NightVision

NightVision Security

224 installs | (5) | Free
Test and exploit REST APIs and Web apps from your IDE.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

NightVision Visual Studio Code Extension

Leverage NightVision to document APIs, run DAST scans, and uncover vulnerabilities in both known and unknown endpoints!

Getting Started

To use this extension you must have a NightVision account. You must also install the NightVision CLI, which can be done either through this extension or manually. It is available for all platforms: Windows, Linux and macOS.

Main page

If you have installed the NightVision CLI and logged in, you'll arrive at the main page, where you'll be presented with these options:

  1. API Discovery
  2. API and Web Security Testing
    • Configuring a project
    • Configuring a target
    • Configuring an authentication
    • Configuring a scan

API Discovery

API Discovery helps you document your APIs and discover hidden endpoints in them. It supports a set of languages such as Java, C# (.NET), Python, JavaScript / TypeScript and Ruby. The process is straightforward:

  1. Provide the filepath to the root directory of your project to be scanned;
  2. Choose the language in which your API is written;
  3. Press the button to generate the OpenAPI specification for your project.

If successful, a new window in your VSCode will open with your API information and you can save it at your convenience.

As an example, we can use the javaspringvulny repository:

  1. Clone the repo: git clone https://github.com/vulnerable-apps/javaspringvulny.git
  2. Copy the filepath or select the parent folder;
  3. Select Java as the API language.

When generating the OpenAPI specification, you should see something similar to the image below:

API Discovery Example
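
Once the specification is saved, a useful follow-up is to compare it with the API documentation you already publish, so that endpoints found in the code but missing from the docs stand out before you scan. The sketch below is an added example, not part of the NightVision extension or CLI; it assumes both documents are OpenAPI 3 and already loaded as Python dictionaries, and the sample specs and the function names `operations` and `review` are constructed for illustration.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def operations(spec):
    """Return {(METHOD, normalized_path): operation} for an OpenAPI document (dict)."""
    ops = {}
    for path, item in spec.get("paths", {}).items():
        # Parameter names differ between tools ({id} vs {itemId}); compare by shape.
        norm = re.sub(r"\{[^}]*\}", "{}", path).rstrip("/") or "/"
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:  # skips keys such as "parameters"
                ops[(method.upper(), norm)] = op or {}
    return ops

def review(generated, published):
    """Compare the spec generated from code with the documented one."""
    gen, pub = operations(generated), operations(published)
    global_sec = generated.get("security", [])
    # In the code but not in the docs: candidates for "hidden" endpoints.
    undocumented = sorted(k for k in gen if k not in pub)
    # No own "security" means the global requirement applies; [] means none.
    no_security = sorted(k for k, op in gen.items() if not op.get("security", global_sec))
    # In the docs but no longer in the code: stale documentation.
    stale = sorted(k for k in pub if k not in gen)
    return {"undocumented": undocumented, "no_security": no_security, "stale": stale}

# Constructed sample documents (not output from a real project)
GENERATED = {
    "openapi": "3.0.1",
    "paths": {
        "/api/items/{id}": {"get": {"security": [{"bearer": []}]}, "delete": {}},
        "/api/items/search/": {"get": {"security": [{"bearer": []}]}},
        "/admin/debug": {"get": {}},
    },
}
PUBLISHED = {
    "openapi": "3.0.1",
    "paths": {
        "/api/items/{itemId}": {"get": {}},
        "/api/items/search": {"get": {}},
        "/api/legacy": {"post": {}},
    },
}

if __name__ == "__main__":
    for name, entries in review(GENERATED, PUBLISHED).items():
        print(name, entries)
```

Endpoints reported as undocumented or without a declared security requirement are the ones to confirm are covered by the target and authentication you configure for the scan.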

API and Web Security Testing

Here you'll be able to configure and run DAST scans, discovering vulnerabilities in your system.

To execute a DAST scan, we must first have a project and a target in place. If your system uses authentication, you may have to configure an authentication method as well.

Configuring a project

  1. Click on Create Project:

    Projects page
  2. Type your project name, e.g. Tutorial_test_project

    Projects page - Creating a project
  3. Select the project:

    Projects page - Selecting the project
  4. (Optional) Select your project from the list to see its information and see options to edit, delete or share your project with other users:

    Projects page - Project options

Configuring a target

Let's use the javaspringvulny repository for this example. The application can be started through Docker: docker-compose up -d; sleep 10.

Now, let's create our target.

  1. Click on Create Target:

    Targets page
  2. Select API Target, fill in the data, select the Swagger File or Postman Collection (see API Discovery section) and press the Create button:

    Targets page - API Target
  3. Once created, you may see it in the list of targets. You can click on a target to see its details:

    Targets page - list targets
  4. You can see the target details. By default, if no excluded URL patterns are provided, some default ones are applied:

    Targets page - details

Configuring an authentication

If your website or API is protected by authentication, we can configure it so the security scan is able to access protected endpoints and reveal issues behind them.

  1. Click on Create Authentication:

    Authentications page
  2. Select Playwright authentication and fill in the information as shown below. Make sure your app is running at the provided URL and press Create:

    Authentications page
  3. The browser and Playwright Inspector will show up. We perform actions in the browser, and Playwright records them as our authentication. On the main page that shows up, let's click on Form Auth:

    Authentications page
  4. Enter the username user and the password password, and then click Submit:

    Authentications page
  5. After submitting, you'll see our authentication has been recorded:

    Authentications page
  6. Close the browser where the application is running to save the recordings. You should be able to see your new authentication being listed:

    Authentications page
  7. By clicking on it you can check its information:

    Authentications page

Configuring a scan

  1. Click on Scan APIs

    Scans page
  2. Configure your scan by selecting the project, target and authentication we created before, and press Start Scan:

    Scans page
  3. Your scan will start and it may take a few minutes to start showing discovered vulnerabilities:

    Scans page
  4. You can also check the existing scans' statuses in the main Scans page:

    Scans page
  5. Once it is done, you may check the discovered vulnerabilities:

    Scans page