AI SCA Assistant

tropee

Free

AI-powered code review and SCA tool

AI SCA Assistant is a Visual Studio Code extension for AI-assisted code review and Software Composition Analysis (SCA). It combines local static checks with guided AI prompts in GitHub Copilot Chat so teams can catch issues earlier and improve code quality faster.

What This Extension Does

  • Reviews selected code or the active file with AI guidance.
  • Scans for common security risks with local pattern-based checks.
  • Scores code quality across readability, maintainability, complexity, documentation, and security.
  • Enforces configurable team coding policies.
  • Generates unit test prompts tailored to your language and test framework.
  • Runs workspace-level SCA to detect dependency vulnerabilities, license risks, and policy violations.

Commands

Open the Command Palette and run:

  • AI Code Review
  • AI: Scan Security Vulnerabilities
  • AI: Code Quality Dashboard
  • AI: Enforce Team Policy
  • AI: Generate Unit Tests
  • AI: Scan Security (Whole Workspace)
  • AI: Code Quality Dashboard (Whole Workspace)
  • AI: Enforce Team Policy (Whole Workspace)
  • AI: SCA - Software Composition Analysis

Most editor-level commands work on the current selection. If nothing is selected, the active file is used.

Key Features

1) Security Scan

Runs local, pattern-based checks (no data-flow or taint analysis) for common risk patterns such as:

  • XSS-prone sinks (innerHTML, document.write)
  • Dangerous execution (eval, command execution patterns)
  • Hardcoded secrets and tokens
  • Weak crypto usage (for example MD5/SHA-1)
  • Insecure transport usage (http://)
  • SQL injection risk patterns

Results are shown with severity levels (Critical, High, Medium, Low), with an option to escalate to AI analysis in Copilot Chat. Because these are pattern matches, treat a hit as a lead to triage rather than a confirmed vulnerability, and expect misses where the risky construct is split across statements or files.
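As an added example (not the extension's own code), the block below shows what a local, pattern-based scan of this kind looks like when run over a constructed sample file: each non-comment line is matched against a small rule table, findings carry a severity, and a summary gives the worst severity seen. The rule ids, regexes, severity assignments and the sample source are all assumptions made for this illustration, not the extension's rule set.

```javascript
// Added example, not the extension's code: a local, pattern-based security
// scan with severity levels. Rule ids, regexes, severities and the sample
// file below are constructed for this illustration.

const RULES = [
  { id: 'xss-sink', severity: 'High', re: /\.innerHTML\s*=|document\.write\s*\(/ },
  { id: 'dangerous-exec', severity: 'Critical', re: /\beval\s*\(|child_process|execSync\s*\(/ },
  { id: 'hardcoded-secret', severity: 'Critical',
    re: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*['"][^'"]{8,}['"]/i },
  { id: 'weak-crypto', severity: 'Medium', re: /createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/i },
  { id: 'insecure-transport', severity: 'Medium', re: /['"]http:\/\//i },
  { id: 'sqli-pattern', severity: 'High',
    re: /(?:query|execute)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/ },
];

const SEVERITY_RANK = { Critical: 4, High: 3, Medium: 2, Low: 1 };

// Whole-line comments are skipped: a cheap way to drop the most obvious false
// positives (an `eval(` mentioned in a comment) without parsing the file.
function isCommentLine(line) {
  const t = line.trim();
  return t.startsWith('//') || t.startsWith('/*') || t.startsWith('*');
}

// Run every rule against every non-comment line; one finding per (line, rule).
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    if (isCommentLine(line)) return;
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ line: idx + 1, rule: rule.id, severity: rule.severity, text: line.trim() });
      }
    }
  });
  return findings;
}

// Counts per severity plus the worst severity seen, for a results panel.
function summarize(findings) {
  const bySeverity = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  let maxSeverity = null;
  for (const f of findings) {
    bySeverity[f.severity] += 1;
    if (maxSeverity === null || SEVERITY_RANK[f.severity] > SEVERITY_RANK[maxSeverity]) {
      maxSeverity = f.severity;
    }
  }
  return { total: findings.length, bySeverity, maxSeverity };
}

// Constructed sample file. Lines 9-10 split the SQL concatenation from the
// query call, which a single-line pattern cannot connect: a deliberate miss.
const SAMPLE = [
  "const crypto = require('crypto');",
  'const API_KEY = "sk_live_0123456789abcdef"; // hardcoded credential',
  '// eval(userInput) is only mentioned here, so it is not reported',
  'function render(el, html) { el.innerHTML = html; }',
  'function run(input) { return eval(input); }',
  "const digest = crypto.createHash('md5').update(data).digest('hex');",
  "fetch('http://example.internal/api');",
  'db.query("SELECT * FROM users WHERE id = " + req.params.id);',
  'const q = "SELECT * FROM users WHERE name = " + req.query.name;',
  'db.query(q);',
].join('\n');

const findings = scanSource(SAMPLE);
for (const f of findings) {
  console.log(`${f.severity.padEnd(8)} L${String(f.line).padStart(2)} ${f.rule}: ${f.text}`);
}
console.log(summarize(findings));
```

The last two sample lines build the query in one statement and execute it in the next; no single-line pattern connects them, which is the kind of gap the escalation to AI analysis is meant to cover. The `innerHTML` rule also fires on `el.innerHTML == x` comparisons, a false-positive class to keep in mind when triaging.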

2) Code Quality Dashboard

Generates heuristic quality scores (0-100) for:

  • Readability
  • Maintainability
  • Complexity
  • Documentation
  • Security

You also get an overall score and suggested improvement direction.

3) Team Policy Enforcement

Applies your team rules from VS Code settings, including:

  • Maximum function length
  • Maximum file length
  • JSDoc requirements
  • Banned patterns
  • Naming convention rules
  • Custom rules in plain English
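An added example, not the extension's own implementation, of how the mechanically checkable rules above (function and file length, JSDoc presence, banned patterns, naming convention) can be enforced from a settings object of the shape the extension contributes under aiReview.policy.*. The policy values, the brace-counting function finder, the violation rule names and the sample file are constructed for this illustration; plain-English custom rules cannot be checked this way and are left to the AI prompt.

```javascript
// Added example, not the extension's code: enforcing team policy settings
// against a source file. Policy values, sample file and violation names are
// constructed for this illustration.

const POLICY = {
  maxFunctionLines: 5,
  maxFileLines: 300,
  requireJsDoc: true,
  bannedPatterns: ['console.log', 'debugger', 'eval('],
  namingConvention: 'camelCase', // 'camelCase' | 'snake_case' | 'any'
};

const NAMING = {
  camelCase: /^[a-z][A-Za-z0-9]*$/,
  snake_case: /^[a-z][a-z0-9_]*$/,
  any: /^/,
};

// Locate `function name(` declarations and find where each body closes by
// counting braces. A heuristic, not a parser: braces inside strings or
// comments would confuse it, the usual trade-off of a local check.
function findFunctions(lines) {
  const decl = /^\s*(?:async\s+)?function\s+([A-Za-z_$][\w$]*)\s*\(/;
  const fns = [];
  for (let i = 0; i < lines.length; i++) {
    const m = decl.exec(lines[i]);
    if (!m) continue;
    let depth = 0, opened = false, end = i;
    for (let j = i; j < lines.length; j++) {
      for (const ch of lines[j]) {
        if (ch === '{') { depth++; opened = true; } else if (ch === '}') depth--;
      }
      if (opened && depth === 0) { end = j; break; }
    }
    const prev = i > 0 ? lines[i - 1].trim() : '';
    fns.push({ name: m[1], line: i + 1, length: end - i + 1, hasJsDoc: prev.endsWith('*/') });
  }
  return fns;
}

// Returns one violation per broken rule: { rule, line, message }.
function checkPolicy(source, policy) {
  const lines = source.split('\n');
  const violations = [];
  if (lines.length > policy.maxFileLines) {
    violations.push({ rule: 'max-file-lines', line: 1, message: `${lines.length} lines > ${policy.maxFileLines}` });
  }
  for (const fn of findFunctions(lines)) {
    if (fn.length > policy.maxFunctionLines) {
      violations.push({ rule: 'max-function-lines', line: fn.line, message: `${fn.name} is ${fn.length} lines > ${policy.maxFunctionLines}` });
    }
    if (policy.requireJsDoc && !fn.hasJsDoc) {
      violations.push({ rule: 'require-jsdoc', line: fn.line, message: `${fn.name} has no JSDoc block` });
    }
    if (!NAMING[policy.namingConvention].test(fn.name)) {
      violations.push({ rule: 'naming-convention', line: fn.line, message: `${fn.name} is not ${policy.namingConvention}` });
    }
  }
  lines.forEach((text, i) => {
    for (const p of policy.bannedPatterns) {
      if (text.includes(p)) violations.push({ rule: 'banned-pattern', line: i + 1, message: `"${p}" is banned` });
    }
  });
  return violations;
}

// Constructed sample: `add` is compliant; `fetch_user` breaks several rules.
const SAMPLE = [
  '/** Adds two numbers. */',
  'function add(a, b) {',
  '  return a + b;',
  '}',
  'function fetch_user(id) {',
  '  console.log("fetching", id);',
  '  const row = db.get(id);',
  '  if (!row) {',
  '    debugger;',
  '  }',
  '  return row;',
  '}',
].join('\n');

const report = checkPolicy(SAMPLE, POLICY);
for (const v of report) console.log(`L${v.line} ${v.rule}: ${v.message}`);
```

With the sample above the checker reports five violations, all on `fetch_user` and its body; relaxing the same policy object (for example `namingConvention: "any"` and `requireJsDoc: false`, as the page's own settings example does) clears them, which is how a team would tune these values.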

4) Unit Test Generation Guidance

Builds AI prompts for test generation based on:

  • Detected file language
  • Configured framework (jest, mocha, vitest, jasmine)

Prompts are structured for practical test coverage (happy path, edge cases, and failure paths).

5) SCA (Software Composition Analysis)

Scans dependencies from supported manifests such as:

  • package.json
  • requirements.txt
  • pom.xml
  • go.mod
  • *.csproj

The SCA flow includes:

  • Vulnerability lookups
  • License detection and categorization
  • Risk scoring
  • Policy threshold checks
  • Dashboard output with remediation guidance

Requirements

  • Visual Studio Code 1.80.0 or newer
  • GitHub Copilot Chat extension (recommended for AI-assisted flows)

Extension Settings

This extension contributes settings under aiReview.policy.* and aiReview.sca.*.

Common examples:

{
  "aiReview.policy.maxFunctionLines": 50,
  "aiReview.policy.maxFileLines": 300,
  "aiReview.policy.requireJsDoc": false,
  "aiReview.policy.bannedPatterns": ["console.log", "debugger", "eval("],
  "aiReview.policy.namingConvention": "any",
  "aiReview.policy.testFramework": "jest",
  "aiReview.sca.failOnSeverity": "HIGH",
  "aiReview.sca.maxRiskScore": 70,
  "aiReview.sca.blockedLicenses": ["AGPL-3.0", "GPL-2.0", "GPL-3.0", "SSPL-1.0"]
}
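The SCA flow described under Key Features and the aiReview.sca.* thresholds above, as an added example that is not the extension's code: it reads a package.json, resolves each dependency to a version (from a lockfile map when present, otherwise the manifest range's lower bound), looks packages up in an advisory list, categorises licenses, computes a risk score and applies the failOnSeverity, maxRiskScore and blockedLicenses checks with remediation text for each hit. The manifest, lockfile map, advisory entries (placeholder ids of the form EXAMPLE-000n, not real advisories), license map and scoring weights are all constructed; only the three setting names come from the page.

```javascript
// Added example, not the extension's code: a workspace SCA pass over a
// package.json manifest. The manifest, lockfile map, advisory feed (placeholder
// ids EXAMPLE-000n), license map and scoring weights are constructed here; the
// three setting names match the aiReview.sca.* settings shown above.

const SCA_SETTINGS = {
  failOnSeverity: 'HIGH',
  maxRiskScore: 70,
  blockedLicenses: ['AGPL-3.0', 'GPL-2.0', 'GPL-3.0', 'SSPL-1.0'],
};

const MANIFEST = JSON.stringify({
  name: 'sample-app',
  dependencies: { 'left-padx': '1.0.0', 'fast-parse': '^2.1.0', 'tiny-logger': '3.0.1' },
  devDependencies: { 'test-runner': '5.2.0' },
});

// Resolved versions as a lockfile would record them (constructed).
const LOCK = { 'left-padx': '1.0.0', 'fast-parse': '2.2.1', 'tiny-logger': '3.0.1', 'test-runner': '5.2.0' };

// Stand-in for a vulnerability database; ranges here are "<fixed-version".
const ADVISORIES = [
  { pkg: 'fast-parse', range: '<2.2.0', severity: 'HIGH', id: 'EXAMPLE-0001', fixed: '2.2.0' },
  { pkg: 'tiny-logger', range: '<3.0.0', severity: 'CRITICAL', id: 'EXAMPLE-0002', fixed: '3.0.0' },
  { pkg: 'test-runner', range: '<6.0.0', severity: 'LOW', id: 'EXAMPLE-0003', fixed: '6.0.0' },
];

// Stand-in for license detection from package metadata (constructed).
const LICENSES = { 'left-padx': 'MIT', 'fast-parse': 'GPL-3.0', 'tiny-logger': 'Apache-2.0', 'test-runner': 'ISC' };

const SEVERITY_ORDER = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
const SEVERITY_WEIGHT = { LOW: 3, MEDIUM: 10, HIGH: 25, CRITICAL: 40 }; // assumed weights
const BLOCKED_LICENSE_WEIGHT = 30;

// Numeric major.minor.patch comparison; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function affectedBy(version, range) {
  if (!range.startsWith('<')) throw new Error('unsupported range: ' + range);
  return compareVersions(version, range.slice(1)) < 0;
}

// Prefer the locked version; without a lockfile only the manifest range's lower
// bound is known, which is exactly where manifest-only scans lose precision.
function resolveVersion(pkg, spec, lock) {
  return lock[pkg] || spec.replace(/^[\^~>=<\s]+/, '');
}

function runSca(manifestJson, lock, licenses, settings) {
  const manifest = JSON.parse(manifestJson);
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const vulnerabilities = [], licenseViolations = [];
  let score = 0;
  for (const [pkg, spec] of Object.entries(deps)) {
    const version = resolveVersion(pkg, spec, lock);
    for (const adv of ADVISORIES) {
      if (adv.pkg === pkg && affectedBy(version, adv.range)) {
        vulnerabilities.push({ pkg, version, id: adv.id, severity: adv.severity,
          remediation: `upgrade ${pkg} to ${adv.fixed}` });
        score += SEVERITY_WEIGHT[adv.severity];
      }
    }
    const license = licenses[pkg] || 'UNKNOWN';
    if (settings.blockedLicenses.includes(license)) {
      licenseViolations.push({ pkg, license });
      score += BLOCKED_LICENSE_WEIGHT;
    }
  }
  score = Math.min(100, score);

  // Policy threshold checks: any single reason fails the scan.
  const reasons = [];
  const failRank = SEVERITY_ORDER.indexOf(settings.failOnSeverity);
  for (const v of vulnerabilities) {
    if (SEVERITY_ORDER.indexOf(v.severity) >= failRank) {
      reasons.push(`${v.id}: ${v.pkg}@${v.version} is ${v.severity} (failOnSeverity=${settings.failOnSeverity}); ${v.remediation}`);
    }
  }
  for (const l of licenseViolations) reasons.push(`${l.pkg} uses blocked license ${l.license}`);
  if (score > settings.maxRiskScore) reasons.push(`risk score ${score} exceeds ${settings.maxRiskScore}`);
  return { score, vulnerabilities, licenseViolations, failed: reasons.length > 0, reasons };
}

console.log('with lockfile:', JSON.stringify(runSca(MANIFEST, LOCK, LICENSES, SCA_SETTINGS), null, 2));
console.log('manifest only:', JSON.stringify(runSca(MANIFEST, {}, LICENSES, SCA_SETTINGS), null, 2));
```

Running it with an empty lockfile map shows why the note about lockfile completeness matters: the manifest's `^2.1.0` lower bound for `fast-parse` falls inside the advisory range, while the locked `2.2.1` does not, so a manifest-only scan reports a HIGH finding that the installed tree does not have. The blocked-license check fails the scan in both runs, and the risk score stays under the `maxRiskScore` of 70 in both, so each of the three thresholds is exercised independently.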

Quick Start

  1. Install the extension.
  2. Open a project file in VS Code.
  3. Select code (optional).
  4. Run a command from the Command Palette (for example, AI: Scan Security Vulnerabilities).
  5. Review results in the generated panel and escalate to Copilot Chat when deeper analysis is needed.

Known Notes

  • Some deep AI actions depend on GitHub Copilot Chat availability.
  • SCA scan quality depends on manifest and lockfile completeness in your repository: a manifest alone gives version ranges, not the resolved versions actually installed.