FossID Agentic SCA for VS Code

This extension is proprietary software owned by FossID AB, available through authorized marketplaces for use with a valid FossID subscription.

Stop shipping unknown open-source risk. FossID scans your codebase for open-source components, license obligations, and CVE vulnerabilities — surfacing findings inline, before they become a compliance or security problem.

Stop open source and software supply chain risk from moving downstream. FossID for VS Code brings Software Composition Analysis directly into the editor, helping developers identify open source components, license obligations, and known vulnerabilities as code is created. With AI agent integration, teams can move from periodic review to continuous, contextual compliance inside the development workflow.

Features

Open-source component detection

Identify open source components in your workspace, including direct, transitive, embedded, AI-generated and copied code that package managers cannot fully capture.

License compliance analysis

Detect copyleft licenses such as GPL and AGPL, modified or tampered license files, and other policy violations. Compare license text in your repository against canonical license text with a side-by-side diff.

CVE vulnerability detection

Surface known vulnerabilities associated with detected open source components, including severity metadata to help teams assess and prioritize remediation.

SBOM generation

Generate a Software Bill of Materials from your workspace to support audits, procurement reviews, release approvals, and software supply chain compliance workflows.

Inline editor integration

Review findings where developers already work. FossID findings appear as inline highlights and Problems panel entries, with diagnostics that link directly to the relevant file location. Resolved findings are cleared automatically on save, reducing manual cleanup and keeping feedback current.

AI assistant integration

FossID exposes its tools through MCP extensions, skills and hooks, enabling MCP-compatible AI chat clients to combine scanning, analysis, and editor actions through natural language.

"Scan this workspace and give me a risk overview."
"Find all files with GPL-3.0 licenses and push them to the Problems panel."
"Show a diff between the canonical MIT license text and my LICENSE file."

Supported AI Chat Clients

Client	Status
Claude Code (VS Code extension)	Supported
GitHub Copilot Chat (Agent Mode)	Supported
Cursor	Supported
Windsurf	Supported
Cline / Continue.dev	Supported

Getting Started

Install the extension from the VS Code Marketplace.
When the welcome notification appears, click Set Up.
Enter your FossID server URL and API token.
Ask your AI assistant to scan your workspace, or run any FossID command directly from the Command Palette.

Credentials are stored in VS Code's built-in SecretStorage. They are never written to disk or any config file.

Commands

Command	Description
`FossID: Set Up`	First-run wizard — enter your server URL and token.
`FossID: Sign In`	Update stored credentials.
`FossID: Sign Out`	Clear credentials and stop the extension.
`FossID: Request Access`	Request a FossID server account.

Requirements

VS Code 1.99 or later
A valid FossID subscription (contact FossID)
A FossID server URL and API token

Support

For bug reports or feature requests, visit fossid.com/support.