O3 Security - Real-Time Security Scanner for VS Code
O3 Security is a professional VS Code extension that provides real-time security scanning directly in your IDE. Detect vulnerabilities, hardcoded secrets, and security issues as you write code.
Key Features
- Real-time Detection - Instant feedback as you code
- Multi-Language Support - Works with 15+ programming languages
- Git Integration - Block vulnerable commits and pushes automatically
- Smart Caching - Fast scans with intelligent performance optimization
- Ignore Management - Flexible suppression system for false positives
- Zero Configuration - Works immediately after installation
What It Detects
Security Vulnerabilities:
- SQL Injection
- Cross-Site Scripting (XSS)
- Command Injection
- Path Traversal
- Insecure Cryptography
- Authentication Issues
Hardcoded Secrets:
- API Keys
- Passwords
- Database Credentials
- Cloud Provider Keys
- Access Tokens
- Private Keys
Code Quality Issues:
- Dangerous Functions
- Deprecated APIs
- Security Anti-patterns
Supported Languages
| Language | File Extensions |
|----------|-----------------|
| JavaScript | .js, .jsx |
| TypeScript | .ts, .tsx |
| Python | .py, .pyw |
| Java | .java |
| Go | .go |
| Ruby | .rb |
| PHP | .php |
| C/C++ | .c, .cpp, .h, .hpp |
| C# | .cs |
| Swift | .swift |
| Kotlin | .kt, .kts |
| Rust | .rs |
| Config Files | .yaml, .yml, .json, .xml, .env |
Installation
- Open the VS Code Extensions panel (Ctrl+Shift+X or Cmd+Shift+X)
- Search for "O3 Security"
- Click Install
- Restart VS Code
The extension activates automatically when you open any supported file.
Quick Start
Automatic Scanning
- Open any supported file
- O3 Security scans automatically after 4 seconds of idle time (the `scanInterval` setting)
- Issues appear as underlined text:
- Red underline - High severity
- Yellow underline - Medium severity
- Blue underline - Low severity
View Findings
Click the O3 Security icon in the Activity Bar (left sidebar) to see:
- Workspace Overview - Security metrics summary
- Findings by File - Organized list of all issues
- Statistics - Scan performance data
Manual Scanning
Scan current file:
- Open the Command Palette (Ctrl+Shift+P or Cmd+Shift+P)
- Type `O3 Security: Scan Current File`
- Press Enter
Scan entire workspace:
- Open the Command Palette
- Type `O3 Security: Scan Entire Workspace`
- Press Enter
Git Hooks
Overview
Git hooks scan your code on your machine before each commit and push and block the operation when issues are found, so findings are caught before they reach the repository. Keep in mind that Git hooks are client-side: they live in `.git/hooks`, are not committed with the repository, and can be skipped with the bypass described below (or Git's own `--no-verify`). Treat them as a first line of defence for the developer, not an enforcement boundary; if a guarantee is needed, run the same scan server-side or in CI.
Two types of protection:
- Pre-Commit Hook - fast scan of staged files only
- Pre-Push Hook - comprehensive scan of the entire project
Installation
- Open the Command Palette (Ctrl+Shift+P or Cmd+Shift+P)
- Type `O3 Security: Install Git Hooks`
- Press Enter
- Confirm installation
How It Works
Pre-Commit (Fast Mode):

```text
$ git commit -m "Add new feature"
Scanning 3 staged files...
src/api/users.js - OK
src/config.js - 1 issue found
SECURITY ISSUE DETECTED
File: src/config.js
Line 12: Hardcoded API key
Commit blocked. Fix the issue or bypass with: O3PASS=0 git commit
```

Pre-Push (Full Scan):

```text
$ git push origin main
Scanning 247 files...
Progress: 100% complete
Cache hit rate: 92%
3 Critical issues found
Push blocked. Fix issues or bypass with: O3PASS=0 git push
```
Bypass Protection
For legitimate cases (work-in-progress commits, emergency fixes):
```bash
# Bypass pre-commit
O3PASS=0 git commit -m "WIP: in progress"
# Bypass pre-push
O3PASS=0 git push origin feature-branch
```
Use the bypass sparingly and only for temporary situations; never bypass a real security issue. Because the bypass is an environment variable, it can linger if it was exported in a shell profile or a CI job; if the hooks stop blocking unexpectedly, check that `O3PASS` is not set in your environment.
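As an added illustration (not the extension's own hook script, which the page does not show), the following Python script implements the same pre-commit flow: it lists the staged files, scans them, blocks the commit on any finding, and honours `O3PASS=0` as a bypass. The secret pattern, the function names and the messages are assumptions made for this example; a real hook would call the extension's scanner instead of the one-rule `scan_text` here.

```python
#!/usr/bin/env python3
"""Illustrative pre-commit gate: scan staged files, block on findings, honour O3PASS=0.

Added example, not the O3 Security hook script. The secret pattern, function
names and messages are assumptions made for this illustration.
"""
from __future__ import annotations

import os
import re
import subprocess
import sys
from pathlib import Path

# Assumed rule: a quoted Stripe-style live key. A real hook would call the scanner.
SECRET_RE = re.compile(r"""["']sk_live_[A-Za-z0-9]{10,}["']""")
BYPASS_VAR = "O3PASS"  # the page's bypass variable; the value "0" disables blocking


def staged_files(repo: str = ".") -> list[str]:
    """Paths staged for commit (added/copied/modified), i.e. the fast pre-commit scope."""
    out = subprocess.run(
        ["git", "-C", repo, "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, message) for each finding in the given source text."""
    return [(n, "Hardcoded API key")
            for n, line in enumerate(text.splitlines(), start=1)
            if SECRET_RE.search(line)]


def scan_file(path: str) -> list[tuple[int, str]]:
    return scan_text(Path(path).read_text(errors="replace"))


def decide(findings_by_file: dict[str, list[tuple[int, str]]], env: dict[str, str]) -> str:
    """'allow' when nothing was found, 'bypass' when O3PASS=0 is set, otherwise 'block'."""
    if not any(findings_by_file.values()):
        return "allow"
    if env.get(BYPASS_VAR) == "0":
        return "bypass"
    return "block"


def main() -> int:
    findings = {p: scan_file(p) for p in staged_files() if Path(p).is_file()}
    for path, hits in findings.items():
        for lineno, message in hits:
            print(f"SECURITY ISSUE DETECTED\n  File: {path}\n  Line {lineno}: {message}",
                  file=sys.stderr)
    verdict = decide(findings, dict(os.environ))
    if verdict == "block":
        print(f"Commit blocked. Fix the issue or bypass with: {BYPASS_VAR}=0 git commit",
              file=sys.stderr)
        return 1  # any non-zero exit makes git abort the commit
    if verdict == "bypass":
        print(f"WARNING: {BYPASS_VAR}=0 is set, committing despite findings", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as an executable `.git/hooks/pre-commit`, Git runs this before every commit. `git diff --cached --name-only` is what limits the scan to staged paths (deleted files are skipped by `--diff-filter=ACM`), and the non-zero exit status is the only mechanism Git gives a hook to abort the commit, which is also why the bypass has to be decided inside the script.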
Uninstallation
- Open the Command Palette
- Type `O3 Security: Uninstall Git Hooks`
- Press Enter
Configuration
Accessing Settings
Method 1: Command Palette
- Open the Command Palette (Ctrl+Shift+P or Cmd+Shift+P)
- Type `O3 Security: Open Settings`
Method 2: VS Code Settings
- Open Settings (Ctrl+, or Cmd+,)
- Search for "security scanner"
Key Settings
```json
{
  "securityScanner.enableRealTimeScan": true,
  "securityScanner.scanInterval": 4,
  "securityScanner.autoOpenSidebar": true,
  "securityScanner.blockCommitsWithVulnerabilities": true,
  "securityScanner.severityFilter": "all"
}
```
Settings Explained:
| Setting | Default | Description |
|---------|---------|-------------|
| enableRealTimeScan | true | Enable automatic scanning |
| scanInterval | 4 | Wait time in seconds after typing stops (1-30) |
| autoOpenSidebar | true | Auto-open the sidebar for high-severity issues |
| blockCommitsWithVulnerabilities | true | Enable Git hook blocking |
| severityFilter | "all" | Show: all, high, high+medium, or errors-only |
Ignore System
Why Use Ignores
Sometimes legitimate code triggers false positives. The ignore system lets you suppress specific findings without disabling the scanner.
Adding Ignores
From Findings Panel:
- Open O3 Security sidebar
- Right-click on any finding
- Choose ignore level:
- Ignore This Occurrence - Specific line only
- Ignore Rule in This File - Entire file
- Ignore Rule in Workspace - All files
From Editor:
- Hover over underlined issue
- Click lightbulb icon
- Select ignore option
Managing Ignores
View all ignores:
- Open the Command Palette
- Type `O3 Security: Show Ignored Rules`
Clear all ignores:
- Open the Command Palette
- Type `O3 Security: Clear All Ignored Rules`
Usage Examples
Example 1: Hardcoded Credentials
Vulnerable Code:

```javascript
const apiKey = "sk_live_51234567890abcdef";
const password = "MySecretPassword123";
```

O3 Security Detects:
- Line 1: [HIGH] Hardcoded API key
- Line 2: [HIGH] Hardcoded password

Fixed Code:

```javascript
const apiKey = process.env.STRIPE_API_KEY;
const password = process.env.DB_PASSWORD;
```

Reading the values from the environment removes them from the source, but a secret that was ever committed stays in the Git history and should be treated as compromised: rotate it first, then land the code change.
Example 2: SQL Injection
Vulnerable Code:

```javascript
const userId = req.query.id;
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.query(query);
```

O3 Security Detects:
- Line 2: [HIGH] SQL injection vulnerability

Fixed Code:

```javascript
const userId = req.query.id;
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
```
Example 3: Command Injection
Vulnerable Code:

```python
import os
filename = request.args.get('file')
os.system(f'cat {filename}')
```

(`request` is the web framework's request object, for example Flask's; the query-string value is interpolated straight into a shell command line.)

O3 Security Detects:
- Line 3: [HIGH] Command injection

Fixed Code:

```python
import subprocess
filename = request.args.get('file')
subprocess.run(['cat', filename], check=True)
```

Passing an argument list avoids the shell, so metacharacters in `filename` are no longer interpreted. It does not make the code safe on its own: `filename` is still attacker-controlled and `cat` will read whatever path it is given, which is the Path Traversal case from the detection list. Resolve the name under a fixed directory and reject anything that escapes it, and handle the `None` returned when the parameter is absent, before passing it on.
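To make the detection and suppression behaviour concrete, here is an added example (my own illustration, not the extension's rule engine or its ignore storage format) that scans source text with three assumed regex rules corresponding to the three examples above and then filters the findings through the three ignore scopes described under Ignore System: a single occurrence (rule, file and line), a rule in one file, or a rule across the whole workspace. Rule IDs, patterns, severities, messages and the `Ignore` representation are assumptions; the sample files are constructed copies of the vulnerable and fixed snippets above. The SQL rule goes slightly beyond the JavaScript example and also catches Python f-string interpolation and `+` concatenation.

```python
"""Added example: a small rule-based scanner with occurrence/file/workspace ignores.

Not the O3 Security engine; rule IDs, regexes, messages and the Ignore
representation are assumptions made for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    severity: str
    message: str


# Assumed rules: (rule id, severity, pattern, message), each evaluated per line.
RULES = [
    # A credential-looking name assigned a quoted literal of 8+ characters.
    ("hardcoded-secret", "HIGH",
     re.compile(r"""(?i)\b(api[_-]?key|password|secret)\b\s*[:=]\s*["'][^"']{8,}["']"""),
     "Hardcoded credential"),
    # A SQL keyword followed, before any quote on the same line, by an interpolation
    # (${x} in JS template literals, {x} in Python f-strings) or '+' concatenation.
    ("sql-injection", "HIGH",
     re.compile(r"""(?i)\b(select|insert|update|delete)\b[^'"`\n]*?(\$\{[^}]+\}|\{[^}]+\}|\+\s*\w+)"""),
     "SQL query built from interpolated input"),
    # os.system() called with an f-string or a concatenated string.
    ("command-injection", "HIGH",
     re.compile(r"""\bos\.system\(\s*(f["']|[^)]*\+)"""),
     "Shell command built from interpolated input"),
]


@dataclass(frozen=True)
class Ignore:
    """One suppression. file=None means workspace scope; line=None means the whole file."""
    rule: str
    file: str | None = None
    line: int | None = None

    def covers(self, f: Finding) -> bool:
        return (self.rule == f.rule
                and (self.file is None or self.file == f.file)
                and (self.line is None or self.line == f.line))


def scan(file: str, text: str) -> list[Finding]:
    """Run every rule over every line; findings come back in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(file, lineno, rule, severity, message))
    return findings


def apply_ignores(findings: Iterable[Finding], ignores: Iterable[Ignore]) -> list[Finding]:
    """Drop any finding covered by at least one ignore entry."""
    ignores = list(ignores)
    return [f for f in findings if not any(i.covers(f) for i in ignores)]


# Constructed inputs: the vulnerable and fixed snippets from the examples above.
SAMPLES = {
    "src/config.js": 'const apiKey = "sk_live_51234567890abcdef";\n'
                     'const password = "MySecretPassword123";\n',
    "src/config.fixed.js": "const apiKey = process.env.STRIPE_API_KEY;\n"
                           "const password = process.env.DB_PASSWORD;\n",
    "src/users.js": "const userId = req.query.id;\n"
                    "const query = `SELECT * FROM users WHERE id = ${userId}`;\n"
                    "db.query(query);\n",
    "src/users.fixed.js": "const userId = req.query.id;\n"
                          "const query = 'SELECT * FROM users WHERE id = ?';\n"
                          "db.query(query, [userId]);\n",
    "app/view.py": "import os\n"
                   "filename = request.args.get('file')\n"
                   "os.system(f'cat {filename}')\n",
    "app/view.fixed.py": "import subprocess\n"
                         "filename = request.args.get('file')\n"
                         "subprocess.run(['cat', filename], check=True)\n",
}


def scan_workspace(samples: dict[str, str] = SAMPLES,
                   ignores: Iterable[Ignore] = ()) -> list[Finding]:
    """Scan every sample file, then apply the given ignores."""
    all_findings = [f for path, text in samples.items() for f in scan(path, text)]
    return apply_ignores(all_findings, ignores)


if __name__ == "__main__":
    # Occurrence-level ignore: silences line 2 of src/config.js and nothing else.
    for f in scan_workspace(ignores=[Ignore("hardcoded-secret", "src/config.js", 2)]):
        print(f"[{f.severity}] {f.file}:{f.line} {f.rule}: {f.message}")
```

The fixed variants of all three snippets produce no findings, which is the property to check whenever you tune a rule. Note how scope widens in `Ignore.covers`: an occurrence ignore needs all three fields to match, a file ignore drops the line, and a workspace ignore matches on the rule alone, so the same rule is silenced in every file, which is why the narrowest scope that fits is the right default.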
Scan Times
| File Size | First Scan | Cached Scan |
|-----------|------------|-------------|
| Small (< 100 lines) | ~150ms | ~5ms |
| Medium (100-500 lines) | ~300ms | ~5ms |
| Large (500-1000 lines) | ~600ms | ~5ms |
| Very Large (1000+ lines) | ~1.2s | ~5ms |

- Cache hit rate: 85-95% during active development
- Automatic cleanup: old entries are removed automatically
- Manual reset: use the `O3 Security: Clear Scan Cache` command if needed
Commands Reference
All commands appear in the Command Palette with the `O3 Security:` prefix.

| Command | Description |
|---------|-------------|
| Scan Current File | Manually scan the active file |
| Scan Entire Workspace | Scan all files in the project |
| Install Git Hooks | Enable commit/push protection |
| Uninstall Git Hooks | Remove the Git hooks |
| Show Ignored Rules | View all suppressed findings |
| Clear All Ignored Rules | Remove all ignores |
| Clear Scan Cache | Reset the performance cache |
| Show Logs | Open detailed logs |
| Open Settings | Configure the extension |
Troubleshooting
Extension Not Working
Problem: No scans happening
Solutions:
- Verify file type is supported
- Check status bar shows "O3 Security: Idle"
- View Output panel: View > Output > O3 Security
- Restart VS Code
Git Hooks Not Running
Problem: Commits succeed without scanning
Solutions:
- Verify Node.js is installed: `node --version`
- Verify the hooks exist: `ls -l .git/hooks/pre-commit .git/hooks/pre-push`
- Check that Git is not reading hooks from another directory: if `git config --get core.hooksPath` prints a path, Git ignores `.git/hooks` entirely (some tooling sets this); unset it with `git config --unset core.hooksPath` or arrange for the hooks to be run from that directory
- Make the hooks executable (Mac/Linux): `chmod +x .git/hooks/pre-commit .git/hooks/pre-push`
- Reinstall the hooks via the Command Palette
Slow Scans
Problem: Scans taking too long
Solutions:
- Clear the cache: `O3 Security: Clear Scan Cache`
- Increase `scanInterval` in settings (e.g., 10 seconds) so scans run less often while you type
- Check whether very large files are being scanned (files over 1 MB are excluded automatically)
False Positives
Problem: Safe code flagged as vulnerable
Solutions:
- Use the ignore system to suppress the specific finding, at the narrowest scope that fits: an occurrence-level ignore keeps the rule active everywhere else, whereas a workspace-level ignore silences the rule in every file
- Before ignoring, check whether the code can be restructured so the flagged pattern is no longer needed; a construct that is safe today can become a real issue when the code is later reused with untrusted input