DevGuard IDE Plugin

Kubernetes YAML security scanner for VS Code, Cursor, and Amazon Kiro. Uses nctl for scanning, remediation, and AI-powered fix/explain.

Overview

Scan on save – Violations appear as squiggles; click for fixes
Policy contexts – Local baseline (offline) or Central (Nirmata Control Hub)
Fix – Safe defaults (nctl remediate) or AI (nctl ai); fix single violation or all
Explain – AI explanation of violations
Self-check – Validate nctl, auth, policy mode, and cache
Support bundle – Export sanitized debug bundle; Admin Help – in-IDE docs for platform teams

Prerequisites

nctl – Installation
VS Code 1.74+ / Cursor / Amazon Kiro

Usage

Open a Kubernetes YAML file
Save – DevGuard scans and shows violations
Click a violation → Fix with Safe Defaults, Fix with AI, or Explain
Optional: DevGuard: Run Self Check to verify setup; DevGuard: Export Support Bundle for debugging

Configuration

Setting	Default	Description
`devguard.nctlPath`	`nctl`	Path to nctl binary
`devguard.autoScanOnSave`	`true`	Scan on save
`devguard.scanDebounceMs`	`600`	Debounce (ms)
`devguard.k8sHeuristicsEnabled`	`true`	Only scan YAML that looks like K8s (apiVersion/kind)
`devguard.policySource`	`local`	`local` or `central`
`devguard.nchUrl`	``	Nirmata Control Hub URL (for central)
`devguard.defaultPolicyContext`	`Local Baseline`	Default context
`devguard.allowedPolicyContexts`	`[]`	Allowed contexts (regex supported)
`devguard.policyCacheTtlMinutes`	`60`	TTL for cached central contexts
`devguard.allowLocalFallback`	`true`	Allow local policies when central is set but not logged in
`devguard.localAuditLogEnabled`	`false`	JSONL audit log (scan/fix/explain) in globalStorageUri/audit/

Commands: DevGuard: Scan Current File · DevGuard: Select Policy Context · DevGuard: Login to NCH · DevGuard: Update Token · DevGuard: Logout · DevGuard: Fix with Safe Defaults · DevGuard: Fix with AI · DevGuard: Fix All with Safe Defaults · DevGuard: Fix All with AI · DevGuard: Explain Violation · DevGuard: Run Self Check · DevGuard: Export Support Bundle · DevGuard: Show Admin Help

Policy modes: Local = offline, no login. Central = NCH, requires login; supports RBAC.

License & support

License: Apache-2.0
Documentation · Nirmata Support

Nirmata DevGuard