🛡️ Security Checker Agent
AI-powered security analysis extension for VS Code with MCP Security Checker that detects vulnerabilities using OWASP Top 10 + OWASP LLM Top 10 guidelines
Security Checker Agent is a comprehensive VS Code extension that automatically analyzes your code for security vulnerabilities based on the OWASP Top 10 security risks and includes a specialized MCP Security Checker for Model Context Protocol implementations. It provides real-time security analysis, actionable suggestions, and integrates seamlessly with GitHub Copilot.
✨ Key Features
🤖 MCP Security Checker ⭐ NEW ⭐
- Automatic MCP Detection: Automatically scans workspace for Model Context Protocol servers
- 10 Critical MCP Vulnerabilities: Comprehensive analysis of MCP-specific security threats
- 🔸 Prompt Injection
- 🔸 Tool Poisoning
- 🔸 Dynamic Tool Changes
- 🔸 Misconfigured Authentication & Authorization
- 🔸 Excessive Permissions
- 🔸 Indirect Prompt Injections
- 🔸 Session Hijacking
- 🔸 Confused Deputy Problem
- 🔸 Token Passthrough Vulnerabilities
- 🔸 Supply Chain Vulnerabilities
- OWASP LLM Top 10 Integration: Analysis against OWASP LLM security guidelines
- Interactive Animations: Beautiful scanning animations with real-time progress
- Detailed Reporting: Comprehensive MCP security reports with recommendations
🔍 Comprehensive Security Analysis
- Multi-language support: JavaScript, TypeScript, Python, Java, C#, PHP, Ruby, Go, C/C++, Vue.js, Rust, Kotlin
- OWASP Top 10 coverage: All 10 categories with 70+ security rules
- Modern frameworks: React, Vue.js, Angular specific vulnerability detection
- API security: GraphQL, REST API, CORS vulnerability scanning
- Cloud security: AWS, Docker, container security patterns
- AST-based analysis: Deep code understanding beyond simple pattern matching
- Real-time detection: Instant feedback as you code
🤖 GitHub Copilot Integration
Chat with the security agent using natural language:
@security-checker-agent audit # Analyze entire workspace
@security-checker-agent check # Analyze current file
@security-checker-agent mcp # Scan for MCP security issues
@security-checker-agent learn XSS # Learn about security topics
@security-checker-agent fix SQL # Get specific fix suggestions
@security-checker-agent help # Get help and commands
📊 Interactive Security Reports
- Security scoring: 0-100 rating based on vulnerability severity
- Visual dashboards: HTML reports with vulnerability breakdowns
- MCP-specific reports: Dedicated reporting for MCP security analysis
- Tree view navigation: Organized by OWASP categories
- Inline diagnostics: VS Code Problems panel integration
- Knowledge base: Interactive learning with examples and fixes
🎓 Learning Dashboard
- Interactive security education: Dedicated learning center with guided tutorials
- MCP Security Learning: Specialized learning modules for MCP security best practices
- Knowledge base access: Quick access to 7+ security topics with examples
- Learning statistics: Track your security education progress
- One-click learning: Start interactive sessions directly from dashboard
- GitHub Copilot integration: Seamless transition to chat-based learning
- Visual learning resources: Color-coded interface with progress tracking
⚡ Smart Analysis Engine
- Pattern matching: Regex-based vulnerability detection
- Data flow analysis: Track tainted variables through code
- Context awareness: Reduces false positives with AST analysis
- Framework-specific rules: Tailored detection for React, Vue, Angular
- Configurable rules: Enable/disable specific security checks
- Performance optimized: Non-blocking background analysis
🏆 OWASP Top 10 Security Coverage
| Category |
Description |
Examples Detected |
| A01: Broken Access Control |
Authorization flaws |
Hardcoded roles, missing auth checks |
| A02: Cryptographic Failures |
Weak crypto implementation |
MD5/SHA1 usage, hardcoded secrets |
| A03: Injection |
Code injection vulnerabilities |
SQL injection, command injection, XSS |
| A04: Insecure Design |
Security design flaws |
Missing input validation, weak architecture |
| A05: Security Misconfiguration |
Insecure configurations |
Debug mode enabled, default passwords |
| A06: Vulnerable Components |
Outdated dependencies |
Known vulnerable packages |
| A07: Authentication Failures |
Auth implementation issues |
Weak passwords, session management |
| A08: Data Integrity Failures |
Data validation issues |
Unsafe deserialization, tampering |
| A09: Logging/Monitoring Failures |
Insufficient logging |
Missing security event logs |
| A10: Server-Side Request Forgery |
SSRF vulnerabilities |
Unvalidated URL requests |
🎯 Modern Framework Security
React Security Patterns
