# KoraSafe Governance for VS Code
AI governance checks that run in your editor, on every save. Flags the stuff that blocks a regulated launch: leaked secrets, PII in prompts, LLM calls without error handling, destructive actions without a human-in-the-loop gate.
Part of KoraSafe, the AI governance intelligence platform.
## What it catches

Seven rule classes run locally with zero network round-trip:

- Secrets. Anthropic, OpenAI, AWS, GitHub, Slack, JWT tokens, and hardcoded password / api_key style credentials.
- PII. Social security numbers, credit card numbers, emails, phone numbers in code literals.
- LLM calls. Direct SDK calls to Anthropic, OpenAI, Bedrock, Vertex, and generic client.invoke / model.generate patterns.
- Destructive actions. execute(), database .delete(), deploys, file writes, network .send() patterns.
- Missing human-in-the-loop gates. Flags destructive actions that ship without an approval or consent path nearby.
- Missing error handling. LLM calls outside a try/catch or a withErrorHandling wrapper.
- Missing rate limits. API endpoints that hit an LLM without any rate-limit primitive in scope.
Optional cloud checks can layer on regulatory mapping (EU AI Act, GDPR, NIST AI RMF) when you add an API key.
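To make the local rule classes concrete, here is an added example (not the KoraSafe extension's own code) of a small regex-and-window scanner that approximates six of them: secrets, PII in literals, LLM calls, LLM calls without a try/catch or withErrorHandling wrapper, destructive actions, and destructive actions with no approval or consent path nearby. The patterns, the line windows, the `severityThreshold`-style filter, and the sample source it scans are all constructed for illustration; the real extension's rules and heuristics are not published here.

```typescript
// Added example: a minimal approximation of the local rule classes the README
// lists. NOT the KoraSafe extension's code; rules, windows and sample input are
// constructed for illustration only.

type Severity = "low" | "medium" | "high" | "critical";
interface Finding { rule: string; line: number; severity: Severity; message: string }

const SEVERITY_ORDER: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Secret patterns (constructed; checked in order, first match wins per line).
const SECRET_PATTERNS: [string, RegExp][] = [
  ["anthropic-key", /sk-ant-[A-Za-z0-9_-]{20,}/],
  ["openai-key", /\bsk-[A-Za-z0-9]{20,}/],
  ["aws-access-key", /\bAKIA[0-9A-Z]{16}\b/],
  ["github-token", /\bghp_[A-Za-z0-9]{30,}/],
  ["hardcoded-credential", /\b(password|api_key|apiKey)\s*[:=]\s*["'][^"']{8,}["']/i],
];

// PII patterns, applied only to lines that contain a string literal (constructed).
const PII_PATTERNS: [string, RegExp][] = [
  ["ssn", /\b\d{3}-\d{2}-\d{4}\b/],
  ["email", /\b[\w.+-]+@[\w-]+\.[\w.]+\b/],
];

// Direct LLM SDK call shapes and destructive-action shapes (constructed).
const LLM_CALL = /\b(messages\.create|chat\.completions\.create|invoke_model|generateContent|client\.invoke|model\.generate)\s*\(/;
const DESTRUCTIVE = /(\bexecute|\.delete|\bdeploy|writeFile|\.send)\s*\(/;
// Tokens treated as evidence of a human-in-the-loop gate (constructed heuristic).
const HITL_GATE = /\b(approve|approval|confirm|consent|requireHumanApproval)\b/i;

// Scan one file's text and return findings at or above the severity threshold.
function scanSource(source: string, threshold: Severity = "low"): Finding[] {
  const lines = source.split("\n");
  const findings: Finding[] = [];
  // Lines from i-before up to i+after (inclusive), clipped to the file.
  const window = (i: number, before: number, after: number) =>
    lines.slice(Math.max(0, i - before), Math.min(lines.length, i + after + 1));

  lines.forEach((text, i) => {
    const line = i + 1;
    for (const [name, re] of SECRET_PATTERNS) {
      if (re.test(text)) {
        findings.push({ rule: `secret/${name}`, line, severity: "critical", message: "Credential in source" });
        break;
      }
    }
    if (/["'`]/.test(text)) {
      for (const [name, re] of PII_PATTERNS) {
        if (re.test(text)) findings.push({ rule: `pii/${name}`, line, severity: "high", message: "PII in code literal" });
      }
    }
    if (LLM_CALL.test(text)) {
      findings.push({ rule: "llm-call", line, severity: "low", message: "Direct LLM SDK call" });
      // Heuristic: a `try` or withErrorHandling( in the 10 lines above counts as handled.
      const guarded = window(i, 10, 0).some((l) => /\btry\b|withErrorHandling\s*\(/.test(l));
      if (!guarded) findings.push({ rule: "llm-call/no-error-handling", line, severity: "medium", message: "LLM call outside try/catch or withErrorHandling" });
    }
    if (DESTRUCTIVE.test(text)) {
      findings.push({ rule: "destructive-action", line, severity: "medium", message: "Destructive action" });
      // Heuristic: a gate token within 5 lines either side counts as a HITL path nearby.
      const gated = window(i, 5, 5).some((l) => HITL_GATE.test(l));
      if (!gated) findings.push({ rule: "destructive-action/no-hitl", line, severity: "high", message: "No approval/consent path nearby" });
    }
  });
  return findings.filter((f) => SEVERITY_ORDER[f.severity] >= SEVERITY_ORDER[threshold]);
}

// Constructed sample file: every value below is a placeholder, not a real credential.
const SAMPLE = [
  'const apiKey = "sk-ant-EXAMPLE0000000000000000000";',
  'const owner = "jane.doe@example.com";',
  "db.users.delete({ id });",
  "const reply = await client.messages.create({ model, messages });",
  "try {",
  "  const r = await openai.chat.completions.create({ model, messages });",
  "} catch (e) { log(e); }",
  'log("audit", r);',
  "await notify(owner);",
  "if (await requireHumanApproval(ticket)) {",
  "  deploy(release);",
  "}",
].join("\n");

// "line:rule" labels, handy for a quick report or for tests.
function ruleLabels(findings: Finding[]): string[] {
  return findings.map((f) => `${f.line}:${f.rule}`);
}

console.log(ruleLabels(scanSource(SAMPLE)));
```

Run with `npx ts-node` on the file, or paste into a scratch project. Raising the threshold to `"high"` drops the low and medium findings, which is the effect the `korasafe.severityThreshold` setting describes; the windowed heuristics are deliberately simple and will produce false positives (a gate token near an unrelated call) and false negatives (a wrapper defined elsewhere), which is why findings are surfaced as diagnostics for a human to review rather than as hard failures.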
## Install

Search "KoraSafe" in the VS Code Extensions panel, or:

```
code --install-extension korasafe.korasafe
```
Works in VS Code 1.85+. Activates on JavaScript, TypeScript, Python, Go, JSX, and TSX files.
## Use it
- Diagnostics on save. Squiggles appear on findings. Hover for regulation mapping and severity.
- Sidebar. Click the shield icon in the activity bar. Findings group by severity. Click to jump to the line.
- Commands (Cmd+Shift+P → type "KoraSafe"):
  - KoraSafe: Scan current file
  - KoraSafe: Scan workspace
  - KoraSafe: Show governance panel
  - KoraSafe: Clear all diagnostics
  - KoraSafe: Set API key (stores in VS Code SecretStorage, backed by OS keychain)
## Configuration

| Setting | Default | What it does |
| --- | --- | --- |
| korasafe.apiUrl | https://korasafe.ai | KoraSafe API base URL |
| korasafe.enableCloudChecks | false | Layer regulation mapping on top of local rules. Needs an API key. |
| korasafe.scanOnSave | true | Re-scan every time you save |
| korasafe.severityThreshold | low | Minimum severity to surface in diagnostics |
## Local vs. cloud
Everything ships working out of the box. Local checks run instantly, never send code anywhere, and catch the high-signal patterns above. The cloud mode is opt-in: set an API key and it adds regulation mapping, dependency CVE checks, and workspace-level audit runs via the KoraSafe platform.
## Privacy
- Local rules run entirely in the extension host. No telemetry. No code leaves your machine.
- Cloud mode (when explicitly enabled) sends only the file contents you ask to audit, over TLS, authenticated with your API key. API key is stored in VS Code SecretStorage, which routes to the OS keychain.
## Support