Takumo
AI code governance — catch secrets, enforce policies, and intercept risky AI-generated code before it ships.
Website · Dashboard · Documentation · Changelog
Takumo scans your code in real time as you write, detects hardcoded secrets before they reach version control, and automatically validates AI-generated code against your organization's security policies. Everything runs locally via the takumo-daemon — your code never leaves your machine unless you choose to connect to Takumo Cloud.
Works with VS Code, Cursor, and any VS Code-compatible editor.
Features
- Real-time code scanning — Scans files on save and while typing. Issues appear as inline diagnostics with severity levels (Critical, High, Medium, Low).
- Secret detection — Catches AWS keys, API tokens, database URLs, private keys, and 30+ secret patterns with confidence scoring. Red underlines appear instantly.
- AI code interception — Automatically detects large multi-line pastes (from Copilot, ChatGPT, Claude, etc.) and scans them for policy violations and embedded secrets before they settle into your codebase.
- Clipboard monitoring — Watches your clipboard for secrets and warns you before you paste sensitive data into prompts or chat windows.
- Quick-fix code actions — One-click fixes: replace hardcoded secrets with environment variables, suppress rules per-line.
- Activity bar side panel — Daemon status, scan results, and account management in a dedicated panel.
- Status bar indicator — Shows connection status, scanning activity, and security score at a glance.
- Workspace scanning — Scan your entire workspace across 10+ file types with progress tracking.
- Right-click context menu — Scan or detect secrets in any selected text.
- Offline-first — All scanning runs locally. No internet required. Optionally connect to Takumo Cloud for org policies and audit trails.
- Privacy controls — Choose whether to send code content or metadata-only to cloud services. Your code, your rules.
Requirements
The extension requires the takumo-daemon to be installed and available on your system. The daemon is a lightweight local process that handles all scanning and detection.
| Dependency | Required | Purpose |
| --- | --- | --- |
| takumo-daemon | Yes | Local scanning engine (secret detection, policy validation) |
| Takumo Cloud account | No | Org policies, audit trails, team security posture |
If the daemon is not running when VS Code starts, the extension will attempt to start it automatically (configurable via takumo.daemon.autoStart).
Getting Started
- Install the extension from the VS Code Marketplace or .vsix file
- Install the daemon:
    # From releases
    curl -sSL https://get.takumo.io/daemon | sh
    # Or build from source
    cargo install --path crates/takumo-daemon
- Start the daemon:
    takumo-daemon start
- Open any code file and save it — diagnostics appear automatically
- (Optional) Sign in via Takumo: Sign In in the command palette to connect to your org
The status bar will show Takumo in green when connected to the daemon, or Takumo · Offline when the daemon is not running.
Commands
All commands are available via the Command Palette (Ctrl+Shift+P / Cmd+Shift+P):
| Command | Description |
| --- | --- |
| Takumo: Scan Current File | Run a full scan on the active file |
| Takumo: Scan Workspace | Scan all supported files in the workspace |
| Takumo: Scan Selection | Scan the selected text |
| Takumo: Detect Secrets in File | Run secret detection on the active file |
| Takumo: Detect Secrets in Selection | Run secret detection on selected text |
| Takumo: Sign In | Authenticate with your Takumo API key |
| Takumo: Sign Out | Clear stored credentials |
| Takumo: Open Dashboard | Open Takumo Cloud in your browser |
| Takumo: Show Status | Display daemon status, auth state, and health |
| Takumo: Toggle Daemon | Start or stop the daemon process |
| Takumo: Privacy Settings | Open privacy-related settings |
| Takumo: Clear Diagnostics | Clear all Takumo diagnostics |
| Takumo: Show Security Score | Display current scanner and gateway health |
| Takumo: Refresh Panel | Refresh the side panel data |
Configuration
All settings are under takumo.* in your VS Code settings. Open with Cmd+, / Ctrl+, and search for "takumo".
General
| Setting | Default | Description |
| --- | --- | --- |
| takumo.enabled | true | Enable or disable the extension entirely |
| takumo.apiKey | "" | Takumo API key. Prefer using the Sign In command which stores it in your OS keychain |
| takumo.cloud.baseUrl | https://cloud.takumo.io | Takumo Cloud base URL |
Daemon
| Setting | Default | Description |
| --- | --- | --- |
| takumo.daemon.autoStart | true | Automatically start the daemon when VS Code opens |
| takumo.daemon.binaryPath | "" | Custom path to the takumo-daemon binary. Auto-detected from PATH if empty |
| takumo.daemon.port | 19532 | Port the daemon listens on |
Scanning
| Setting | Default | Description |
| --- | --- | --- |
| takumo.scan.onSave | true | Run a full scan when a file is saved |
| takumo.scan.onType | true | Run a debounced scan while typing |
| takumo.scan.debounceMs | 500 | Debounce delay in milliseconds for on-type scanning |
Secret Detection
| Setting | Default | Description |
| --- | --- | --- |
| takumo.secrets.enabled | true | Enable secret detection in scanned files |
| takumo.secrets.clipboardMonitoring | true | Monitor clipboard for secrets and show a warning before pasting |
AI Interception
| Setting | Default | Description |
| --- | --- | --- |
| takumo.interception.enabled | true | Detect large multi-line pastes and scan them automatically |
| takumo.interception.minLines | 3 | Minimum number of lines to trigger AI paste detection |
| takumo.interception.minChars | 50 | Minimum number of characters to trigger AI paste detection |
Privacy
| Setting | Default | Description |
| --- | --- | --- |
| takumo.privacy.sendCodeSnippets | false | When true, sends full code content to Takumo Cloud. When false (default), only metadata (file name, issue count) is transmitted |
Notifications
| Setting | Default | Description |
| --- | --- | --- |
| takumo.notifications.showScanResults | true | Show notifications when scans find issues |
| takumo.notifications.showSecretAlerts | true | Show notifications when secrets are detected |
Privacy & Security
Takumo is designed with privacy as a default:
- All scanning is local. The daemon runs on your machine. No code is transmitted anywhere unless you explicitly enable takumo.privacy.sendCodeSnippets.
- API keys are stored in your OS keychain via VS Code's SecretStorage API — not in plaintext settings files.
- Clipboard monitoring can be disabled per-setting. When active, clipboard content is scanned locally and never transmitted.
- Metadata-only mode (default) sends file names and issue counts to Takumo Cloud for audit trails, but never source code.
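To check that a workspace or user settings file still matches these defaults, the following added example (not part of the Takumo project's code) audits a settings object in Node.js. The setting names and default values come from the Configuration tables above; the function name, severity labels and sample values are assumptions made for this illustration.

```javascript
// Added example, not Takumo's code. Setting names and defaults are taken from
// the Configuration tables; severities and all other names are assumptions.
const DEFAULT_CLOUD_ORIGIN = "https://cloud.takumo.io";
const PROTECTIVE_FLAGS = [ // all default to true per the tables
  "takumo.enabled", "takumo.scan.onSave", "takumo.secrets.enabled",
  "takumo.secrets.clipboardMonitoring", "takumo.interception.enabled",
];

function auditTakumoSettings(settingsJson) {
  // Assumes plain JSON; strip // comments first if your settings.json has them.
  const s = JSON.parse(settingsJson);
  const findings = [];
  const add = (setting, severity, message) =>
    findings.push({ setting, severity, message });

  // settings.json is a plaintext file, unlike the keychain used by Sign In.
  if (typeof s["takumo.apiKey"] === "string" && s["takumo.apiKey"] !== "") {
    add("takumo.apiKey", "high", "API key in plaintext settings; use Takumo: Sign In");
  }
  if (s["takumo.privacy.sendCodeSnippets"] === true) {
    add("takumo.privacy.sendCodeSnippets", "medium", "full code content is sent to Takumo Cloud");
  }
  const base = s["takumo.cloud.baseUrl"];
  if (base !== undefined) {
    let url = null;
    try { url = new URL(base); } catch (e) { /* unparsable: flagged below */ }
    if (url === null || url.protocol !== "https:") {
      add("takumo.cloud.baseUrl", "high", "cloud base URL is not a valid https URL");
    } else if (url.origin !== DEFAULT_CLOUD_ORIGIN) {
      add("takumo.cloud.baseUrl", "low", "non-default cloud endpoint; confirm it is intended");
    }
  }
  for (const key of PROTECTIVE_FLAGS) {
    if (s[key] === false) add(key, "medium", "protective feature disabled (default is true)");
  }
  return findings;
}

// Constructed sample input; the key value is a placeholder, not a real format.
const SAMPLE_SETTINGS = JSON.stringify({
  "takumo.apiKey": "EXAMPLE-PLACEHOLDER-KEY",
  "takumo.privacy.sendCodeSnippets": true,
  "takumo.cloud.baseUrl": "http://cloud.takumo.io",
  "takumo.secrets.clipboardMonitoring": false,
  "takumo.scan.debounceMs": 500,
});

for (const f of auditTakumoSettings(SAMPLE_SETTINGS)) {
  console.log(`[${f.severity}] ${f.setting}: ${f.message}`);
}
```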
Telemetry
This extension does not collect telemetry. When connected to Takumo Cloud, only metadata explicitly permitted by your privacy settings is transmitted.
Contributing
See CONTRIBUTING.md for development setup, architecture, and build instructions.
License
Proprietary. Copyright (c) 2026 Takumo, Inc. All rights reserved. See LICENSE for details.