SentinelCore
2 installs | (0) | Free
SentinelCore detects vulnerable dependencies, risky code patterns, AI-like code smells, and security issues across JavaScript, TypeScript, Python, PHP, and HTML. Author: Jabes Fuentes

SentinelCore

SentinelCore is a security + AI-risk intelligence platform for developers inside VS Code.

It brings vulnerable dependency intelligence, trust scoring, hotspot detection, code-quality analysis, AI-code heuristics, diagnostics, decorations, a TreeView, status bar summaries, and a generated Markdown report into one editor workflow.

Author: Jabes Fuentes

Key Features

  • Dependency vulnerability intelligence using NVD CVE, GitHub Security Advisories, and OSS Index.
  • Trust scoring for projects and files, with hotspot ranking and technical debt estimates.
  • Multi-language static analysis for JavaScript, TypeScript, Python, PHP, and basic HTML.
  • Live diagnostics while editing, with configurable debounce behavior.
  • Risk-aware TreeView grouped by hotspots, AI risk, security, maintainability, dependency health, and vulnerabilities.
  • Markdown reports with executive summaries, recommendations, risky files, violated rules, trust score, technical debt, and vulnerability details.
  • AI-code heuristics without sending source code to external AI APIs.

Supported Languages

  • JavaScript
  • TypeScript
  • Python
  • PHP
  • HTML basic checks

Running a Scan

Open the SentinelCore sidebar and select SentinelCore: Scan, or run the command from the Command Palette:

SentinelCore: Scan

After scanning, SentinelCore updates:

  • Problems panel diagnostics
  • Editor decorations
  • Sidebar results
  • Status bar risk summary
  • The generated sentinelcore-report.md

Build and Package

Install dependencies:

pnpm install

Run validation:

pnpm run check-types
pnpm run lint
pnpm run compile

Create a local VSIX package:

pnpm run package:vsix

Install the packaged beta locally:

code --install-extension sentinelcore-security-0.1.7.vsix

Uninstall the local extension:

code --uninstall-extension jabesxfuentes.sentinelcore-security

After installing, open the Command Palette and run:

SentinelCore: Scan

Screenshots

Screenshots will be added to the Marketplace listing separately from the production VSIX package.

Marketplace icon note: the extension ships with a 128x128 PNG icon at resources/icon.png for packaging. Keep resources/icon.svg as the source vector asset and regenerate the PNG if the icon changes.

Settings

SentinelCore contributes these settings:

  • sentinelcore.enableLiveAnalysis
  • sentinelcore.enableVulnerabilityScan
  • sentinelcore.enableNvd
  • sentinelcore.enableGhsa
  • sentinelcore.enableOssIndex
  • sentinelcore.enableDependencyHealth
  • sentinelcore.enableTyposquattingChecks
  • sentinelcore.exclude
  • sentinelcore.maxFileSizeKb
  • sentinelcore.maxDependencyAgeMonths
  • sentinelcore.scanOnSave
  • sentinelcore.reportFormat

Free and Future Premium

The current beta is focused on local static analysis, vulnerability intelligence, and editor UX.

Future premium features may add richer AI explanations, guided remediation, and team workflows. The current version does not call OpenAI or other AI APIs.

Privacy

SentinelCore does not send source code to AI APIs in the current version.

When vulnerability scanning is enabled, dependency package names and versions may be queried against external vulnerability sources:

  • NVD CVE API
  • GitHub Security Advisories API
  • OSS Index

These integrations can be disabled in settings.
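To make the statement above concrete, here is an added example (not SentinelCore's own code) of what "package names and versions" amount to when a manifest is prepared for the public OSS Index component-report API, and how a disabled feed flag suppresses the request entirely. It assumes package-url (purl) coordinates and models sentinelcore.enableOssIndex as a plain boolean.

```typescript
// Added example, not SentinelCore's own code: what a dependency lookup against
// OSS Index actually carries (package-url coordinates built from names and pinned
// versions) and how the sentinelcore.enableOssIndex flag, modelled here as a
// plain boolean, suppresses the outbound request entirely.

interface PackageManifest {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

// Only an exact version can be matched to an advisory; a range such as "^4.18.2"
// would first need resolving through the lockfile, so it is reported, not sent.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Build a purl such as pkg:npm/lodash@4.17.20; the purl spec percent-encodes
// the leading "@" of a scoped package name.
function npmPurl(name: string, version: string): string {
  const encoded = name.startsWith("@") ? "%40" + name.slice(1) : name;
  return `pkg:npm/${encoded}@${version}`;
}

// Split a manifest into queryable coordinates and unpinned specs, so the
// caller can see exactly which names and versions would leave the machine.
function collectCoordinates(manifest: PackageManifest): { coordinates: string[]; unpinned: string[] } {
  const coordinates: string[] = [];
  const unpinned: string[] = [];
  const all = { ...(manifest.dependencies ?? {}), ...(manifest.devDependencies ?? {}) };
  for (const [name, spec] of Object.entries(all).sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))) {
    const version = spec.replace(/^[=v]/, "");
    if (EXACT_VERSION.test(version)) coordinates.push(npmPurl(name, version));
    else unpinned.push(`${name}@${spec}`);
  }
  return { coordinates, unpinned };
}

// JSON body for the OSS Index component-report endpoint, or null when the feed
// is disabled in settings or nothing is pinned; null means no request at all.
function ossIndexRequestBody(manifest: PackageManifest, enableOssIndex: boolean): string | null {
  if (!enableOssIndex) return null;
  const { coordinates } = collectCoordinates(manifest);
  return coordinates.length === 0 ? null : JSON.stringify({ coordinates });
}

// Constructed sample manifest, not taken from any real project.
const SAMPLE_MANIFEST: PackageManifest = {
  dependencies: { lodash: "4.17.20", "@babel/core": "7.0.0", express: "^4.18.2" },
  devDependencies: { typescript: "5.4.5" },
};
console.log(ossIndexRequestBody(SAMPLE_MANIFEST, true), collectCoordinates(SAMPLE_MANIFEST).unpinned);
```

Reviewing the returned body is a quick way to confirm that only coordinates, and no source code, would be transmitted by a feed of this kind.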

Known Limitations

  • Static analysis is heuristic-based and may produce false positives; detections should be reviewed by a developer.
  • Python, PHP, and HTML analyzers are intentionally lightweight in this beta.
  • CVE matching for npm packages is best-effort when advisory metadata lacks precise version ranges.
  • Vulnerability feeds depend on third-party availability and may run in degraded mode.
  • AI detection is heuristic only; no AI API is used yet.
  • No automatic code modifications are performed yet.
  • Report output is currently Markdown only.
  • PDF and pro reporting are planned for a future premium version.

License

TODO
