Skip to content
| Marketplace
Sign in
Visual Studio Code>Other>AppSec WorkbenchNew to Visual Studio Code? Get it now.
AppSec Workbench

AppSec Workbench

Darrien Rushing

| (0) | Free
VS Code extension scaffold with GitHub API and Postgres health checks.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

AppSec Workbench

AppSec Workbench is a TypeScript VS Code extension scaffold with starter workflows for calling the GitHub API and checking connectivity to a Postgres database.

Features

  • Store a GitHub personal access token in VS Code SecretStorage.
  • Call the GitHub API as the authenticated user and show rate-limit status.
  • Store Postgres connection details in VS Code SecretStorage.
  • Run a read-only Postgres health check with SELECT now() AS now.
  • View repository inventory and CodeQL/Dependabot vulnerability findings in React webview panels.

Commands

  • AppSec Workbench: Configure GitHub PAT
  • AppSec Workbench: Check GitHub API
  • AppSec Workbench: Configure Postgres
  • AppSec Workbench: Check Postgres
  • AppSec Workbench: View Repo Inventory
  • AppSec Workbench: Repo Vuln Findings
  • AppSec Workbench: Clear Stored Credentials

Development

Install dependencies:

npm install

Compile the extension:

npm run compile

Build only the React webview assets:

npm run build:webview

Webview Browser Harness

Use the Vite browser harness when you are iterating on React webview UI and do not need the full VS Code Extension Development Host. It runs the same shared App component used by the production webview, but supplies local sample payloads and a mocked acquireVsCodeApi() implementation.

Start the harness:

npm run dev:webview

The command starts Vite at http://127.0.0.1:5173/ and opens the findings preview. Vite hot reloads edits under src/webview, including components, styles, and sample data.

Preview states:

http://localhost:5173/src/webview/dev/index.html?view=findings
http://localhost:5173/src/webview/dev/index.html?view=inventory
http://localhost:5173/src/webview/dev/index.html?view=empty
http://localhost:5173/src/webview/dev/index.html?view=empty-inventory
http://localhost:5173/src/webview/dev/index.html?view=none

Add &theme=light or &theme=dark to switch mocked VS Code theme variables:

http://localhost:5173/src/webview/dev/index.html?view=findings&theme=light

Sample payloads live in src/webview/dev/sampleData.ts. Update that file when you need to preview new table shapes, long strings, missing values, empty states, or severity combinations.

In the harness, GitHub Open buttons do not navigate directly. They call the mocked VS Code API and log the message to the browser console:

[mock acquireVsCodeApi.postMessage] { type: "openExternal", url: "..." }

Use the full Extension Development Host when you need to verify command registration, SecretStorage, Postgres data loading, VS Code webview CSP behavior, or real external link opening.

Run lint checks:

npm run lint

Run extension tests:

npm test

Launch the Extension Development Host from VS Code with the Run Extension debug configuration.

Credential Storage

This scaffold stores the GitHub PAT, Postgres connection string, optional Postgres username, and optional Postgres password in VS Code SecretStorage. Secrets are scoped to this extension and can be removed with AppSec Workbench: Clear Stored Credentials.

The Postgres configuration command accepts a full connection string plus optional username and password overrides. The health check intentionally does not expose arbitrary SQL execution.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft