Visual Studio Code Marketplace > Linters > O3 Security
24 installs | (0) | Free
Find security vulnerabilities, hardcoded secrets, and risky dependencies as you code. Zero config, real-time, local-only.

O3 Security

Find security vulnerabilities, hardcoded secrets, and risky dependencies — directly in VS Code, as you type. Zero configuration. Fully local. No data ever leaves your machine.

Installation

  1. Open the Extensions view (Ctrl+Shift+X / Cmd+Shift+X)
  2. Search for "O3 Security"
  3. Click Install

The extension activates automatically when you open any supported file.

Recommended: Install Git hooks to block vulnerable commits:

  1. Open Command Palette (Ctrl+Shift+P / Cmd+Shift+P)
  2. Run O3 Security: Install Git Hooks

What It Detects

Security Vulnerabilities (SAST)

SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Traversal, Insecure Cryptography, Authentication Issues, Dangerous Functions, Deprecated APIs, and more.

Hardcoded Secrets

API Keys, Passwords, Database Credentials, Cloud Provider Keys (AWS, GCP, Azure), Access Tokens, Private Keys, and custom patterns via entropy analysis.
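To make the "custom patterns via entropy analysis" idea concrete, here is an added example (illustrative JavaScript, not the O3 Security extension's own code) of a small secret detector: it applies a few known-format patterns first, then flags long quoted string literals whose Shannon entropy is high. The rule names, the 20-character and 4.0-bits-per-character thresholds, and the sample source lines are assumptions made for this demonstration; the `AKIA` prefix is the documented AWS access-key-id prefix and the key id on sample line 2 is the example value from the AWS documentation.

```javascript
// Added example, not the O3 Security extension's code: a small hardcoded-secret
// detector that combines known-format patterns with Shannon-entropy analysis of
// string literals. Rule names, thresholds and the sample source are assumptions
// made for this demonstration.

// Known-format rules. "AKIA" is the documented AWS access-key-id prefix.
const KNOWN_PATTERNS = [
  { rule: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { rule: 'password-assignment', re: /\b(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]/i },
];

// Assumed thresholds: a quoted literal at least this long whose per-character
// entropy is at least this many bits is reported as a probable secret.
const MIN_LITERAL_LENGTH = 20;
const ENTROPY_THRESHOLD = 4.0;

// Shannon entropy of a string in bits per character.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Scan one line: known patterns first; the entropy check runs on quoted
// literals only when no known pattern matched, so a line is not reported twice.
function scanLine(line, lineNumber) {
  const findings = [];
  for (const { rule, re } of KNOWN_PATTERNS) {
    if (re.test(line)) findings.push({ rule, line: lineNumber, severity: 'High' });
  }
  if (findings.length === 0) {
    const literalRe = /(["'`])([^"'`\n]+)\1/g;
    let m;
    while ((m = literalRe.exec(line)) !== null) {
      const value = m[2];
      if (value.length >= MIN_LITERAL_LENGTH && shannonEntropy(value) >= ENTROPY_THRESHOLD) {
        findings.push({
          rule: 'high-entropy-string',
          line: lineNumber,
          severity: 'Medium',
          entropy: Number(shannonEntropy(value).toFixed(2)),
        });
      }
    }
  }
  return findings;
}

// Scan a whole source file; line numbers are 1-based like editor diagnostics.
function scanSource(source) {
  return source.split('\n').flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample: line 2 holds the AWS documentation example key id, line 3
// a made-up random-looking token; lines 1 and 4 are benign (short or repetitive).
const SAMPLE_SOURCE = [
  "const region = 'us-east-1';",
  "const accessKeyId = 'AKIAIOSFODNN7EXAMPLE';",
  "const token = 'xK9v2Qm7Lp4Rz8Wt1Ny6Bh3Jd5Fg0Sc';",
  "const greeting = 'hello world, hello world, hello';",
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE)) console.log(f);
```

Run it with `node`: sample lines 2 and 3 are reported, while the literals on lines 1 and 4 are not (the line-4 string is long but its entropy is only about 3 bits per character). Entropy alone is a heuristic and will also fire on hashes, UUIDs and base64-encoded assets, which is why a scanner pairs it with the known-format rules and with per-occurrence ignore controls like the ones this page describes.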

Dependency Vulnerabilities

Scans package.json, requirements.txt, go.mod, Cargo.lock, pom.xml, Gemfile.lock, composer.json, pubspec.lock, and more for known CVEs with CVSS scoring and auto-generated upgrade commands.
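As an added example of how a dependency scanner turns a manifest into scored findings (illustrative JavaScript, not the extension's own scanner), the code below matches a constructed package.json against a constructed, offline advisory list, maps each CVSS score to its qualitative band, and generates an upgrade command per vulnerable package. The package names, advisory IDs, versions and scores are placeholders invented for the demonstration; the severity bands are the CVSS v3 qualitative ratings published by FIRST.

```javascript
// Added example, not the O3 Security extension's scanner: match a constructed
// package.json against a constructed offline advisory list, rate each hit by its
// CVSS v3 qualitative band and emit an upgrade command. Package names, advisory
// IDs, versions and scores below are placeholders.

const MANIFEST = {
  name: 'demo-app',
  dependencies: {
    'example-lib-a': '^2.4.1',
    'example-lib-b': '~1.0.3',
    'example-lib-c': '5.2.0',
  },
};

// Constructed advisories: a package is affected when its version is below fixedIn.
const ADVISORIES = [
  { pkg: 'example-lib-a', id: 'ADVISORY-PLACEHOLDER-1', fixedIn: '2.5.0', cvss: 7.5 },
  { pkg: 'example-lib-b', id: 'ADVISORY-PLACEHOLDER-2', fixedIn: '1.0.4', cvss: 3.1 },
  { pkg: 'example-lib-c', id: 'ADVISORY-PLACEHOLDER-3', fixedIn: '5.0.0', cvss: 9.8 },
];

// Take the lowest version a spec permits ("^2.4.1" -> [2, 4, 1]); a real scanner
// would read the resolved version from the lockfile instead.
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// CVSS v3 qualitative severity bands as published by FIRST.
function severityFromCvss(score) {
  if (score >= 9.0) return 'Critical';
  if (score >= 7.0) return 'High';
  if (score >= 4.0) return 'Medium';
  if (score > 0) return 'Low';
  return 'None';
}

function scanManifest(manifest, advisories) {
  const findings = [];
  for (const [pkg, spec] of Object.entries(manifest.dependencies || {})) {
    const declared = parseVersion(spec);
    if (!declared) continue; // git URLs, tags and the like are out of scope here
    for (const adv of advisories) {
      if (adv.pkg !== pkg) continue;
      if (compareVersions(declared, parseVersion(adv.fixedIn)) < 0) {
        findings.push({
          pkg,
          declared: declared.join('.'),
          id: adv.id,
          cvss: adv.cvss,
          severity: severityFromCvss(adv.cvss),
          upgrade: `npm install ${pkg}@${adv.fixedIn}`,
        });
      }
    }
  }
  // Highest score first so a sidebar-style listing leads with the worst item.
  return findings.sort((x, y) => y.cvss - x.cvss);
}

for (const f of scanManifest(MANIFEST, ADVISORIES)) {
  console.log(`${f.severity} (${f.cvss}) ${f.pkg}@${f.declared} ${f.id}: ${f.upgrade}`);
}
```

Two of the three constructed packages are reported; example-lib-c is declared above its fix version and is skipped. The example compares the lower bound of a range like `^2.4.1`, which can under-report when the installed version is higher; a production scanner resolves the exact installed version from the lockfile (package-lock.json, Cargo.lock, Gemfile.lock) before matching it against advisory ranges.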


How It Works

O3 Security scans your code automatically after a short pause in typing (configurable, default 4 seconds). Issues appear as inline diagnostics:

  • Red underline — High severity (critical vulnerabilities, exposed secrets)
  • Yellow underline — Medium severity (potential security risks)
  • Blue underline — Low / informational

Hover over any finding for severity badge, rule name, CWE/CVE references, CVSS scores, and remediation guidance.

Click the lightbulb for quick fixes:

  • Copy upgrade command (for dependency vulnerabilities)
  • Explain Vulnerability (detailed description with references)
  • Ignore at occurrence, file, or workspace level
  • Fix with AI (Claude, Copilot, or ChatGPT)

Sidebar Views

Click the O3 Security icon in the Activity Bar to access:

| View | Description |
| --- | --- |
| Workspace Overview | Aggregate security metrics across your project |
| Findings by File | Hierarchical, file-grouped list of all issues |
| Dependency Vulnerabilities | Package-level threats with upgrade commands |
| Statistics | Scan performance, cache hit rates, timing data |

Git Hook Protection

Prevent vulnerabilities from reaching your repository.

Pre-Commit scans only staged files:

```text
$ git commit -m "Add new feature"

Scanning 3 staged files...
  src/api/users.js — OK
  src/config.js — 1 issue found

SECURITY ISSUE DETECTED
File: src/config.js
Line 12: Hardcoded API key

Commit blocked. Fix the issue or bypass with: O3PASS=0 git commit
```

Pre-Push runs a full workspace scan before pushing.

Bypass for emergencies:

```sh
O3PASS=0 git commit -m "WIP: emergency fix"
```

Use bypass sparingly — only for work-in-progress commits, never for ignoring real security issues.


Settings

Open via Command Palette: O3 Security: Open Settings or search securityScanner in VS Code Settings.

Scanning

| Setting | Default | Description |
| --- | --- | --- |
| enableRealTimeScan | true | Automatic background scanning |
| scanInterval | 4 | Seconds to wait after typing stops (1-30) |
| autoSaveBeforeScan | false | Auto-save file before scanning |
| scanOnStartup | false | Scan open files when VS Code starts |
| maxFileSize | 1024 | Skip files larger than this (KB) |
| enablePatternScanner | true | Enable SAST pattern analysis |
| enableSecretScanner | true | Enable secret detection |
| enableDependencyScanner | true | Enable dependency scanning |

Display & Notifications

| Setting | Default | Description |
| --- | --- | --- |
| severityFilter | "all" | Filter: all, high, high+medium, errors-only |
| autoOpenSidebar | true | Auto-navigate to sidebar on high-severity findings |
| showStatusBarItem | true | Show scan status in status bar |
| enableNotifications | true | Desktop notifications for findings |
| notificationDelay | 10 | Seconds before showing accumulated notifications |

Git & Exclusions

| Setting | Default | Description |
| --- | --- | --- |
| blockCommitsWithVulnerabilities | true | Block commits when vulnerabilities detected |
| excludePatterns | ["node_modules/**", "dist/**", "build/**", ...] | Glob patterns to exclude |
| logLevel | "warn" | Log verbosity: off, error, warn, info, debug |

AI Fixes

| Setting | Default | Description |
| --- | --- | --- |
| preferredAITool | "" | Default AI tool: claude, copilot, codex |

Commands

All available via Command Palette (Ctrl+Shift+P / Cmd+Shift+P):

Scanning

| Command | Description |
| --- | --- |
| Scan Current File | Scan the active editor file |
| Scan Entire Workspace | Full project scan |
| Scan Dependencies | Scan package manifests for CVEs |
| Refresh Security Findings | Refresh sidebar |
| Clear Scan Cache | Reset performance cache |

AI Fixes

| Command | Description |
| --- | --- |
| Show Fix Suggestions | AI-generated fix recommendations |
| Fix with AI | Generate a fix using your preferred AI tool |
| Change Preferred AI Tool | Set default (Claude, Copilot, ChatGPT) |

Ignore Management

| Command | Description |
| --- | --- |
| Ignore This Occurrence | Suppress a specific line finding |
| Ignore Rule in This File | Suppress a rule for the entire file |
| Ignore Rule in Workspace | Suppress a rule across all files |
| Show Ignored Rules | View all suppressed findings |
| Clear All Ignored Rules | Remove all ignores |

Git Hooks

| Command | Description |
| --- | --- |
| Install Git Hooks | Set up pre-commit and pre-push hooks |
| Uninstall Git Hooks | Remove hooks |
| Enable Git Hooks | Re-enable disabled hooks |
| Disable Git Hooks | Temporarily pause hooks |
| Git Hooks Status | Check hook state |

Other

| Command | Description |
| --- | --- |
| Show Logs | Open scanner output logs |
| Open Settings | Extension settings |
| Login / Logout | Authenticate with O3 backend |
| Setup MCP Server | Configure MCP for Copilot Chat |

Supported Languages

| Language | Extensions |
| --- | --- |
| JavaScript | .js, .jsx |
| TypeScript | .ts, .tsx |
| Python | .py, .pyw |
| Java | .java |
| Go | .go |
| Ruby | .rb |
| PHP | .php |
| C/C++ | .c, .cpp, .h, .hpp |
| C# | .cs |
| Swift | .swift |
| Kotlin | .kt, .kts |
| Rust | .rs |
| Bash | .sh |
| Solidity | .sol |
| Terraform | .tf |
| Docker | Dockerfile |
| HTML | .html |
| Config | .yaml, .yml, .json, .xml, .env |

Performance

| File Size | First Scan | Cached Scan |
| --- | --- | --- |
| < 100 lines | ~150ms | ~5ms |
| 100-500 lines | ~300ms | ~5ms |
| 500-1000 lines | ~600ms | ~5ms |
| 1000+ lines | ~1.2s | ~5ms |

Cache hit rate: 85-95% during active development. Files over 1 MB are auto-excluded.


Troubleshooting

Extension not scanning?

  1. Verify the file type is supported
  2. Check that the status bar shows "O3 Security: Idle"
  3. Open Output panel: View > Output > O3 Security
  4. Restart VS Code

Git hooks not running?

  1. Verify Node.js is installed: node --version
  2. Make hooks executable (macOS/Linux): chmod +x .git/hooks/*
  3. Reinstall via Command Palette

False positives? Use the ignore system — right-click any finding in the sidebar or click the lightbulb in the editor.


Privacy

  • 100% local — All scanning runs on your machine. No code is sent anywhere.
  • No telemetry — Optional enterprise features require explicit opt-in.
  • Secure storage — Auth tokens stored via VS Code's secure credential API.