ShieldX - Extension Auditor

Toufiq Hasan Kiron

1 install | (0) | Free
Scan installed VS Code extensions for security risks, suspicious behavior, and excessive permissions.


Scan extensions. Surface risk. Keep VS Code safer.



ShieldX is an extension auditor for Visual Studio Code. It scans installed extensions to detect supply chain risks, security vulnerabilities, excessive permissions, publisher trust signals, and suspicious AST patterns.


Key Features

  • Interactive Security Dashboard: A sidebar-first panel inside the VS Code Activity Bar for one-click scans and history management.
  • Static AST Pattern Scan: Searches JavaScript/TypeScript source files for obfuscated code, telemetry evasion, hardcoded credentials, and arbitrary code execution.
  • Dependency Vulnerability Audits: Integrates with the OSV.dev API to check nested dependencies against open-source vulnerability databases.
  • Capability & Manifest Scans: Audits extension permissions, activation events, install scripts, and network capability signatures.
  • Publisher Trust Engine: Performs reputational analysis based on account age, ratings, total downloads, and verified publisher attributes.
  • Multi-format Report Exports: Export security summaries in Markdown, JSON, HTML, PDF, CSV, and SARIF formats.
  • Audit History Tracking: Track, compare, and clear past scan logs to understand changes in workspace risk level.
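
To make the Capability & Manifest Scans item concrete, here is an added example (not ShieldX's own code) of a manifest audit over an extension's package.json. The rule names, severity labels, and sample manifest are assumptions made for illustration.

```javascript
// Added illustration: a minimal manifest audit for a VS Code extension's package.json.
// Rule names and severity labels are assumptions, not ShieldX's own rule set.
const EAGER_EVENTS = new Set(["*", "onStartupFinished"]);
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "vscode:uninstall"];
const NON_REGISTRY = /^(git\+|git:|https?:|file:|github:)/i;

function auditManifest(manifest) {
  const findings = [];
  const add = (rule, severity, detail) => findings.push({ rule, severity, detail });

  // Eager activation: the extension's code runs on every window start.
  for (const ev of manifest.activationEvents ?? []) {
    if (EAGER_EVENTS.has(ev)) add("eager-activation", "moderate", ev);
  }

  // Lifecycle scripts run commands at install or uninstall time,
  // outside normal extension activation.
  for (const name of LIFECYCLE_SCRIPTS) {
    const cmd = manifest.scripts?.[name];
    if (cmd) add("lifecycle-script", "high", `${name}: ${cmd}`);
  }

  // Dependencies pulled from a URL, git ref, or local path are not resolved
  // from the npm registry, so registry-based advisories may not match them.
  for (const [dep, spec] of Object.entries(manifest.dependencies ?? {})) {
    if (NON_REGISTRY.test(spec)) add("non-registry-dependency", "high", `${dep}@${spec}`);
  }

  // Full untrusted-workspace support keeps the extension enabled in Restricted Mode.
  if (manifest.capabilities?.untrustedWorkspaces?.supported === true) {
    add("runs-in-untrusted-workspace", "moderate", "capabilities.untrustedWorkspaces.supported = true");
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  name: "example-ext",
  publisher: "example-publisher",
  activationEvents: ["*", "onLanguage:json"],
  scripts: { compile: "tsc -p .", postinstall: "node setup.js" },
  dependencies: { "left-pad": "^1.3.0", helper: "git+https://example.invalid/helper.git" },
  capabilities: { untrustedWorkspaces: { supported: true } },
};

console.log(auditManifest(sampleManifest));
```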

Getting Started

Installation

Install ShieldX - Extension Auditor (thk.shieldx) from the VS Code Marketplace or Extension Panel inside the IDE.

How to Use

  1. Open the ShieldX Dashboard from the Activity Bar icon.
  2. Click Scan Extensions to query all local extension directories.
  3. Review flagged warnings, capability scores, and deep dependencies.
  4. Export reports using the dashboard action toolbar or via the Command Palette.

Configuration Options

Customize ShieldX behaviour by updating VS Code settings:

| Setting | Type | Default | Description |
|---|---|---|---|
| shieldx.autoScanOnStartup | boolean | false | Triggers a security scan automatically on VS Code startup. |
| shieldx.warnOnHighRisk | boolean | true | Shows warning notifications when high/critical risk extensions are discovered. |
| shieldx.minimumWarningLevel | string | "high" | The minimum warning level needed to alert the user ("moderate", "high", "critical"). |
| shieldx.scanNodeModules | boolean | false | Deep-scans nested node_modules inside extensions (slower). |
| shieldx.reportFormat | string | "markdown" | Default output file type for exported reports. |
| shieldx.enableOsvScan | boolean | true | Performs online dependency checking via the OSV API. |
| shieldx.pdfBrowserPath | string | "" | Chrome/Edge binary path used for rendering exact PDF reports. |

Commands Contributed

  • ShieldX: Scan Installed Extensions — Run audit on workspace extensions.
  • ShieldX: Open Security Dashboard — Display the sidebar dashboard.
  • ShieldX: Export Security Report — Save current scan logs to disk.
  • ShieldX: Add Extension to Allowlist — Set a trusted extension bypass.
  • ShieldX: Block Extension — Explicitly mark an extension as untrusted.
  • ShieldX: Show Current Policy — View and edit active allowlists/blocklists.

License

Distributed under the MIT License. See LICENSE for more details.


👥 Authors

Created and maintained by Toufiq Hasan Kiron.
