Netallion AI Assurance
Governance for AI-powered development. See the AI providers, MCP servers, and AI extensions active in your editor the moment you install — then sign in to unlock the full secret, PII, and prompt-injection detection engine.
Built for VS Code, Cursor, and Windsurf.

Two ways to run
|
Local — no account |
Connected — sign in |
| AI provider inventory (SDK imports, endpoints, env vars) |
✅ |
✅ |
| MCP trust governance (server detection & classification) |
✅ |
✅ |
| AI extension inventory |
✅ |
✅ |
| Trust score in the status bar |
✅ |
✅ |
| Secret, PII & prompt-injection detection |
— |
✅ |
| Tenant-managed policies & fleet visibility |
— |
✅ |
Local mode works immediately with no account and never sends anything off your machine. The detection engine — 467 detection patterns with 20 live verifiers — is delivered to your editor over a signed, encrypted channel after you sign in, so the proprietary rules never ship inside the extension.
Getting started
The extension activates automatically on install. Open any project and look for the shield icon in the activity bar and your trust score in the status bar.
Out of the box you'll immediately see:
- Every AI SDK, API endpoint, and AI-related environment variable in your workspace
- MCP servers from your
.cursor/, .vscode/, and .claude/ config, classified by trust level with suspicious-indicator flagging
- Installed AI extensions, classified by risk
- A composite 0–100 trust score
Enable detection scanning
Secret, PII, and prompt-injection scanning requires the server-delivered rule corpus. To enable it:
- Run
Netallion: Sign In to Netallion from the Command Palette (Ctrl/Cmd+Shift+P)
- Confirm the platform URL (press Enter for the default
https://api.netallion.ai, or paste your self-hosted URL)
- A browser opens for OAuth device-code sign-in — approve, and detection activates
Don't have an account? Start a free trial at netallion.ai.
Commands
| Command |
Description |
Netallion: Scan Workspace |
Full workspace scan with progress (connected mode) |
Netallion: Scan Current File |
Scan the active editor (connected mode) |
Netallion: Show AI & MCP Inventory |
Open the inventory sidebar (works in local mode) |
Netallion: Sign In to Netallion |
Connect to your Netallion platform |
Netallion: Sign Out |
Disconnect |
What it detects
AI provider inventory (local)
Finds AI SDK usage across three signals — import signatures (import openai, from anthropic import, …), API endpoints (api.openai.com, generativelanguage.googleapis.com, …), and environment variables (OPENAI_API_KEY, …) — and classifies each provider by risk tier. Tenants can override classifications in connected mode.
MCP trust governance (local)
Monitors MCP configuration files in real time (.cursor/mcp.json, .vscode/mcp.json, .claude/mcp.json, project root, and user-level configs), classifies each server by trust level, and flags suspicious indicators — raw shell commands, eval/exec in arguments, network-fetch commands, disabled TLS verification, secrets in environment variables, and URLs used as commands.
AI extension inventory (local)
Identifies AI-related extensions installed in your editor, matched against a curated list (GitHub Copilot, Codeium, Tabnine, Cursor, Continue, and more) with heuristic classification for unknown extensions.
Trust score (local)
A composite 0–100 score in the status bar, weighted by finding severity and by the risk of your MCP servers, AI providers, and AI extensions. Color-coded: green (80+), yellow (50–79), red (below 50). Capped at the top findings by severity so a single bad file doesn't tank the score.
Secret, PII & prompt-injection detection (connected)
On sign-in, the extension loads the Netallion detection corpus and scans on save and on demand, with inline diagnostics, hover details, and quick fixes. It covers cloud and service credentials, AI provider keys, personally identifiable information (Luhn-validated where applicable), and prompt-risk patterns including system-prompt override, role hijacking, encoding evasion, jailbreak templates, and secrets or PII leaked into LLM prompts. Every match is confidence-scored, SHA-256 fingerprinted, and redacted to the first and last four characters.
The Netallion activity-bar icon opens four panels: Findings, MCP Servers, AI Providers, and AI Extensions.
Quick fixes
When a finding is detected, the lightbulb menu offers inline suppression (// netallion-ignore:RULE_ID, language-aware) and add to .netallionignore (project-level rule suppression).
Settings
Configure via Settings → Extensions → Netallion AI Assurance, or in settings.json:
{
"netallion.scanOnSave": true, // scan on save (connected mode)
"netallion.scanOnOpen": false, // scan on open
"netallion.enablePromptHints": true, // inline prompt-risk hints
"netallion.enableMcpWatcher": true, // watch MCP config files
"netallion.enableAiProviderDetection": true,// detect AI SDK usage
"netallion.serverUrl": "https://api.netallion.ai", // platform URL (empty = local-only)
"netallion.maxFindingsPerFile": 100
}
Privacy
- Local mode — all inventory and scoring runs entirely on your machine. Nothing leaves your editor.
- Connected mode — only metadata is synced (finding counts, rule IDs, trust scores, provider names). No source code, file contents, or secret values are ever transmitted. Secret matches are redacted and SHA-256 hashed before any reporting.
The detection corpus is delivered to the extension signed and encrypted, and is never written to the extension package or disk in plaintext.
Enterprise enrollment
For fleet deployment, provision a NETALLION_ENROLLMENT_TOKEN (environment variable or the extension's secret storage). The extension auto-enrolls on activation — no manual sign-in required. Connected mode syncs tenant-managed policies, metadata-only telemetry, and a connectivity heartbeat, and supports self-hosted and sovereign-cloud platform hosts via the netallion.allowedHosts setting.
Requirements
- VS Code 1.85.0 or later (also runs in Cursor and Windsurf)
- No additional dependencies — the extension is fully self-contained
License
Proprietary — © 2026 Netallion. All Rights Reserved. Licensed, not sold; use is governed by the LICENSE and any applicable subscription agreement. The detection rules, signatures, and models are confidential and may not be extracted, copied, or reused.