🛡️ Shadow-IT Guardian
Industrial-grade Dependency Security & Compliance Audit for VS Code.

Shadow-IT Guardian is a zero-config, high-performance extension designed to protect projects from "Shadow IT" risks—vulnerable or legally restrictive dependencies that sneak into your codebase during rapid development.
⚡ Quick Start
Just install the extension and open any package.json. No login or configuration required.
🌟 Why Shadow-IT Guardian?
🔒 Privacy-First Architecture
Unlike traditional security tools that may index your entire workspace, we treat your source code as a black box.
- Selective Scanning: We only parse metadata files (package.json, requirements.txt, go.mod).
- Minimal Data: Only dependency names and versions are sent to the Deps.dev API. Your logic, secrets, and private code never leave your machine.
- Strict Exclusion: Automatically ignores node_modules, dist, .git, and build artifacts to ensure total privacy.
- Privacy Policy: See our full Privacy Policy for details.
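What "minimal data" means in practice is that only the name/version pairs are ever extracted from a manifest. The parsers below are an added example written for this README, not the extension's own code; they cover the three supported manifest types and apply the 200-package cap described later, with the sample manifests constructed inline.

```typescript
// Added example (not Shadow-IT Guardian's code): pull only dependency names and versions
// out of the three supported manifests, so nothing else ever needs to leave the machine.
interface Dep { name: string; version: string; }
const AUDIT_CAP = 200; // the 200-package cap described in this README
// package.json: dependencies and devDependencies; malformed JSON yields an empty list.
function parsePackageJson(text: string): Dep[] {
  let doc: any = null;
  try { doc = JSON.parse(text); } catch { /* malformed manifest: nothing to audit */ }
  const out: Dep[] = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const block = doc && typeof doc === "object" ? doc[field] : null;
    if (!block || typeof block !== "object") continue;
    for (const name of Object.keys(block)) {
      if (typeof block[name] === "string") out.push({ name, version: block[name] });
    }
  }
  return out.slice(0, AUDIT_CAP);
}
// requirements.txt: comments, blank lines and option lines (-r, --index-url) are skipped;
// "==x" pins give a version, any other specifier is kept verbatim.
function parseRequirements(text: string): Dep[] {
  const out: Dep[] = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line || line.charAt(0) === "-") continue;
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$/.exec(line);
    if (!m) continue;
    const pin = /^==\s*([^\s,;]+)/.exec(m[2]);
    out.push({ name: m[1].toLowerCase(), version: pin ? pin[1] : m[2].trim() });
  }
  return out.slice(0, AUDIT_CAP);
}
// go.mod: single-line "require path vX" and multi-line "require ( ... )" blocks.
function parseGoMod(text: string): Dep[] {
  const out: Dep[] = [];
  let inBlock = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\/\/.*/, "").trim(); // drop "// indirect" style comments
    if (/^require\s*\($/.test(line)) { inBlock = true; continue; }
    if (inBlock && line === ")") { inBlock = false; continue; }
    const body = /^require\s+/.test(line) ? line.replace(/^require\s+/, "") : inBlock ? line : "";
    const m = /^(\S+)\s+(v\S+)/.exec(body);
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out.slice(0, AUDIT_CAP);
}
// Constructed sample manifests (not from any real project).
const SAMPLE_REQUIREMENTS = "# pins\nrequests==2.31.0\n-r base.txt\nFlask[async]>=2.0 # web\n";
const SAMPLE_GO_MOD = "module example.com/app\n\nrequire golang.org/x/text v0.14.0\nrequire (\n\tgithub.com/a/b v1.2.3 // indirect\n)\n";
```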
Specifically optimized for developers who don't want their IDE to turn into a memory hog.
- vs. Snyk/Security Graphs: While enterprise tools can consume 500MB+ RAM and block indexing, Shadow-IT Guardian runs on a ~15MB footprint.
- Smart Orchestration:
  - 750ms Debounced Audits: No redundant scans while you type.
  - 5-Concurrency Limit: Prevents network congestion and API rate-limiting.
  - 200-Package Audit Cap: Ensures stability even in massive monorepos.
  - Two-Level Cache: Persistent 24h global storage + L1 memory cache for instantaneous results.
> [!TIP]
> Pro Tip: Unlike enterprise security scanners that run a heavy Java/Node background service, Shadow-IT Guardian leverages VS Code's native Web Worker API and lightweight fetch streams, ensuring your IDE stays snappy even with 50+ extensions installed.
⚖️ Scenario-Based Value
- Independent Developers: Avoid accidentally "open-sourcing" your commercial product by catching "Copyleft" licenses (GPL, AGPL) before you commit.
- Outsourcing Teams: Deliver clean, compliant codebases to clients. Provide automated proof that the project is free of high-risk vulnerabilities and restrictive licenses.
- Legacy Maintenance: Instantly identify abandoned packages with Scorecard data (e.g., packages with 0 maintenance activity).
🚀 Features
- 🔴 License Policing: Real-time alerts for restrictive licenses (GPL, AGPL, EUPL, etc.) that could pose legal risks to proprietary software.
- 🛡️ Vulnerability Guard: Deep integration with Google's Deps.dev to surface Critical and High CVEs.
- 📉 Library Health Prediction: Automatically flags packages with low OpenSSF Scorecard scores. Any library with a maintenance score below 4.0 is marked as a "High-risk Legacy Dependency," even without active vulnerabilities.
- 💡 AI-Powered Alternatives: Not just warnings—get curated recommendations for modern, safer, and better-maintained alternatives.
| Risky Package | Problem | AI Recommendation |
|---|---|---|
| moment | Deprecated, Heavy (67kB) | ✅ dayjs (2kB, Immutable) |
| request | Unmaintained (Legacy) | ✅ axios or fetch |
| node-sass | Deprecated | ✅ sass (Dart Sass) |
- 🎨 Pro UI Integration:
  - CodeLens: One-click summary at the top of your dependency blocks.
  - Hover Details: Markdown-rich tooltips with severity breakdown and AI tips.
  - Health StatusBar: A "Shield" icon in your status bar indicating the real-time health of your manifest.
- 🤖 Robust Parsing: Handles malformed JSON, garbage input, and massive manifests with industrial stability.
🛠 Supported Ecosystems
| System | File Pattern |
|---|---|
| npm | package.json |
| Python | requirements.txt |
| Go | go.mod |
🛡️ Best Practices
- Check the StatusBar: If it's a green shield $(shield), you're safe! A red error $(error) means immediate action is needed.
- Hover for Tips: Hover over any highlighted dependency to see why it's risky and what to use instead.
- Manual Audit: Use the command Shadow-IT: Audit Current File at any time for a forced refresh.
💬 Feedback & Bug Report
We value your feedback! If you find a bug or have a feature request, please let us know:
- Data Accuracy: Help us stay accurate! Report any data discrepancies directly via the hover link.
- GitHub Issues: Open an issue here
- Submit a Review: Love the extension? Rate us on the Marketplace!
📜 License
This project is licensed under the SHADOW-IT GUARDIAN END USER LICENSE AGREEMENT. See the LICENSE file for details.
🔒 Privacy
Shadow-IT Guardian is built with privacy in mind. Please see our Privacy Policy for more information on how we handle data.
📜 Disclaimer
*Important: Shadow-IT Guardian is a decision-support tool, not a guarantee of security or legal compliance.*
- *Data Source: Audit results are based on third-party data from deps.dev. We do not guarantee the absolute accuracy or timeliness of this data.*
- *Not Legal Advice: License risk detection is for informational purposes only. It does not constitute legal advice.*
- *Liability: Under no circumstances shall the authors be liable for any security breaches, legal disputes, or data loss resulting from the use or reliance on this extension. Always perform a final manual audit for production-critical releases.*
Built for Developers, by Developers. Stay safe, stay compliant.