# SecurePy
SecurePy is a VS Code extension for running the SecurePy Python security scanner directly inside the editor.
## Features
- Scan the current Python file
- Scan the entire workspace
- Show findings in the Problems panel
- Highlight issues directly in the editor
- Inline quick fixes for common security issues
- Optional scan on save
- Output raw SecurePy results in the SecurePy output channel
## Commands

| Command | Description |
| --- | --- |
| SecurePy: Scan Current File | Scan the active Python file |
| SecurePy: Scan Workspace | Scan all Python files in the workspace |
| SecurePy: Clear Diagnostics | Remove all SecurePy diagnostics from the editor |
## Quick Fixes

SecurePy provides automatic fixes for common findings. When an issue is highlighted, open the Quick Fix menu (Ctrl+. / Cmd+.) to apply a fix.

| Rule | Fix |
| --- | --- |
| `debug_mode`, `flask_debug_true` | Rewrites `debug=True` → `debug=False` |
| `unsafe_yaml_load`, `yaml_load` | Replaces `yaml.load(...)` → `yaml.safe_load(...)` |
| All other rules | Shows a SecurePy: Explain rule action |
## Requirements

This extension requires the SecurePy CLI to be installed and accessible on your machine.

Point the extension to the CLI using the `securepy.executablePath` setting:

```json
{
  "securepy.executablePath": "/absolute/path/to/securepy"
}
```

Tip: Use the full absolute path to the executable inside your virtual environment, e.g. `/path/to/project/.venv/bin/securepy`.
## Settings

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| `securepy.executablePath` | string | `"securepy"` | Path to the SecurePy CLI executable |
| `securepy.scanArgs` | array | `["--format", "json", "--stdout", "--no-color"]` | Extra arguments passed to SecurePy |
| `securepy.scanOnSave` | boolean | `false` | Automatically scan Python files on save |
## Troubleshooting

### SecurePy failed: spawn ... ENOENT

The extension cannot find the SecurePy executable. Set `securepy.executablePath` to the full absolute path of the binary.

### No diagnostics appear after scanning

Check the SecurePy output channel (View → Output → SecurePy) for raw CLI output and any errors.

### Scan on save is not triggering

Ensure `securepy.scanOnSave` is set to `true` in your VS Code settings, and that the file is a saved (non-untitled) Python file.