- dangerouslySetInnerHTML XSS: Detects unsafe HTML injection in React components
- href XSS vulnerabilities: Identifies dynamic href attributes that can lead to XSS
- State mutation issues: Catches direct state modifications that bypass React's update cycle
Vue.js Security Patterns
- v-html XSS risks: Detects unsafe use of v-html directive with user input
- Template injection: Identifies dynamic template compilation vulnerabilities
Angular Security Patterns
- innerHTML XSS: Catches unsafe innerHTML binding with user data
- Trust bypass issues: Detects misuse of Angular's security bypass methods
API Security Patterns
- GraphQL vulnerabilities: Query complexity attacks, injection risks
- CORS misconfigurations: Overly permissive cross-origin policies
- Rate limiting gaps: Missing rate limiting on API endpoints
- JWT security issues: Weak secrets, missing verification
Cloud Security Patterns
- AWS S3 misconfigurations: Public bucket access, insecure policies
- Docker security: Root user containers, exposed secrets
- Lambda security: Environment variable exposure, privilege escalation
� Getting Started
Installation
- Install from the VS Code Marketplace
- Open any workspace with code files
- The extension activates automatically
Quick Usage
1. Analyze Your Workspace
- Command Palette:
Security Checker: Audit Workspace
- Chat Command:
@security-checker-agent audit
2. Check Current File
- Command Palette:
Security Checker: Audit Current File
- Chat Command:
@security-checker-agent check
3. View Security Report
- Command Palette:
Security Checker: Show Security Report
- Click on vulnerabilities in the Problems panel
4. Navigate Vulnerabilities
- Use the Security Analysis tree view in the Explorer
- Click on any vulnerability to jump to the code location
5. Access Learning Dashboard
- Command Palette:
Security Checker: Show Dashboard
- Click "Start Learning" in the Learning Center card
- Access Knowledge Base for topic-specific education
- Track your learning progress with built-in statistics
6. Interactive Learning
- Chat Commands:
@security learn sql-injection - Learn about SQL injection@security learn xss - XSS prevention techniques@security learn authentication - Authentication security
- Dashboard Features:
- One-click learning mode activation
- Quick access to 7+ security topics
- Visual progress tracking
⚙️ Configuration
Customize the extension behavior in VS Code settings:
{
"securityChecker.enableRealTimeAnalysis": true,
"securityChecker.riskThreshold": "medium",
"securityChecker.enabledRules": [
"injection",
"broken-auth",
"sensitive-data",
"xxe",
"broken-access",
"security-config",
"xss",
"insecure-deserialization",
"vulnerable-components",
"logging-monitoring"
]
}
Configuration Options
| Setting |
Type |
Default |
Description |
enableRealTimeAnalysis |
boolean |
true |
Enable automatic analysis on file changes |
riskThreshold |
string |
"medium" |
Minimum risk level to display (low, medium, high) |
enabledRules |
array |
All rules |
Specific OWASP categories to check |
📋 Example Detections
❌ Vulnerable Code
// A02: Hardcoded Secret
const API_KEY = 'sk-1234567890abcdef';
// A03: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// A01: Hardcoded Role
const user = { role: 'admin' };
// A03: Command Injection
exec('ls -la ' + userInput);
// React XSS
<div dangerouslySetInnerHTML={{__html: userInput}} />
// Vue.js XSS
<div v-html="userContent"></div>
// GraphQL Injection
const query = `{ user(id: "${req.params.id}") { name } }`;
// JWT Security Issues
const token = jwt.decode(userToken); // No verification
const secret = 'weak-secret'; // Weak secret
✅ Secure Code (Recommended)
// A02: Environment Variable
const API_KEY = process.env.API_KEY;
// A03: Parameterized Query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
// A01: Dynamic Role Check
const userRole = await getUserRole(userId);
// A03: Safe Command Execution
execFile('ls', ['-la', sanitizedInput]);
// React Security
<div>{userInput}</div> // Auto-escaped
<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />
// Vue.js Security
<div>{{ userContent }}</div> // Auto-escaped
// GraphQL Security
const query = 'query($id: ID!) { user(id: $id) { name } }';
graphql(schema, query, null, null, { id: userId });
// JWT Security
const decoded = jwt.verify(token, strongSecret); // Proper verification
const secret = crypto.randomBytes(64).toString('hex'); // Strong secret
🔧 Commands
| Command |
Description |
Keybinding |
Security Checker: Audit Workspace |
Analyze all files in workspace |
|
Security Checker: Audit Current File |
Analyze currently open file |
|
Security Checker: Show Security Report |
Display detailed HTML report |
|
Security Checker: Clear Diagnostics |
Clear all security diagnostics |
