Mondoo Security for VS Code
Catch security issues while you write code, and verify that the infrastructure
you run is configured securely — all without leaving VS Code. The extension
brings Mondoo's two security scanners, xgrep and
cnspec, into the editor, along with AI assistance
that works with the language model you already have in VS Code.
What it does
The extension covers three sides of your security work, each with its own view
in the Mondoo sidebar:
🔍 Code security — find and fix issues as you type
Powered by xgrep, Mondoo's software development
security scanner.
- Live findings for vulnerabilities and leaked secrets appear in the editor
and the Problems panel the moment you open or edit a file — no account, no
configuration. The scanner installs automatically from npm on first use.
- Fix or dismiss in one click with Code Actions: apply the rule's fix, or
suppress a false positive with a reason that's recorded in a comment and holds
in CI too.
- Fix with AI, verified by xgrep — for findings that have no mechanical fix,
your own language model authors the change from xgrep's fix contract, and xgrep
checks the result before you see it: the patched file must still parse, the
original finding must be gone, and no new finding may appear. You then approve
or reject it in a diff preview. No account; nothing is written to disk until you
accept.
- Workspace and changed-files scans for a full sweep or a quick pre-commit
check, with a live finding count in the status bar.
🛡️ Infrastructure security — check systems against policies
Powered by cnspec, Mondoo's infrastructure security
scanner, using MQL (Mondoo Query Language).
- Run policies and queries against your local machine, SSH hosts, Docker,
Kubernetes, and the major clouds (AWS, Azure, GCP) — with credentials kept in
your OS keychain, never in settings.
- A full policy authoring workbench: tree view, search, pins, and bulk
operations for your .mql.yaml bundles.
- MQL language intelligence via the built-in cnspec language server —
diagnostics, completion, hover, quickfixes, go-to-definition, find references,
and CodeLens "Run Query" actions.
- Lint, format-on-save, and offline validation — queries compile locally
before they ever run against a target.
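A minimal policy bundle of the kind the workbench edits and the lint/validation steps check, added here as an illustration rather than taken from the extension or the cnspec project. The policy uid, author, and the two sshd checks are made-up examples; the layout follows cnspec's policy bundle schema (a `policies` list whose groups reference query uids, and a `queries` list holding the MQL), as I understand it.

```yaml
# Added example bundle (example-ssh-hardening.mql.yaml); not shipped with the extension or cnspec.
# uids, author and checks are illustrative.
policies:
  - uid: example-ssh-hardening
    name: Example SSH hardening
    version: 1.0.0
    authors:
      - name: Example Author
        email: security@example.com
    groups:
      - title: SSH daemon configuration
        # Asset filter: the group only runs on Unix-like hosts; other assets are skipped.
        filters: asset.family.contains("unix")
        checks:
          - uid: sshd-permit-root-login
          - uid: sshd-password-authentication

queries:
  - uid: sshd-permit-root-login
    title: Ensure root cannot log in directly over SSH
    impact: 80
    # sshd.config.params is the parsed sshd_config as a key/value map.
    mql: sshd.config.params["PermitRootLogin"] == "no"
    docs:
      desc: Direct root logins remove per-user accountability and turn a stolen key into full control.
      remediation: Set `PermitRootLogin no` in /etc/ssh/sshd_config and restart sshd.

  - uid: sshd-password-authentication
    title: Ensure SSH password authentication is disabled
    impact: 70
    mql: sshd.config.params["PasswordAuthentication"] == "no"
    docs:
      desc: Password logins expose sshd to credential stuffing and brute force; keys or certificates should be required.
      remediation: Set `PasswordAuthentication no` in /etc/ssh/sshd_config and restart sshd.
```

The offline validation described above corresponds to what `cnspec bundle lint example-ssh-hardening.mql.yaml` does on the command line; once the bundle compiles, `cnspec scan local -f example-ssh-hardening.mql.yaml` runs it against the machine you are on, and a single query can be tried without a bundle via `cnspec run local -c 'sshd.config.params["PermitRootLogin"] == "no"'`. A check that fails to compile (a typo in a resource or field name, for instance) is reported at lint time, before any target is contacted.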
📦 Bill of materials — know what's inside
- SBOM (software bill of materials) for your source-code dependencies or the
packages on a running asset.
- AIBOM (AI bill of materials) inventorying the AI/ML models and agents in
scope.
- Standard formats — CycloneDX, SPDX, JSON — that drop straight into compliance
workflows and CI. Generation runs fully offline.
🤖 AI assistance
@mondoo chat participant — your conversational entry point to both
scanners, running on the language model already configured in VS Code. No
Mondoo account is needed; note that the finding context it assembles is sent to
whichever provider backs that model, so choose the model with that in mind:
- Explain & triage findings (the default flow) — ask
@mondoo whether an
xgrep code finding or cnspec policy-lint finding is actually exploitable
here and how to fix it. The answer is enriched with xgrep's code graph (call
neighborhood and dataflow), and you can keep asking follow-up questions like
"how would an attacker exploit this?" or "show me the fix as a diff."
@mondoo /query — generate an MQL query from a natural-language
security check.
One-click explain — the Explain Finding (AI) Code Action on any xgrep
or cnspec-lint finding opens the same @mondoo triage chat pre-loaded with
that finding.
Language model tools — #cnspec runs scans and policy commands and
#mqlSchema looks up MQL providers, resources, and fields, both available to
agent mode and Copilot Chat.
AI agent skills for Claude Code — bring Mondoo's deeper analysis into your
agent:
- Mondoo Infrastructure Security: Install AI Skills adds the mql and
policy-graph skills from the cnspec repo for writing MQL and navigating policy
bundles.
- Mondoo Code Security: Install AI Skills adds xgrep's code-security
skills (inspect, rule authoring, triage) for working with code findings.
xgrep's analysis (code graph, symbol inspection, scanning) is also exposed to
AI coding agents over MCP — Copilot agent mode discovers it automatically.
Getting started
- Install the extension from the Visual Studio Marketplace or Open VSX.
- Open the Mondoo view in the Activity Bar, or run Get Started from the
Command Palette to launch the guided walkthroughs.
- Code security works immediately — open a file and findings appear as you
type. For infrastructure scanning, the extension detects
cnspec and guides you through installation if
it's missing.
The extension only runs in trusted workspaces, because it executes the cnspec
and xgrep binaries locally against the files in your workspace; opening an
untrusted repository will not start either scanner.
Requirements
- Visual Studio Code 1.101 or later
- cnspec for infrastructure scanning
(auto-detected; the extension guides you through installation if it's missing)
- The xgrep code scanner installs automatically — no
setup needed
Getting help