Endor Labs Extension for VS Code

Endor Labs provides a plug-in for Visual Studio Code that developers can install from Visual Studio's marketplace and get started with early vulnerability and dependency scanning. The Endor Labs extension for Visual Studio Code scans your repositories and highlights issues that may exist in the open-source dependencies.

The extension helps developers fix code at its origin phase and during the early stages of development without running the endorctl scan. Developers can successfully perform early security reviews and mitigate the need for expensive fixes during later stages of development. It accelerates the process of creating, delivering, and shipping secure applications. You can use the extension with Endor Labs API credentials.

Prerequisites

The following prerequisites must be fulfilled to use the Endor Labs VS code extension:

• The minimum supported version of Visual Studio Code is 1.71 and higher.

• See the following table for supported languages, package managers, and file extensions. The extension reads the manifest files to fetch the list of dependencies and displays the results in both manifest and source code files.

  Supported Language	Manifest file	Source code file
  JavaScript	package.json	.js, .ts, .jsx, .tsx, .mjs, .cjs extensions
  Python	requirements.txt	.py extension
  Golang	go.mod	.go extension

• Generate Endor Labs API keys and have them handy. You must enter these details in the VS code extension. See Managing API Keys for details.

Install the Endor Labs extension

Developers can install the extension from Visual Studio's marketplace and configure it with Endor Labs API keys.

1. Launch Visual Studio Code and click Extensions.
2. Look for the Endor Labs using the search bar and click Install. See Visual Studio Extension documentation for details on managing the extension.
3. Select the Endor Labs extension, click the Settings icon, and choose Extension Settings.
4. Enter the API Key and API Secret of the Endor Labs application.

View scan results

The Endor Labs Visual Studio extension reads all the manifest files in your project and fetches the list of dependencies.

• Hover over a dependency to view the package version, released date, findings, and Endor Labs scores in a pop-up.
• Issues with dependencies are classified into severities critical, high, medium, and low to assist in prioritization.
• Click a specific version to view the same results in the Endor Labs application's user interface.
• The dependencies are color-coded in the following ways:
  • Red underline - Has critical findings and is also on an outdated version
  • Orange underline - Has critical findings and is on the latest version
  • Yellow underline - Has no critical findings but is an outdated version
  • No Underline - Has no critical findings and is on the latest version
• Use Update to latest version to update the package to its latest version.

Note: The manifest file is updated with the latest version however, the package is not automatically upgraded.