|
📊 Security Scoring
The extension calculates a security score from 0-100 based on detected vulnerabilities:
- Critical: -20 points each 🚨
- High: -10 points each ⚠️
- Medium: -5 points each 💛
- Low: -2 points each ℹ️
Score Levels
- 90-100: 🟢 Excellent - Highly secure code
- 70-89: 🔵 Good - Minor security improvements needed
- 50-69: 🟡 Fair - Several security issues to address
- 30-49: 🟠 Poor - Significant security vulnerabilities
- 0-29: 🔴 Critical - Immediate security attention required
🎯 Supported Languages
| Language |
File Extensions |
Analysis Type |
| JavaScript |
.js, .jsx |
AST + Pattern |
| TypeScript |
.ts, .tsx |
AST + Pattern |
| Vue.js |
.vue |
Pattern |
| Python |
.py |
Pattern |
| Java |
.java |
Pattern |
| C# |
.cs |
Pattern |
| PHP |
.php |
Pattern |
| Ruby |
.rb |
Pattern |
| Go |
.go |
Pattern |
| C/C++ |
.c, .cpp |
Pattern |
| Rust |
.rs |
Pattern |
| Kotlin |
.kt |
Pattern |
| Docker |
Dockerfile |
Pattern |
| YAML/JSON |
.yaml, .json |
Pattern |
🤝 Contributing
We welcome and encourage contributions from the community! Whether you're fixing bugs, adding new features, improving documentation, or suggesting security rules, your help makes this extension better for everyone.
Ways to Contribute
- 🐛 Report Bugs: Found an issue? Create a bug report
- ✨ Request Features: Have an idea? Submit a feature request
- 🛡️ Suggest Security Rules: Propose new OWASP rules or improvements
- 📝 Improve Documentation: Help make our docs clearer and more comprehensive
- 💻 Code Contributions: Submit pull requests for bug fixes or new features
Getting Started for Contributors
- Fork the repository on GitHub
- Clone your fork locally:
git clone https://github.com/YOUR_USERNAME/security-checker-agent.git
cd security-checker-agent
- Install dependencies:
npm install
- Create a feature branch:
git checkout -b feature/your-feature-name
- Make your changes and test thoroughly
- Commit with clear, descriptive messages:
git commit -m "Add: New OWASP rule for detecting XSS vulnerabilities"
- Push to your fork and create a pull request
Development Setup
# Install dependencies
npm install
# Build the extension
npm run build
# Watch for changes during development
npm run watch
# Run tests
npm test
# Package the extension
npm run package
# Lint code
npm run lint
Coding Guidelines
- Follow TypeScript best practices
- Add tests for new security rules
- Update documentation for new features
- Ensure all tests pass before submitting PR
- Follow the existing code style and patterns
Pull Request Process
- Ensure your PR description clearly describes the problem and solution
- Include the relevant issue number if applicable
- Make sure all tests pass and no linting errors exist
- Update the README.md if you change functionality
- Your PR will be reviewed by maintainers before merging
🐛 Reporting Bugs
If you encounter any bugs or issues, please help us improve by reporting them:
Before Reporting
- Check if the issue already exists in GitHub Issues
- Make sure you're using the latest version of the extension
- Try reproducing the issue in a clean environment
How to Report
Use our Bug Report Template: Create Bug Report
Please include:
- Clear description of the bug
- Steps to reproduce the issue
- Expected vs actual behavior
- Screenshots or error messages
- Your environment details (VS Code version, OS, etc.)
- Sample code that triggers the issue
✨ Feature Requests
Have an idea to make Security Checker Agent even better? We'd love to hear it!
Request a Feature
Use our Feature Request Template: Request Feature
Please include:
- Clear description of the requested feature
- Use case or problem it solves
- Proposed solution or implementation ideas
- Any additional context or examples
Popular Feature Requests
- Additional language support
- Custom security rule creation
- Integration with other security tools
- Advanced reporting features
- Team collaboration features
📚 Resources
🆘 Support
📄 License
This project is licensed under a Custom License - see the LICENSE.md file for details.
TL;DR: Free to use, study, and contribute. Cannot be republished or commercially redistributed without permission.
🌟 Acknowledgments
- OWASP Foundation for security guidelines and best practices
- VS Code Team for the excellent extensibility platform
- GitHub Copilot for AI integration capabilities
- Security Community for continuous vulnerability research and feedback
🚀 Follow Me
Stay updated with the latest news, releases, and tips:
Join our community and never miss an update!
🛡️ Developed with getasyntax by Nisal Gunawardhana (@nisalgunawardhana)
Making secure coding accessible to everyone
Star ⭐ this project on GitHub if it helps you write more secure code!
