O3 Security
Find security vulnerabilities, hardcoded secrets, and risky dependencies — directly in VS Code, as you type. Zero configuration. Fully local. No data ever leaves your machine.
Installation
- Open the Extensions view (Ctrl+Shift+X / Cmd+Shift+X)
- Search for "O3 Security"
- Click Install
The extension activates automatically when you open any supported file.
Recommended: Install Git hooks to block vulnerable commits:
- Open the Command Palette (Ctrl+Shift+P / Cmd+Shift+P)
- Run O3 Security: Install Git Hooks
What It Detects
Security Vulnerabilities (SAST)
SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Traversal, Insecure Cryptography, Authentication Issues, Dangerous Functions, Deprecated APIs, and more.
Hardcoded Secrets
API Keys, Passwords, Database Credentials, Cloud Provider Keys (AWS, GCP, Azure), Access Tokens, Private Keys, and custom patterns via entropy analysis.
Dependency Vulnerabilities
Scans package.json, requirements.txt, go.mod, Cargo.lock, pom.xml, Gemfile.lock, composer.json, pubspec.lock, and more for known CVEs with CVSS scoring and auto-generated upgrade commands.
How It Works
O3 Security scans your code automatically after a short pause in typing (configurable, default 4 seconds). Issues appear as inline diagnostics:
- Red underline — High severity (critical vulnerabilities, exposed secrets)
- Yellow underline — Medium severity (potential security risks)
- Blue underline — Low / informational
Hover over any finding to see its severity badge, rule name, CWE/CVE references, CVSS scores, and remediation guidance.
Click the lightbulb for quick fixes:
- Copy upgrade command (for dependency vulnerabilities)
- Explain Vulnerability (detailed description with references)
- Ignore at occurrence, file, or workspace level
- Fix with AI (Claude, Copilot, or ChatGPT)
Click the O3 Security icon in the Activity Bar to access:
| View | Description |
|---|---|
| Workspace Overview | Aggregate security metrics across your project |
| Findings by File | Hierarchical, file-grouped list of all issues |
| Dependency Vulnerabilities | Package-level threats with upgrade commands |
| Statistics | Scan performance, cache hit rates, timing data |
Git Hook Protection
Prevent vulnerabilities from reaching your repository.
Pre-Commit scans only staged files:

```text
$ git commit -m "Add new feature"
Scanning 3 staged files...
src/api/users.js — OK
src/config.js — 1 issue found

SECURITY ISSUE DETECTED
File: src/config.js
Line 12: Hardcoded API key

Commit blocked. Fix the issue or bypass with: O3PASS=0 git commit
```
Pre-Push runs a full workspace scan before pushing.
Bypass for emergencies:

```text
O3PASS=0 git commit -m "WIP: emergency fix"
```
Use bypass sparingly — only for work-in-progress commits, never for ignoring real security issues.
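As an added illustration of the flow described above (not the extension's own hook), this constructed pre-commit script enumerates only the staged files, checks each against a deliberately simple hardcoded-secret pattern standing in for the real scanner, blocks the commit on any hit, and honours O3PASS=0 as the explicit bypass. The pattern and message texts are assumptions, not the extension's rules.

```shell
#!/bin/sh
# Constructed stand-in for the hook described above, not the O3 Security extension's own.
# Assumed, deliberately simple rule: a key/secret/token/password name assigned a quoted
# literal of 16+ characters. A real scanner has many more rules plus entropy checks.
SECRET_RE="(api[_-]?key|secret|token|password)[[:space:]]*[=:][[:space:]]*[\"'][A-Za-z0-9_/+=-]{16,}[\"']"

# check_file FILE: report each hit; return 1 if any, 0 if the file is clean.
check_file() {
    hits=$(grep -nEi "$SECRET_RE" "$1" 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r line; do
        printf 'SECURITY ISSUE DETECTED\nFile: %s\nLine %s: Hardcoded secret\n' "$1" "${line%%:*}"
    done
    return 1
}

# staged_files: added/copied/modified paths in the index (deletions are skipped).
staged_files() { git diff --cached --name-only --diff-filter=ACM; }

# bypass_requested: true only when the committer explicitly set O3PASS=0.
bypass_requested() { [ "${O3PASS:-}" = "0" ]; }

# scan_staged FILE...: scan every given file; return 1 if any has a finding.
scan_staged() {
    status=0
    for f in "$@"; do
        if check_file "$f"; then echo "$f - OK"; else echo "$f - issue found"; status=1; fi
    done
    return "$status"
}

main() {
    bypass_requested && { echo "O3PASS=0 set: pre-commit scan skipped"; return 0; }
    set -- $(staged_files)   # word-split on whitespace; paths with spaces are not handled
    [ "$#" -eq 0 ] && return 0
    echo "Scanning $# staged files..."
    scan_staged "$@" && return 0
    echo "Commit blocked. Fix the issue or bypass with: O3PASS=0 git commit"
    return 1
}

# Run main only when installed as .git/hooks/pre-commit; sourcing just defines the functions.
case "$0" in */pre-commit) main; exit "$?" ;; esac
```

Install it as .git/hooks/pre-commit (executable) to try it; the functions can also be sourced and called on individual files.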
Settings
Open via Command Palette: O3 Security: Open Settings or search securityScanner in VS Code Settings.
Scanning
| Setting | Default | Description |
|---|---|---|
| enableRealTimeScan | true | Automatic background scanning |
| scanInterval | 4 | Seconds to wait after typing stops (1-30) |
| autoSaveBeforeScan | false | Auto-save file before scanning |
| scanOnStartup | false | Scan open files when VS Code starts |
| maxFileSize | 1024 | Skip files larger than this (KB) |
| enablePatternScanner | true | Enable SAST pattern analysis |
| enableSecretScanner | true | Enable secret detection |
| enableDependencyScanner | true | Enable dependency scanning |
Display & Notifications
| Setting | Default | Description |
|---|---|---|
| severityFilter | "all" | Filter: all, high, high+medium, errors-only |
| autoOpenSidebar | true | Auto-navigate to sidebar on high-severity findings |
| showStatusBarItem | true | Show scan status in status bar |
| enableNotifications | true | Desktop notifications for findings |
| notificationDelay | 10 | Seconds before showing accumulated notifications |
Git & Exclusions
| Setting | Default | Description |
|---|---|---|
| blockCommitsWithVulnerabilities | true | Block commits when vulnerabilities are detected |
| excludePatterns | ["node_modules/**", "dist/**", "build/**", ...] | Glob patterns to exclude |
| logLevel | "warn" | Log verbosity: off, error, warn, info, debug |
AI Fixes
| Setting | Default | Description |
|---|---|---|
| preferredAITool | "" | Default AI tool: claude, copilot, codex |
Commands
All available via Command Palette (Ctrl+Shift+P / Cmd+Shift+P):
Scanning
| Command | Description |
|---|---|
| Scan Current File | Scan the active editor file |
| Scan Entire Workspace | Full project scan |
| Scan Dependencies | Scan package manifests for CVEs |
| Refresh Security Findings | Refresh sidebar |
| Clear Scan Cache | Reset performance cache |
AI Fixes
| Command | Description |
|---|---|
| Show Fix Suggestions | AI-generated fix recommendations |
| Fix with AI | Generate a fix using your preferred AI tool |
| Change Preferred AI Tool | Set default (Claude, Copilot, ChatGPT) |
Ignore Management
| Command | Description |
|---|---|
| Ignore This Occurrence | Suppress a specific line finding |
| Ignore Rule in This File | Suppress a rule for the entire file |
| Ignore Rule in Workspace | Suppress a rule across all files |
| Show Ignored Rules | View all suppressed findings |
| Clear All Ignored Rules | Remove all ignores |
Git Hooks
| Command | Description |
|---|---|
| Install Git Hooks | Set up pre-commit and pre-push hooks |
| Uninstall Git Hooks | Remove hooks |
| Enable Git Hooks | Re-enable disabled hooks |
| Disable Git Hooks | Temporarily pause hooks |
| Git Hooks Status | Check hook state |
Other
| Command | Description |
|---|---|
| Show Logs | Open scanner output logs |
| Open Settings | Extension settings |
| Login / Logout | Authenticate with O3 backend |
| Setup MCP Server | Configure MCP for Copilot Chat |
Supported Languages
| Language | Extensions | Language | Extensions |
|---|---|---|---|
| JavaScript | .js, .jsx | Swift | .swift |
| TypeScript | .ts, .tsx | Kotlin | .kt, .kts |
| Python | .py, .pyw | Rust | .rs |
| Java | .java | Bash | .sh |
| Go | .go | Solidity | .sol |
| Ruby | .rb | Terraform | .tf |
| PHP | .php | Docker | Dockerfile |
| C/C++ | .c, .cpp, .h, .hpp | HTML | .html |
| C# | .cs | Config | .yaml, .yml, .json, .xml, .env |

| File Size | First Scan | Cached Scan |
|---|---|---|
| < 100 lines | ~150ms | ~5ms |
| 100-500 lines | ~300ms | ~5ms |
| 500-1000 lines | ~600ms | ~5ms |
| 1000+ lines | ~1.2s | ~5ms |
Cache hit rate: 85-95% during active development. Files over 1 MB are auto-excluded.
Troubleshooting
Extension not scanning?
- Verify the file type is supported
- Check status bar shows "O3 Security: Idle"
- Open Output panel: View > Output > O3 Security
- Restart VS Code
Git hooks not running?
- Verify Node.js is installed: node --version
- Make hooks executable (macOS/Linux): chmod +x .git/hooks/*
- Reinstall via Command Palette
False positives? Use the ignore system — right-click any finding in the sidebar or click the lightbulb in the editor.
Privacy
- 100% local — All scanning runs on your machine. No code is sent anywhere.
- No telemetry — Optional enterprise features require explicit opt-in.
- Secure storage — Auth tokens stored via VS Code's secure credential API.