Guvnor Cloud

AI-powered security + Terraform copilot — triage CVEs, auto-patch misconfigs, open PRs without leaving VS Code
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Guvnor Cloud for VS Code

AI-powered security + Terraform copilot. Triage CVEs, auto-patch misconfigurations, and open pull requests — all inside VS Code.

Guvnor unifies the work that's spread across Snyk, Prisma Cloud, Wiz, Dependabot, and Copilot Autofix today. One panel, one brain, one place to go from "here's a finding" to "here's the merged PR."


What it does

Triage security findings inline

Open the Security Findings panel (activity bar → Guvnor → Findings, or Guvnor: Show Security Findings) and see every active finding for your connected accounts and repositories — CSPM posture checks, CVEs, IaC scans, secret leaks, and SAST results — in one filterable table.

Click any row to see the details, then Analyze with AI to generate an explanation and a concrete patch (Terraform, package.json, whatever the finding touches). Review the diff, hit Create PR, and Guvnor commits the branch and opens the pull request in your connected repo.

For dependency CVEs, Recheck re-validates the current lockfile without re-running the full scan — useful when you've already upgraded but the finding is still shown as open.

Exception management

Not every finding needs a fix. Use the inline exception form to file a false-positive, acceptable-risk, or vendor-delay exception with justification, scope (check / resource / service), and expiry.

When the AI analysis determines a finding genuinely doesn't need remediation (can_remediate: false), Guvnor automatically files a 1-year false-positive exception using the AI's explanation as justification. You can still convert it to a permanent scope or add details later on the dashboard.

Inline Terraform suggestions

While you write .tf files, Guvnor flags a short list of high-impact anti-patterns as you type — no need to run a scan:

  • cidr_blocks = ["0.0.0.0/0"] and IPv6 ::/0 ingress
  • Public S3 ACLs (public-read, public-read-write, authenticated-read)
  • publicly_accessible = true on RDS
  • map_public_ip_on_launch = true
  • Wildcard IAM Action or Principal ("*")
  • force_destroy = true on buckets
  • skip_final_snapshot = true on databases

Each one shows as a squiggle, a Quick Fix lightbulb with a one-click safe replacement, and a ghost-text suggestion at the cursor. Press Tab to accept. A session-scoped "Ignore on this line" is available as a second Quick Fix.
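
A simplified sketch of a local, regex-based check for the seven patterns listed above, added here as an illustration and not the extension's own code. The rule ids and regular expressions are assumptions; the sketch also skips commented-out lines and 0.0.0.0/0 inside egress blocks, which the page does not describe.

```javascript
// Added example: rule ids and regexes are assumptions, not Guvnor's rule set.
const RULES = [
  { id: "open-ingress-ipv4", ingressOnly: true, re: /\bcidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0\/0"/ },
  { id: "open-ingress-ipv6", ingressOnly: true, re: /\bipv6_cidr_blocks\s*=\s*\[[^\]]*"::\/0"/ },
  { id: "public-s3-acl", re: /\bacl\s*=\s*"(public-read(-write)?|authenticated-read)"/ },
  { id: "rds-public", re: /\bpublicly_accessible\s*=\s*true\b/ },
  { id: "public-ip-on-launch", re: /\bmap_public_ip_on_launch\s*=\s*true\b/ },
  { id: "iam-wildcard", re: /"?\b(Action|Principal)"?\s*[=:]\s*\[?\s*"\*"/ },
  { id: "force-destroy", re: /\bforce_destroy\s*=\s*true\b/ },
  { id: "skip-final-snapshot", re: /\bskip_final_snapshot\s*=\s*true\b/ },
];

// Returns [{ line, rule }] for every rule hit in the Terraform source text.
function scanTerraform(text) {
  const findings = [];
  const stack = []; // names of the enclosing blocks, innermost last
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (/^(#|\/\/)/.test(line)) return; // commented-out settings are not findings
    const name = (line.match(/^\w+/) || [""])[0];
    const scope = [...stack, name]; // include a block opened on this same line
    for (const { id, re, ingressOnly } of RULES) {
      // 0.0.0.0/0 inside an egress block is ordinary outbound access: skip it.
      if (ingressOnly && scope.includes("egress")) continue;
      if (re.test(line)) findings.push({ line: i + 1, rule: id });
    }
    // Track block nesting by net brace count on this line.
    const net = (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
    for (let n = net; n > 0; n--) stack.push(name);
    for (let n = -net; n > 0; n--) stack.pop();
  });
  return findings;
}

// Constructed sample input (line 1 is the empty line after the backtick).
const SAMPLE = `
resource "aws_security_group" "web" {
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_db_instance" "db" {
  # publicly_accessible = true
  skip_final_snapshot = true
}
`;
console.log(scanTerraform(SAMPLE));
```

A line-based matcher like this cannot see an aws_security_group_rule whose direction is set by a separate type argument, which is one reason such editor hints complement a full IaC scan rather than replace it.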

Chat with the @guvnor participant

Open VS Code Chat and mention @guvnor:

  • @guvnor /fix CVE-2025-29927 — runs the AI analysis against a matching active finding and streams the explanation plus the proposed patch diffs. A link at the bottom jumps to the findings panel focused on that row for PR creation.
  • @guvnor /drift — lists drifted resources and suggests fixes.
  • @guvnor /review — reviews the current Terraform file against AWS Well-Architected best practices.
  • @guvnor /import — generates Terraform import blocks for unmanaged AWS resources.
  • @guvnor /explain — explains the infrastructure topology and resource relationships.

Resource intelligence

The Resources sidebar shows every AWS resource in the connected account, grouped by managed (in Terraform, no drift), drifted (in Terraform, state diverged), and unmanaged (live but not in code). Click any resource to see its live config, Terraform mapping, and drift diff. Gutter decorations, CodeLens, and hover info surface the same mapping data inline in .tf files. The status bar shows current coverage percentage and drift count at a glance.


Getting started

  1. Install the extension.
  2. Open a workspace containing Terraform files (or any repo — the findings panel works either way).
  3. Sign in: the extension prompts you on first activation, or run Guvnor: Login from the command palette. The flow is a standard device-auth redirect — no API keys to paste.
  4. Connect at least one AWS account and one GitHub repository at guvnor.cloud/settings/connections. The extension reflects that same account's data.

Commands

| Command | What it does |
|---|---|
| Guvnor: Login / Guvnor: Logout | Device-auth flow, token stored in VS Code secret storage |
| Guvnor: Show Security Findings | Opens the main findings panel |
| Guvnor: Refresh Security Findings | Reloads findings after a backend scan or manual change |
| Guvnor: Create Pull Request | Alias that opens the findings panel (PR creation is per-finding) |
| Guvnor: Refresh Resources | Reloads the reconciliation data (managed / drifted / unmanaged) |
| Guvnor: Show Resource Detail | Opens the resource detail panel for a given ARN |
| Guvnor: Open AI Chat (Ctrl/Cmd+Shift+G) | Opens the @guvnor chat panel |
| Ask Guvnor AI about this | Right-click a selection in any file to ask the AI about it |

Configuration

| Setting | Default | Purpose |
|---|---|---|
| guvnor.apiUrl | https://stackstudio.guvnor.cloud | StackStudio (AI + RAG) endpoint |
| guvnor.backendUrl | https://api.guvnor.cloud | Main Guvnor backend (findings, fixes, exceptions) |

Both defaults are correct for the managed Guvnor Cloud service. Change them only if you're on a self-hosted or staging deployment.


Privacy

  • Your authentication token is stored in VS Code's platform-native secret store (Keychain / Credential Manager / libsecret).
  • Active editor content, selections, and file references included in a chat request are sent to the Guvnor backend only while processing that request, and only when you explicitly invoke the chat participant.
  • The inline Terraform suggestions are evaluated locally in the extension against a static regex allowlist — they do not call any backend.
  • Findings, analysis, and patch generation happen on the Guvnor backend; no proprietary telemetry is collected by this extension beyond what your Guvnor account already tracks on guvnor.cloud.

Support

  • Issues and feature requests: github.com/guvnorcloud/vscode-extension/issues
  • Documentation: guvnor.cloud/docs
  • Email: support@guvnor.cloud