 27001, HIPAA, SOC 2, FedRAMP, CIS Top 18, OWASP Top 10, PCI DSS, and more.
- Fix — Click the lightbulb on any finding to generate a fix with an LLM. Streaming preview, side-by-side diff, apply with one click.
- Export — SARIF, JUnit, and agent-json formats for CI consumption.
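The SARIF export is the one most CI systems can consume directly. As an added example (not part of the Deva extension or its engine), the script below turns a SARIF 2.1.0 file into a pass/fail gate: it skips suppressed results, resolves each result's level the way the SARIF spec does (the result's own `level`, else the rule's `defaultConfiguration.level`, else `warning`), pulls the CWE tags off the rule metadata, and exits non-zero when anything at or above the chosen severity remains. The `SAMPLE_SARIF` document, its rule ids, CWE tags and file paths are constructed for the example and do not come from Deva's rulepacks.

```python
"""CI gate over a SARIF export (added example, not the extension's own code)."""
import json
import sys
from collections import Counter

# SARIF result levels, least to most severe. "none" marks informational results.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample export: one error-level result, one warning-level result,
# and one result whose level comes from its rule's defaultConfiguration but is suppressed.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py.sql-injection", "properties": {"tags": ["CWE-89", "security"]}},
            {"id": "py.hardcoded-secret", "properties": {"tags": ["CWE-798"]}},
            {"id": "py.weak-hash", "defaultConfiguration": {"level": "error"},
             "properties": {"tags": ["CWE-328"]}},
        ]}},
        "results": [
            {"ruleId": "py.sql-injection", "level": "error",
             "message": {"text": "Query string built from request input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "py.hardcoded-secret", "level": "warning",
             "message": {"text": "API key literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"}, "region": {"startLine": 7}}}]},
            {"ruleId": "py.weak-hash",
             "message": {"text": "MD5 used for password hashing"},
             "suppressions": [{"kind": "inSource", "justification": "test fixture"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"}, "region": {"startLine": 3}}}]},
        ],
    }],
})


def parse_findings(sarif_text):
    """Flatten a SARIF document into plain dicts, dropping suppressed results."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            if res.get("suppressions"):
                continue  # accepted risk: recorded in the file, not a build failure
            rule = rules.get(res.get("ruleId"), {})
            # SARIF level resolution: result.level, else the rule default, else "warning".
            level = (res.get("level")
                     or rule.get("defaultConfiguration", {}).get("level")
                     or "warning")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "<unknown>"),
                "level": level,
                "cwes": [t for t in rule.get("properties", {}).get("tags", [])
                         if t.startswith("CWE-")],
                "uri": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": phys.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def gate(sarif_text, fail_on="error"):
    """Return (passed, blocking, counts); passed is False if any finding is at or above fail_on."""
    if fail_on not in LEVEL_RANK:
        raise ValueError(f"unknown level {fail_on!r}; expected one of {sorted(LEVEL_RANK)}")
    findings = parse_findings(sarif_text)
    blocking = [f for f in findings if LEVEL_RANK.get(f["level"], 0) >= LEVEL_RANK[fail_on]]
    counts = Counter(f["level"] for f in findings)
    return not blocking, blocking, dict(counts)


if __name__ == "__main__":
    # Usage: python sarif_gate.py findings.sarif [error|warning|note|none]
    path = sys.argv[1]
    level = sys.argv[2] if len(sys.argv) > 2 else "error"
    with open(path, encoding="utf-8") as fh:
        passed, blocking, counts = gate(fh.read(), level)
    print("findings by level:", counts)
    for f in blocking:
        print(f"{f['uri']}:{f['line']} [{f['level']}] {f['rule']} "
              f"{','.join(f['cwes'])}: {f['message']}")
    sys.exit(0 if passed else 1)
```

Run it against the file the Export command writes (`python sarif_gate.py findings.sarif warning` to block on warnings too). Suppressions are honoured deliberately: an accepted-risk finding should stay visible in the SARIF record without failing every subsequent build.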
Screenshots
Native VS Code diagnostics with CWE links, severity-grouped Findings tree, and a live scan progress toast.
Severity tally, top compliance coverage, quick actions, findings, and posture across 17 frameworks — all in one panel.
LLM modes
Deva works fully offline by default. You pick where AI features run:
- local-deva (default) — Fine-tuned Deva models via local Ollama. Free. Private.
- local-ollama — Any model in your local Ollama.
- byok — Your own Anthropic / OpenAI / Gemini key. The provider bills you.
- cloud-frontier — Frontier models on a Deva subscription with team management.
Switch any time via Deva: Switch LLM Mode in the Command Palette.
This release ships engine binaries for:
- macOS (Apple Silicon) — darwin-arm64
- Linux (x86_64) — linux-x64
- Windows (x86_64) — win32-x64
Intel Mac (darwin-x64) and Linux ARM (linux-arm64) are not yet supported — the extension will install but scans will fail with a "platform not yet supported" error.
First-run network access
On first activation, Deva downloads its scanning engine and the OpenGrep binary (~65–90 MB total, depending on platform) from the public Deva CDN:
https://pub-55d597d59a86409c96832aa5da1ec422.r2.dev/engine/...
If you're behind a corporate proxy or firewall, allowlist that host (pub-55d597d59a86409c96832aa5da1ec422.r2.dev, HTTPS only) for the first activation. Once the engine is cached in VS Code's globalStorage, scanning works offline and no further access to the CDN is needed for scans.
Privacy & data handling
Deva is offline-first. What leaves your machine depends on the LLM mode you pick:
| Mode | Source code leaves your machine? | Where it goes |
|---|---|---|
| local-deva (default) | No | Local Ollama only |
| local-ollama | No | Local Ollama only |
| byok | Yes, on AI-fix and AI-validation actions | Direct to Anthropic / OpenAI / Gemini using your key |
| cloud-frontier | Yes, on AI-fix and AI-validation actions | Deva proxy → upstream provider |
- BYOK API keys are stored in VS Code SecretStorage and never written to settings or disk.
- Static scanning (the default workflow) is local in every mode — only AI-fix and AI-validation calls send code, and only in the modes shown above.
- Deva does not collect telemetry from this extension. Authentication for cloud-frontier uses Firebase OAuth and only stores an account ID + token in SecretStorage.
Repository layout
```text
.
├── package.json              Extension manifest
├── src/                      TypeScript extension code
│   ├── extension.ts          Activation entry
│   ├── auth/                 Firebase OAuth provider
│   ├── backend/              Engine lifecycle + HTTP client + installer
│   ├── codeActions/          AI-fix code actions
│   ├── commands/             Command palette entries
│   ├── diagnostics/          Findings → vscode.Diagnostic
│   ├── llm/                  Mode router, proxy client, BYOK clients
│   ├── output/               SARIF / JUnit / agent-json export
│   ├── types/                Wire types (mirrors Pydantic models)
│   ├── views/                Findings tree, compliance tree, status bar
│   └── webviews/             Compliance posture matrix
├── engine/                   Python scanning engine (ports to PyInstaller)
│   ├── backend/              FastAPI server (slimmed to 7 routers)
│   ├── compliance_seeds/     Framework data
│   ├── rulepacks/            OpenGrep rules
│   ├── scripts/              Build + verify scripts
│   ├── src/dsc/              Scanner library
│   ├── tests/                Compliance-correctness tests
│   └── vendor/               OpenGrep + reference compliance data
├── resources/
│   ├── icons/                Activity bar icon
│   ├── sample-vulns/         Bundled vulnerable code samples
│   └── walkthroughs/         Onboarding markdown
└── test/                     Extension-host integration tests
```
Development
```bash
# One-time
npm install

# Build
npm run build

# Watch (rebuild on change)
npm run watch

# Run the extension in a fresh Extension Host
# (Use the "Run Extension" debug config in VS Code)

# Run the engine locally for development
bash engine/scripts/dev-engine.sh
```
CI
The compliance test suite is the engine-correctness gate; it must pass on every PR:

```bash
bash engine/scripts/test-compliance.sh
```

CI must install OpenGrep before running the gate; without it the suite cannot scan and fails at setup rather than on a compliance check. The release workflow's engine/vendor/opengrep/setup.sh script installs it automatically for any job that needs to scan during the build.
Releasing
Two independent version axes (extension VSIX vs. engine bundle). Read RELEASING.md before bumping versions or pushing tags. The short version: if your PR touches engine/, the engine version bumps and gets a new engine-vX.Y.Z tag after merge; if it's TS-only, no bump is needed.
License
MIT — see LICENSE.txt.