MergeLock is a local-first code security scanner that runs directly in your editor. It detects vulnerabilities, leaks, and misconfigurations in your source code before they ever reach your version control system, keeping your development workflow safe and private.
✨ Features
- 🏠 100% Local Execution: No cloud endpoints, no telemetry, and no data leaves your machine. Your code remains yours.
- ⚡ Real-time Diagnostics: Automatically scans files on startup and upon saving, immediately flagging security findings in the Problems panel.
- 🧩 VS Code Sidebar & Status Bar: View, manage, and explore active findings directly from the dedicated MergeLock activity bar container.
- 🩹 Deterministic Safe Patches: Apply low-risk, automated fixes (like `.innerHTML` to `.textContent`, adding `rel="noopener noreferrer"` to `_blank` links, securing cookies, and upgrading weak hashing functions) with a single click.
- 🔗 Git Protection: Easily install pre-commit, pre-merge-commit, and pre-push hooks to block high or critical severity vulnerabilities from being pushed.
- 📊 SARIF 2.1.0 Support: Export findings to standard SARIF format for local reporting or CI/CD integration.
- 🌍 Localization: Native support for English and Turkish languages.
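The Git Protection and SARIF bullets above describe the same policy from two sides: block on high or critical findings, and hand a standard report to CI. The following is an added example, not MergeLock's own code, of a CI gate that reads a SARIF 2.1.0 report and returns a non-zero status when a blocking finding is present. Field names follow the SARIF 2.1.0 standard; `properties.severity` is an assumed scanner annotation, not MergeLock's documented output, and the rule ids and paths in the sample report are constructed.

```javascript
// Added example, not MergeLock's own code: gate a CI job on a SARIF 2.1.0
// report. `properties.severity` is an assumed annotation, not a documented field.

// Severities that should block a merge, mirroring the README's hook policy.
const BLOCKING = new Set(['high', 'critical']);

// Severity of one result: an explicit properties.severity (assumed field) wins;
// otherwise SARIF's standard `level` is mapped, with "error" treated as blocking.
function resultSeverity(result) {
  const explicit = result.properties && result.properties.severity;
  if (typeof explicit === 'string') return explicit.toLowerCase();
  return { error: 'high', warning: 'medium' }[result.level] || 'low';
}

// Parses a SARIF 2.1.0 document and returns the blocking findings across all
// runs as { ruleId, severity, file, line } records.
function blockingFindings(sarifText) {
  const sarif = JSON.parse(sarifText);
  if (sarif.version !== '2.1.0') throw new Error(`unsupported SARIF version: ${sarif.version}`);
  const out = [];
  for (const run of sarif.runs || []) {
    for (const r of run.results || []) {
      const sev = resultSeverity(r);
      if (!BLOCKING.has(sev)) continue;
      const loc = (r.locations && r.locations[0] && r.locations[0].physicalLocation) || {};
      out.push({ ruleId: r.ruleId, severity: sev,
        file: loc.artifactLocation ? loc.artifactLocation.uri : '?',
        line: loc.region ? loc.region.startLine : 0 });
    }
  }
  return out;
}

// Exit status a CI step should use for this report: 1 blocks, 0 passes.
function gateExitCode(sarifText) {
  const found = blockingFindings(sarifText);
  found.forEach((f) => console.error(`${f.severity.toUpperCase()} ${f.ruleId} ${f.file}:${f.line}`));
  return found.length ? 1 : 0;
}

// Constructed sample report: one critical secret finding and one warning-level finding.
const SAMPLE_SARIF = JSON.stringify({
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'example-scanner' } },
    results: [
      { ruleId: 'secrets/aws-access-key', level: 'error', properties: { severity: 'critical' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'src/config.js' }, region: { startLine: 12 } } }] },
      { ruleId: 'frontend/target-blank', level: 'warning',
        locations: [{ physicalLocation: { artifactLocation: { uri: 'src/app.jsx' }, region: { startLine: 40 } } }] },
    ],
  }],
});
```

In a pipeline step, read the exported report from disk and call `process.exit(gateExitCode(text))`; the constant `SAMPLE_SARIF` shows the shape the parser expects.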
🛠️ Supported Languages & Rules
MergeLock scans a wide array of file types:
js, jsx, ts, tsx, mjs, cjs, html, vue, svelte, astro, py, go, rs, java, kt, cs, rb, php, sql, env, json, yaml, toml, tf, dockerfile, and more.
Key Rules Checked:
- 🔑 Secrets Leakage: AWS, GitHub, Google API, Slack, Stripe, npm tokens, private keys, and general credentials.
- 🌐 Frontend Vulnerabilities: DOM XSS (`dangerouslySetInnerHTML`, `v-html`), target blank vulnerabilities, unsafe redirects, and CSP issues.
- 🖥️ Backend & Language Rules: SQL injection, command execution, path traversal, weak JWTs, permissive CORS, weak hashing, and unsafe object deserialization.
- 📦 Container & IaC: Privileged containers, root execution, permissive cloud storage, and insecure bash execution.
🚀 Quick Start
Installation
During development, package and install the extension locally:
cd extensions/vscode
npx @vscode/vsce package --target linux-x64
code --install-extension mergelock-teskilatsiz-linux-x64-0.1.2.vsix
Usage
- Open a workspace folder.
- Trust the workspace (required to start the local engine).
- The scanner runs automatically. Look for the 🔒 MergeLock icon on your activity bar or review findings in the Problems panel.
- Open the command palette (`Ctrl+Shift+P` / `Cmd+Shift+P`) to run commands manually.
⌨️ Available Commands
| Command | Description |
| --- | --- |
| MergeLock: Scan Current File | Scans the active file in the editor |
| MergeLock: Scan Changed Files | Scans files modified in git |
| MergeLock: Scan Workspace | Runs a full scan across the open workspace |
| MergeLock: Show Security Review | Opens the interactive visual security dashboard |
| MergeLock: Apply Safe Patch | Applies the deterministic patch for the active finding |
| MergeLock: Apply All Safe Patches | Resolves all auto-patchable issues in one action |
| MergeLock: Install Git Hooks | Configures Git hooks (pre-commit, pre-push, etc.) |
| MergeLock: Create/Refresh Baseline | Creates a baseline to suppress current findings |
| MergeLock: Clear Baseline | Removes the baseline to show all suppressed findings |
⚙️ Configuration
Customize the extension via your VS Code Settings:
| Setting | Default | Description |
| --- | --- | --- |
| `mergelock.scanOnStartup` | `true` | Runs workspace scan on editor startup |
| `mergelock.scanOnSave` | `true` | Runs file scan upon save |
| `mergelock.scanDebounceMs` | `750` | Debounce time (ms) for file save scanning |
| `mergelock.showNotifications` | `true` | Shows popup notification on new findings |
| `mergelock.offerGitHooks` | `true` | Asks to install Git hooks in Git repositories |
| `mergelock.binaryPath` | `""` | Custom path to the mergelock CLI binary |
| `mergelock.lspPath` | `""` | Custom path to the mergelock-lsp binary |
📄 License
This extension is licensed under the MIT License.