SnakeFlow

Full documentation & guides: snakeflow.pages.dev
The enterprise-grade quality layer for vibe coders.
You're shipping fast with Cursor and AI. That's the superpower. But who's watching the code quality?
Vibe coding generates features at 10× speed — and technical debt at the same rate if nothing stops it. Leaked secrets, skipped type checks, 500-line functions, unreviewed dependencies with CVEs. The kind of issues that trigger post-mortems at enterprise companies. The kind that take down startups overnight.
SnakeFlow is the guardrail. Press Ctrl+M F — and in seconds you get the same quality signal that enterprise teams spend thousands of dollars a month on SonarCloud, Snyk, CodeQL, and Semgrep to get. Built-in heuristics, powerful CLI security scanners, and 16 cloud services — all running in parallel, right in your VS Code sidebar, before you push a single line.
Ship fast. Ship clean. SnakeFlow makes sure your AI-generated code is actually production-ready.
Stop switching tabs. Start shipping.
Every developer knows the drill: one terminal for servers, another for Docker, a browser tab for GitHub issues, a separate window for quality dashboards, and a clipboard full of commands you keep retyping.
SnakeFlow ends that. It's a VS Code / Cursor extension that collapses your entire development operations layer — servers, code quality, Docker, database tools, GitHub — into one sidebar and one keybinding.
Ctrl+M M → everything you need, right there.
Why vibe coders and teams choose SnakeFlow
- Ctrl+M S — starts your entire stack at once. Next.js, Django, Go, Rails, any language, any number of servers.
- Ctrl+M F — runs 90+ quality checks in parallel: static analysis, secret detection, security scanning (Semgrep, Trivy, Checkov, Bandit, Gitleaks, OSV-Scanner, Bearer, Ruff, MyPy, Clippy, Govulncheck, RuboCop, Brakeman, PHPStan, ktlint, Detekt, .NET Format, SwiftLint, Dart Analyze, Ansible Lint, Helm Lint), plus 16 cloud services (SonarCloud, Snyk, CodeQL, Codecov…). Results stream live to the sidebar. Send the full report to Cursor Chat in one click.
- Ctrl+M I — creates a GitHub issue. Full Issues + PRs sidebar, no browser needed.
- Docker Compose — up/down/restart/logs/build from the menu. No terminal.
- Database & ORM — Prisma, Drizzle, Alembic, Django, Rails, EF Core, and more — auto-detected, one-click actions.
- Git Branches — checkout, delete, open on GitHub, protected branch guard — from the sidebar.
- Voice Dictation — Gemini AI transcribes your voice directly into chat, issue description, or PR comment.
By the numbers
- 90+ quality checks (built-in, CLI, cloud, custom)
- 16 cloud quality services
- 10+ languages with native auto-detection
- 1 shortcut to run everything
- 0 extra browser tabs required
- Free — no account, no telemetry
Built for real teams
Before: Four terminals. Two browser tabs. A Slack message asking "did anyone run lint?" Repeat every PR.
After: Ctrl+M F. Done. Full quality report in the sidebar. One click to Cursor Chat for AI triage.
SnakeFlow targets the VS Code Extension API and is tested on Microsoft Visual Studio Code, Cursor, and Google Antigravity. The same build is also published to Open VSX for VSCodium, Eclipse Theia–based editors, Gitpod, code-server, and other products that use the Open VSX registry instead of the Microsoft Marketplace. Install in 30 seconds from either gallery — no config files, no accounts, no cloud sign-up. All settings live in standard VS Code Settings (devManager.*).
Installation
Full step-by-step (editors, galleries, optional tools): snakeflow.pages.dev/getting-started/installation.
From VS Code Marketplace
Search for SnakeFlow: Dev Environment Manager in the Extensions panel (Ctrl+Shift+X), or run:
ext install vaulttec-dev.snakeflow-dev-manager
From Open VSX
For VSCodium, Theia, Gitpod, and other editors that use Open VSX: open-vsx.org/extension/vaulttec-dev/snakeflow-dev-manager.
Visual Studio Code, Cursor, Antigravity, VSCodium, etc. are separate applications — install the extension in each product you use (gallery UI, Open VSX, or .vsix per IDE).
Manual .vsix Install
Download .vsix from the VS Marketplace or Open VSX, then:
```bash
cursor --install-extension snakeflow-dev-manager-0.3.11.vsix --force
# or for VS Code:
code --install-extension snakeflow-dev-manager-0.3.11.vsix --force
# or for Antigravity:
antigravity --install-extension snakeflow-dev-manager-0.3.11.vsix --force
# or for VSCodium:
codium --install-extension snakeflow-dev-manager-0.3.11.vsix --force
```
After installing, reload the window: Ctrl+Shift+P → Developer: Reload Window.
Quick Start
- Install the extension from Marketplace or .vsix
- Open a project folder in VS Code / Cursor
- Press Ctrl+M M — the extension auto-detects the project name and package manager
- Configure servers via Manage Servers or edit devManager.project.servers in Settings
- Use the menu to start servers, run Quality Hub checks, manage GitHub, and more
All settings live in VS Code's standard Settings UI. Search for @ext:vaulttec-dev.snakeflow-dev-manager in Settings (Ctrl+,). No separate config files.
AI automatic setup (Cursor / Antigravity / VS Code)
Install the setup-dev-manager skill from this repo (.cursor/skills/setup-dev-manager/SKILL.md) and ask the agent to configure SnakeFlow — it scans the project and writes devManager.* into .vscode/settings.json.
- Cursor → copy to %USERPROFILE%\.cursor\skills\setup-dev-manager\ (Windows) or ~/.cursor/skills/setup-dev-manager/ (macOS/Linux)
- Antigravity → copy to %USERPROFILE%\.vscode\skills\setup-dev-manager\ (Windows) or ~/.vscode/skills/setup-dev-manager/ (macOS/Linux)
- VS Code → paste the SKILL.md contents at the start of any AI chat conversation (Copilot, Continue, etc.)
Full steps: AI setup skill (docs site).
Usage
After installation, use SnakeFlow from the Activity Bar (SnakeFlow icon) and the command palette:
- Ctrl+M M — main menu: servers, scripts, database, Docker, GitHub, Quality Hub, settings, and more.
- Ctrl+M F — run all enabled Quality Hub checks for the selected project.
- Sidebar — pick a project, start/stop servers, browse quality results, GitHub Issues, and branches.
All behavior is driven by VS Code / Cursor settings (devManager.*). Search @ext:vaulttec-dev.snakeflow-dev-manager in Settings (Ctrl+,). For field-by-field reference, see Configuration on the docs site or the Configuration Reference section below.
Features
Servers
Start, stop, and restart any number of dev servers — Next.js, Vite, FastAPI, Django, Rails, Go, Rust, PHP — any runtime, any command.
Each server runs in a named terminal and is monitored via TCP port check + terminal presence. Status is visible in the sidebar and status bar.
Configuration:

```json
"devManager.project.servers": [
  { "id": "web", "label": "Frontend", "command": "npm run dev", "path": "apps/web", "port": 3000 },
  { "id": "api", "label": "API Server", "command": "python manage.py runserver 8000", "path": "backend", "port": 8000 },
  { "id": "worker", "label": "Celery", "command": "celery -A config worker -l info", "path": "backend", "port": 0 }
]
```
| Field | Required | Description |
|---|---|---|
| id | yes | Unique identifier ("web", "api", "worker") |
| label | yes | Display name shown in sidebar and status bar |
| command | yes | Shell command to run the server |
| path | no | Relative working directory from project root ("" = root) |
| port | no | TCP port to monitor for live status (0 = no monitoring) |
Commands:
- Ctrl+M S — Start all servers
- Ctrl+M Q — Stop all servers
- Ctrl+M R — Restart all servers
- Main menu → individual server controls
Scripts Runner
Run any script from package.json (or Makefile, Cargo.toml, etc.) through a searchable quick-pick menu — no need to open a terminal.
Command: Ctrl+M N — Scripts | Main menu → Scripts
Docker Compose / Containers
Control Docker Compose (or Podman) from the sidebar and main menu. Supports any compose file location and custom infrastructure commands.
Installing Docker Desktop
If Docker is not yet installed:
Windows / macOS: Download Docker Desktop from docker.com and run the installer
Linux (Ubuntu/Debian):
```bash
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
newgrp docker
```
Verify: docker --version and docker compose version
Pulling Docker Images
Some quality checks (Bearer SAST on Linux/macOS) use Docker images. Pull them in advance:
```bash
# Bearer SAST scanner
docker pull bearer/bearer:latest-amd64   # preferred (amd64/arm64 builds)
docker pull bearer/bearer:latest         # fallback
# Verify
docker images | grep bearer
```
Configuring Container Actions

```json
"devManager.project.composePath": "",
"devManager.project.containerActions": [
  { "label": "Up", "command": "docker compose up -d" },
  { "label": "Down", "command": "docker compose down" },
  { "label": "Restart", "command": "docker compose restart" },
  { "label": "Status", "command": "docker compose ps" },
  { "label": "Logs", "command": "docker compose logs -f --tail 100" },
  { "label": "Pull Images", "command": "docker compose pull" },
  { "label": "Build Images", "command": "docker compose build" },
  { "label": "Down + Volumes", "command": "docker compose down -v", "confirm": true }
]
```
Set "confirm": true on destructive actions — the user is prompted before execution.
composePath can point to a custom file: "infra/docker-compose.prod.yaml". Leave empty ("") for auto-detection.
devManager.docker.composeCommand controls the CLI: "docker compose" (default) | "docker-compose" | "podman compose".
GitHub CI with act
Run GitHub Actions workflows locally without pushing to GitHub, using act.
Installing act:
```bash
# Windows (Winget)
winget install nektos.act
# macOS
brew install act
# Linux
curl -s https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
```
Requires Docker Desktop to be running.
Command: Main menu → CI / Run GitHub Actions Locally
GitHub Issues
Full GitHub Issues management from the sidebar — without leaving your IDE.
Features:
- View issues with filters: milestone, assignee, date range, label, search
- Create new issues with AI-assisted title generation (Gemini optional)
- Edit issue title, body, assignees, milestone, labels
- Close issues
- Add comments
- Create a branch from an issue
- Send issue context to Cursor Chat for AI assistance
Requires: gh CLI authenticated (gh auth login)
Gemini AI title generation (optional):

```json
"devManager.gemini.apiKey": "AIza...",
"devManager.gemini.model": "gemini-2.5-flash"
```
Command: Ctrl+M I — Create Issue | Sidebar → GitHub Issues panel
Pull Requests
View open Pull Requests grouped by status (needs review, approved, changes requested) in the sidebar.
Features:
- See PR title, author, review status, CI status
- Open PR on GitHub
- Send PR diff + context to Cursor Chat for AI code review
AI Code Review Context:
SnakeFlow's integration with AI code review focuses on the diff between your feature branch and the main branch, leveraging additional repository context where available (e.g., in services like Greptile). For more advanced, full-repository AI insights, consider native GitHub features like Copilot Code Review and GitHub Code Quality, or dedicated tools like Cursor Bugbot, Sentry Seer, Bito, and Amazon Q Developer, which often run at the SCM (Source Code Management) level and provide deeper analysis.
Requires: gh CLI authenticated
Custom chat prompt:

```json
"devManager.prToChat.prompt": "Review this PR with focus on security and performance."
```
Git Branches
Manage local and remote branches from the sidebar.
Features:
- View all local branches sorted by last commit date
- Checkout a branch with one click
- Delete a branch (single or multiple)
- Protected branches require double confirmation before deletion
- Click a branch to open its compare view on GitHub
Configuration:

```json
"devManager.git.defaultBranch": "main",
"devManager.git.protectedBranches": ["main", "master", "develop", "staging", "production"]
```
Status Bar
Five status bar items at the bottom of the IDE:
| Item | Description |
|---|---|
| Project name | Click to open the main SnakeFlow menu |
| Server status | Live per-server monitoring (green = port open + terminal running) |
| Docker | Shows whether a docker-compose file is detected |
| GitHub | Signed-in GitHub account icon; click to sign in if not authenticated |
| Git branch | Current branch + ↑ahead / ↓behind counts; click to pull from origin; auto-refreshes every 60 s |
Voice Dictation
Dictate text using your microphone directly into the IDE. Gemini AI transcribes the audio and integrates it into your workflow.
Features:
- Status bar microphone button (Windows only): Click to start recording, click again to stop. Transcribed text is copied to the clipboard, and a notification provides an "Open Chat" button to paste it into the current conversation (Ctrl+V).
- Microphone button in Issue forms: Dictate text directly into the Description field when creating or editing a GitHub issue.
- Microphone button in PR comment fields: Dictate text directly into the comment field when reviewing a Pull Request.
Configuration:

```jsonc
"devManager.gemini.apiKey": "AIza...",
"devManager.gemini.model": "gemini-2.5-flash",
"devManager.gemini.dictationLanguage": "uk" // auto, en, uk, de, fr, es, pl, etc.
```
Quality Hub
The Quality Hub is SnakeFlow's most powerful feature: a code quality system of 90+ checks that run in parallel, with results streamed live to the sidebar as each check completes.
Results are sorted by status: fail → warn → error → pass → skip. Each result shows a summary and expandable details. A copy button lets you copy any result to the clipboard.
Shortcut: Ctrl+M F — run all enabled Quality Hub checks (built-in, CLI, cloud, and custom checks).
To mirror a classic lint → typecheck → test → build flow, add those steps as custom checks in devManager.quality.customChecks (or use the + button on the Quality Hub panel). The old sequential build pipeline (devManager.pipeline.*) was removed — Quality Hub replaces it.
Auto-gate duplicate built-ins
With 90+ providers shipped, several regex/heuristic built-ins overlap with much stronger tools (ESLint plugins, Trivy, SonarCloud, dependency-cruiser, etc.). The extension ships a master switch devManager.quality.autoGateDuplicates.enabled (default true) that silently hides a built-in whenever a superior alternative is already active in the project. Set it to false to run every enabled provider regardless of overlap.
| Built-in (hidden when superseded) | Superseded by |
|---|---|
| Type Safety, Broad Types, Return Types, Non-Null Assertions, Enum Usage | ESLint with @typescript-eslint in config |
| Parameter Count | Any configured JS/TS linter (ESLint / Biome / Oxlint) |
| Long Lines, Mixed Indentation | Prettier / Biome / .editorconfig |
| React Hook Rules | eslint-plugin-react-hooks |
| Accessibility | eslint-plugin-jsx-a11y |
| Secret Leaks | Trivy / Bearer / Semgrep (when enabled) |
| ESLint Security | eslint-plugin-security already in main ESLint config |
| LCOV Coverage | Codecov / Coveralls (when configured) |
| Copy-Paste (jscpd) | SonarCloud (duplicated_lines_density) |
| Cross-Layer Imports | dependency-cruiser or arch-DSL |
| Coupling Metrics, Import Depth, Barrel Files | dependency-cruiser |
Commands:
- Ctrl+M F — Run all Quality Hub checks
- Sidebar panel → Run All Checks
- Sidebar panel → Run single check (click ▶ on any item)
- Sidebar panel → Send Report to Chat
- Main menu → Quality Hub
Quality Hub — Cloud Providers
Cloud services connect to their APIs using your token. They read data that was already collected by your CI/CD pipeline — no additional scans are triggered.
Note: Most cloud services require at least one git push (to trigger CI) before they have data to show. If you have no pushes yet, the check will return "No data available."
| Provider | What It Checks | Cost | Token |
|---|---|---|---|
| SonarCloud | Bugs, code smells, security hotspots, duplications, coverage gate | Free for public repos | SONAR_TOKEN |
| Snyk | Dependency CVEs, license violations, code security issues | Free tier (limited) | Snyk API token |
| Codecov | Test line/branch/function coverage trends, PR coverage delta | Free for public repos | Codecov token |
| CodeQL | Deep semantic code vulnerability analysis (GitHub native) | Free via GitHub | GitHub auth |
| Codacy | Automated code review: complexity, duplication, style, security | Free for public repos | Codacy token |
| CodeClimate | Maintainability score, technical debt, test coverage | Free for public repos | CodeClimate token |
| Coveralls | Test coverage trends over time, per-file coverage | Free for public repos | Coveralls token |
| DeepSource | Auto-detects and fixes issues across 30+ languages | Free for public repos | DeepSource token |
| CodeAnt AI | Detects anti-patterns, code smells, code health metrics | Free tier | CodeAnt token |
| Aikido Security | SAST, SCA, IaC security, secrets, malicious dependencies | Free tier | Aikido token |
| CodeRabbit | AI-powered PR review with expanded diff context | Free tier | CodeRabbit token |
| Greptile | AI codebase understanding — asks questions, gets answers | Paid | Greptile token |
| Cubic | Code metrics dashboard: complexity, coupling, cohesion | Free tier | Cubic token |
| Qodo | AI test generation and coverage suggestions | Free tier | Qodo token |
| Qlty | Unified quality platform: issues, coverage, trends | Free tier | Qlty token |
| Semgrep Cloud | SAST findings from Semgrep rulesets in the cloud | Free tier | Semgrep token |
Configuration example (SonarCloud):

```json
"devManager.quality.sonarcloud.enabled": true,
"devManager.quality.sonarcloud.token": "sqp_xxxxxxxxxxxx",
"devManager.quality.sonarcloud.org": "my-org",
"devManager.quality.sonarcloud.projectKey": "my-org_my-project"
```
Configuration example (Snyk):

```json
"devManager.quality.snyk.enabled": true,
"devManager.quality.snyk.token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"devManager.quality.snyk.orgId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
```
Configuration example (Codecov):

```json
"devManager.quality.codecov.enabled": true,
"devManager.quality.codecov.token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"devManager.quality.codecov.owner": "my-github-org",
"devManager.quality.codecov.repo": "my-repo"
```

All other cloud providers follow the same pattern with enabled + token + provider-specific keys. Tokens are stored in your workspace settings.json; keep that file out of version control so the tokens are never committed.
Quality Hub — Built-in Checks
Most checks run in pure Node.js (no install). Some built-ins call npx tsc or external CLIs (YAMLlint, Spectral, Checkov, SQLFluff, Markdownlint) and return skip when the tool or project files are missing. All are enabled by default.
Code Size & Complexity
| Check | What It Detects | Default Thresholds |
|---|---|---|
| Line Count | Source files that are too long | warn ≥ 300, fail ≥ 500 lines |
| Function Length | Functions / methods that are too long | warn ≥ 40, fail ≥ 80 lines |
| Cyclomatic Complexity | Functions with too many branches | warn ≥ 10, fail ≥ 20 |
| File Size | Files exceeding size limits (excludes .vsix artifacts) | warn ≥ 50 KB, fail ≥ 200 KB |
| Long Lines | Lines exceeding column width (applies skipFiles exclusions) | warn if >5 % of lines over 120 chars |
| Import Depth | Deep import chains (../../../) (ignores comment lines) | warn ≥ 4, fail ≥ 6 levels |
| Directory Depth | Folder nesting too deep | warn ≥ 7, fail ≥ 10 levels |
| Dependency Count | Too many direct dependencies in package.json / Cargo.toml / etc. | warn ≥ 50, fail ≥ 100 |
| Heavy Imports | Full-package imports of large libraries (lodash, @mui/material) that block tree-shaking | — |
| Barrel Files | Oversized index.ts/js re-export files that hurt tree-shaking and build performance | — |
Code Quality & Maintainability
| Check | What It Detects | Default Thresholds |
|---|---|---|
| TODO Count | TODO, FIXME, HACK, BUG, XXX, NOSONAR comments | — |
| Commented Code | Blocks of code commented out (not regular comments) | — |
| Duplicate Files | Exact binary-identical files (different names, same content) | — |
| Mixed Indent | Files mixing tabs and spaces | — |
| Encoding | Non-UTF-8 files that can cause cross-platform issues | — |
| Debug Leaks | console.log, print(), debugger, var_dump(), dd() left in code (excludes build tooling scripts) | — |
| Secret Leaks | Hardcoded API keys, tokens, passwords, private keys in source | — |
| Gitignore Check | Files that match .gitignore patterns but are still tracked | — |
| Magic Numbers | Hardcoded numeric literals that should be named constants | warn ≥ 3, fail ≥ 5 |
| Parameter Count | Functions / methods with too many parameters | warn ≥ 4, fail ≥ 7 |
Architecture & Design
| Check | What It Detects |
|---|---|
| Coupling Metrics | High afferent/efferent coupling; flags "god files" and unstable modules |
| Cross-Layer Imports | Forbidden import directions (e.g. UI importing Prisma; API routes importing React components) |
| Component Inventory | Similar UI components/hooks by naming pattern — suggests consolidation |
| Project Structure | Checks fileRules (files in specific folders) and folderRules (exports specific symbols) |
Type Safety & Documentation
| Check | What It Detects | Default Thresholds |
|---|---|---|
| Any Coverage | TypeScript any usage — counts explicit annotations, casts, generics | warn ≥ 10, fail ≥ 50 |
| JSDoc Coverage | Percentage of exported functions/classes/interfaces with JSDoc comments | warn < 50%, fail < 20% |
| Return Types | TS functions without explicit return types | warn ≥ 10, fail ≥ 50 |
Test Quality
| Check | What It Detects |
|---|---|
| Test Ratio | Test-to-source file ratio — warns when tests are sparse |
| Empty Tests | it() / test() / def test_ / #[test] blocks with no assertions |
| LCOV Coverage | Reads existing lcov.info or coverage-summary.json — line, branch, function % |
| Stryker | Mutation testing score (JS/TS) |
CI/CD Security
| Check | What It Detects |
|---|---|
| GitHub Actions Audit | Unpinned actions, pull_request_target misuse, ${{ }} injection points, hardcoded secrets in workflows |
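As an added example (not SnakeFlow's own code), the following shows the kind of line-level heuristics a GitHub Actions Audit like the one above applies: unpinned `uses:` refs, checkout of the PR head under `pull_request_target`, event-controlled `${{ }}` expressions inside `run:` steps, and secret-looking literals. The secret patterns, the list of untrusted event fields and the sample workflows are assumptions constructed for illustration.

```javascript
// Added example, not SnakeFlow's implementation. Plain string scanning, no YAML library.

const SHA_PIN = /^[0-9a-f]{40}$/;
// Constructed patterns for a few common secret shapes (GitHub PAT, AWS key id, PEM key).
const SECRET_LIKE = /ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----/;
// Event-controlled values that must not be interpolated directly into a shell step
// (assumed list; pass them through `env:` instead, as in CLEAN_WORKFLOW below).
const UNTRUSTED_CONTEXT =
  /\$\{\{\s*(?:github\.event\.(?:issue|pull_request|comment|review|discussion)\.[\w.]+|github\.head_ref)\s*\}\}/;

function auditWorkflow(yamlText) {
  const lines = yamlText.split(/\r?\n/);
  const isCode = (l) => l.trim() !== '' && !l.trim().startsWith('#');
  const usesPrTarget = lines.some((l) => isCode(l) && /\bpull_request_target\b/.test(l));
  const findings = [];
  let inRun = false;   // inside a `run:` step (single line or `run: |` block)
  let runIndent = -1;  // column of the `run` key that opened the block

  lines.forEach((raw, i) => {
    if (!isCode(raw)) return;
    const line = raw.trim();
    const indent = raw.length - raw.trimStart().length;
    const lineNo = i + 1;

    // Any key at or left of the `run` key closes the run block.
    if (inRun && indent <= runIndent) inRun = false;

    // 1. Actions referenced by tag or branch instead of a full commit SHA.
    const uses = line.match(/^-?\s*uses:\s*([^\s#]+)/);
    if (uses && !uses[1].startsWith('./') && !uses[1].startsWith('docker://')) {
      const at = uses[1].lastIndexOf('@');
      if (at === -1 || !SHA_PIN.test(uses[1].slice(at + 1))) {
        findings.push({ line: lineNo, rule: 'unpinned-action', detail: uses[1] });
      }
    }

    // 2. Checking out the PR head under pull_request_target runs untrusted code
    //    with the base repository's write token.
    if (usesPrTarget && /^ref:\s*\$\{\{\s*github\.event\.pull_request\.head\./.test(line)) {
      findings.push({ line: lineNo, rule: 'pull_request_target-checkout', detail: line });
    }

    // 3. Event-controlled expressions expanded inside a shell command.
    const run = line.match(/^(-\s*)?run:/);
    if (run) {
      inRun = true;
      runIndent = indent + (run[1] ? run[1].length : 0);
    }
    if (inRun) {
      const m = line.match(UNTRUSTED_CONTEXT);
      if (m) findings.push({ line: lineNo, rule: 'expression-injection', detail: m[0] });
    }

    // 4. Secret-looking literals anywhere in the workflow.
    const secret = line.match(SECRET_LIKE);
    if (secret) findings.push({ line: lineNo, rule: 'hardcoded-secret', detail: secret[0] });
  });
  return findings;
}

// Map findings onto the Quality Hub style statuses: only unpinned refs are a warning.
function statusFor(findings) {
  if (findings.length === 0) return 'pass';
  return findings.some((f) => f.rule !== 'unpinned-action') ? 'fail' : 'warn';
}

// Constructed workflow containing one instance of each problem.
const SAMPLE_WORKFLOW = `name: pr-bot
on:
  pull_request_target:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - name: Greet
        run: |
          echo "Title: \${{ github.event.pull_request.title }}"
        env:
          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      - name: Safe greet
        env:
          TITLE: \${{ github.event.pull_request.title }}
        run: echo "$TITLE"
`;

// Constructed workflow with the same job written safely.
const CLEAN_WORKFLOW = `on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - env:
          TITLE: \${{ github.event.pull_request.title }}
        run: echo "$TITLE"
`;

console.log(statusFor(auditWorkflow(SAMPLE_WORKFLOW)), auditWorkflow(SAMPLE_WORKFLOW));
console.log(statusFor(auditWorkflow(CLEAN_WORKFLOW)), auditWorkflow(CLEAN_WORKFLOW));
```

The sample reports four findings on lines 9, 11, 15 and 17 and an overall status of fail, while the clean workflow passes because the action is SHA-pinned and the PR title reaches the shell only through an environment variable.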
Project health
| Check | What It Detects |
|---|---|
| .env Consistency | .env vs .env.example — undocumented keys, missing vars, missing example file |
| Lockfile Sync | Missing lockfile vs manifest; lockfile older than manifest (mtime) |
| Node Version Consistency | Node version drift across .nvmrc, .node-version, .tool-versions, package.json engines, Dockerfile |
| README Check | Missing README, short README, missing standard sections |
| Changelog Check | Missing or non–Keep-a-Changelog CHANGELOG.md |
| CODEOWNERS Check | Missing .github/CODEOWNERS, invalid paths, no catch-all * |
TypeScript & frontend heuristics
| Check | What It Detects |
|---|---|
| TypeScript Check | Runs npx tsc --noEmit when tsconfig.json exists |
| Async/Await Misuse | async in .forEach(), .then() without .catch(), discarded Promise combinators |
| Error Handling | Swallowed exceptions (catch {}, except: pass, empty Ruby rescue) |
| React Hook Rules | Hooks missing dependency arrays (only when react is a dependency) |
| Accessibility Check | Common JSX/HTML/Vue/Svelte a11y issues (img alt, labeled controls) |
Customizing built-in thresholds:

```json
"devManager.quality.builtin.lineCount.warnLines": 300,
"devManager.quality.builtin.lineCount.failLines": 500,
"devManager.quality.builtin.functionLength.warnLines": 40,
"devManager.quality.builtin.complexity.warnScore": 10,
"devManager.quality.builtin.parameterCount.warnAt": 4,
"devManager.quality.builtin.parameterCount.failAt": 7,
"devManager.quality.builtin.magicNumbers.warnScore": 3,
"devManager.quality.builtin.magicNumbers.failScore": 5,
"devManager.quality.builtin.returnTypes.warnAt": 10,
"devManager.quality.builtin.returnTypes.failAt": 50
```

The checks in the following sections require external tools (or npx) on your machine. The extension auto-detects availability and returns skip if a tool is not installed — no errors.
Security
| Check | Tool | Install | What It Does |
|---|---|---|---|
| Semgrep | semgrep | pip install semgrep | SAST — finds security vulnerabilities, code patterns, custom rules across 30+ languages |
| Trivy | trivy | See below | CVE scanner for dependencies, Docker images, IaC, secrets |
| Gitleaks | gitleaks | See below | Scans file system for hardcoded secrets with Gitleaks rules |
| OSV-Scanner | osv-scanner | See below | Cross-language CVE scanner for dependencies (npm, pip, go.sum, Cargo.lock, etc.) |
| ESLint Security | local eslint | npm i -D eslint-plugin-security | JavaScript/TypeScript-specific security anti-patterns |
| Bandit | bandit | pip install bandit | Python-specific security issues |
| Bearer | bearer | Linux/macOS only; see below | SAST that tracks sensitive data flows (PII, secrets) |
| Brakeman | brakeman | gem install brakeman | Rails-specific security analysis (SQL injection, XSS) |
Installing Trivy:

```bash
# Windows (Winget)
winget install AquaSecurity.Trivy
# macOS
brew install trivy
# Linux
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
```
Installing Gitleaks:

```bash
# Windows (Winget)
winget install gitleaks
# macOS
brew install gitleaks
# Linux
curl -sfL https://raw.githubusercontent.com/zricethezav/gitleaks/master/install.sh | sh
```
Installing OSV-Scanner:

```bash
# Windows (Winget)
winget install osv-scanner
# macOS
brew install osv-scanner
# Linux
curl -L https://raw.githubusercontent.com/google/osv-scanner/main/scripts/install.sh | bash
```
Installing Bearer (Linux/macOS only):

```bash
# macOS
brew install bearer/tap/bearer
# Linux
curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh
```
Bearer has no native Windows binary. On Windows, install it inside WSL2 and set devManager.quality.builtin.bearer.path to the WSL path.
Code Quality CLI Tools
| Check | Tool | Install | What It Does |
|---|---|---|---|
| Copy-Paste Detection | jscpd (npx) | npm i -D jscpd | Detects copy-pasted code blocks across the project |
| Dead Code | knip (npx) | auto via npx | Finds unused exports, files, dependencies (JS/TS) |
| Circular Dependencies | dependency-cruiser (npx) | npm i -D dependency-cruiser | Detects circular import chains in JS/TS projects |
| Package Audit | npm audit / pip-audit / cargo audit / etc. | built-in to package managers | CVE scan via your language's native package manager (severity configurable with failOnHigh) |
| Outdated Dependencies | npm outdated / pip list --outdated | built-in | Shows packages with newer versions available |
| License Compliance | license-checker (npx) | auto via npx | Lists all dependency licenses; warns on GPL/AGPL/unknown |
| TypeScript Check | tsc (npx) | npm i -D typescript | npx tsc --noEmit — compiler errors without emit |
| Mutation Testing | stryker (npx) | npm i -D @stryker-mutator/core | Runs mutation tests to measure test suite effectiveness |
| YAMLlint | yamllint | pip install yamllint | YAML syntax and style for all .yml / .yaml files |
| Spectral | spectral | npm i -g @stoplight/spectral-cli | Lint OpenAPI / AsyncAPI specs (openapi*, swagger*, asyncapi*) |
| Checkov | checkov | pip install checkov | IaC security (Terraform, K8s manifests, Dockerfiles, etc.) |
| SQLFluff | sqlfluff | pip install sqlfluff | SQL file lint (optional .sqlfluff config) |
| Markdownlint | markdownlint-cli2 or markdownlint | npm i -g markdownlint-cli2 | Markdown style across `**/*.md` |
| Ruff | ruff | See below | Python linting, formatting, type checking (modern flake8/pylint replacement) |
| Mypy | mypy | pip install mypy | Static type checker for Python |
| PHPStan | phpstan | See below | Static analysis for PHP |
| RuboCop | rubocop | gem install rubocop | Ruby style and linting |
| Clippy | cargo clippy | built-in with Rust toolchain | Official Rust linter for correctness and idioms |
| Govulncheck | govulncheck | See below | Detects known vulnerabilities in Go modules |
| Kotlin Lint (ktlint) | ktlint | See below | Kotlin coding style linter |
| Detekt | detekt | See below | Static analysis for Kotlin (code smells, complexity) |
| .NET Format | dotnet format | built-in with .NET SDK | Formats C# code and runs Roslyn analyzers |
| SwiftLint | swiftlint | See below | Swift style and conventions linter |
| Dart Analyze | dart analyze | built-in with Dart SDK | Dart/Flutter static analysis based on analysis_options.yaml |
| Ansible Lint | ansible-lint | pip install ansible-lint | Lints Ansible playbooks for best practices and security |
| Helm Lint | helm lint | built-in with Helm CLI | Validates Helm charts |
Installing golangci-lint:

```bash
# macOS
brew install golangci-lint
# Windows (Winget)
winget install golangci-lint
# Go install
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
```
Installing Ruff:

```bash
# Python pip
pip install ruff
# Cargo (Rust)
cargo install ruff
```
Installing Mypy:

```bash
# Python pip
pip install mypy
```
Installing PHPStan:

```bash
# Composer
composer require --dev phpstan/phpstan
# Or install globally:
composer global require phpstan/phpstan
```
Installing ktlint:

```bash
# Homebrew
brew install ktlint
# Scoop (Windows)
scoop install ktlint
```
Installing Detekt:

```bash
# Homebrew
brew install detekt
# Manual (download JAR)
# https://github.com/detekt/detekt/releases
```
Installing SwiftLint:

```bash
# Homebrew
brew install swiftlint
```
Installing Govulncheck:
govulncheck requires Go 1.18 or later and is installed with go install golang.org/x/vuln/cmd/govulncheck@latest.
Dockerfile & Shell Linting
| Check | Tool | Install | What It Does |
|---|---|---|---|
| Hadolint | hadolint | See below | Dockerfile best-practice linter |
| ShellCheck | shellcheck | See below | Shell script static analysis |
Installing Hadolint:

```bash
# Windows (Winget)
winget install hadolint
# macOS
brew install hadolint
# Linux (writing to /usr/local/bin needs root)
sudo curl -sL https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && sudo chmod +x /usr/local/bin/hadolint
```
Installing ShellCheck:

```bash
# Windows (Winget)
winget install koalaman.shellcheck
# macOS
brew install shellcheck
# Linux (Ubuntu/Debian)
sudo apt install shellcheck
```
Quality Hub — Custom Checks from Project
Add your own quality checks using project scripts or arbitrary shell commands:

```json
"devManager.quality.customChecks": [
  { "label": "lint", "script": "lint", "type": "script" },
  { "label": "typecheck", "script": "typecheck", "type": "script" },
  { "label": "build", "script": "build", "type": "script" },
  { "label": "format", "script": "format:check", "type": "script" },
  { "label": "migrations", "script": "prisma migrate status", "type": "command" }
]
```

- "type": "script" — runs via the project's package manager (npm run <script>)
- "type": "command" — runs the script value as a raw shell command
Add/remove via UI: Sidebar → Quality Hub panel title bar → + / - buttons.
Quality Hub — Skip Directories and Files
The extension has 70+ built-in exclusions for generated files (node_modules, dist, build, __pycache__, target, vendor, .venv, .next, etc.).
devManager.quality.skipDirs: Add only project-specific directory names (not globs) that are not in the built-in list:

```json
"devManager.quality.skipDirs": [
  "generated",
  "proto-gen",
  "legacy",
  "fixtures",
  ".output",
  "storybook-static"
]
```
devManager.quality.skipFiles: Exclude specific relative file paths or suffix patterns:

```json
"devManager.quality.skipFiles": [
  "docs/src/content/config.d.ts",
  "docs/public/scalar.js",
  "*.vsix",
  "**/generated-schema.ts"
]
```
Quality Hub — Report to Chat
Send the full quality report to Cursor Chat for AI analysis:

```json
"devManager.quality.chatReport": "full",
"devManager.quality.chatPrompt": "Analyze these results and prioritize the 3 most important issues to fix."
```
Options for chatReport: "full" | "failOnly" | "summary"

Per-check limits:

```json
"devManager.quality.timeout": 30,
"devManager.quality.maxBuffer": 50
```

- timeout — maximum runtime per check in minutes (default: 30)
- maxBuffer — maximum stdout buffer per check in megabytes (default: 50)
Settings Sync
Back up and share devManager.* workspace settings using your GitHub sign-in — no extra password. On first activation, SnakeFlow silently registers the user in SnakeFlow Cloud if a GitHub session is already present in the IDE.
Features:
- Push to Cloud: Upload your project's settings to SnakeFlow Cloud.
- Pull from Cloud: Download settings from SnakeFlow Cloud.
- Push Access Control: Repository settings owners can manage which team members are allowed to push configuration changes.
Commands: Main menu → Settings Sync → Export Settings / Import Settings
Skill Generator
Create reusable Cursor Agent Skills from a template — pre-filled with your project's context.
Command: Main menu → Create Skill from Template
The generated skill file includes your server configuration, package manager, and common development patterns.
SnakeFlow Cloud API
SnakeFlow Cloud provides a REST API to programmatically manage your project settings and API keys.
API Reference: snakeflow.pages.dev/api-reference
Configuration Reference
All settings are under the devManager.* namespace. Access via Ctrl+, → search @ext:vaulttec-dev.snakeflow-dev-manager.
Project
| Setting | Default | Description |
|---|---|---|
| `devManager.project.name` | auto | Project identifier |
| `devManager.project.dir` | auto | Absolute path to project root |
| `devManager.project.packageManager` | `"auto"` | auto \| npm \| pnpm \| yarn \| bun |
| `devManager.project.servers` | `[]` | Array of dev server configurations |
| `devManager.project.composePath` | `""` | Custom Docker Compose file path |
| `devManager.project.containerActions` | auto | Custom container action menu |
Git & GitHub
| Setting | Default | Description |
|---|---|---|
| `devManager.git.defaultBranch` | `"main"` | Default branch name fallback |
| `devManager.git.protectedBranches` | `["main","master","develop","staging","production"]` | Branches requiring extra confirmation to delete |
| `devManager.github.defaultMilestone` | `""` | Default milestone for new issues |
| `devManager.prToChat.prompt` | `""` | Custom prompt when sending PR to Chat |
| `devManager.issueToChat.prompt` | `""` | Custom prompt when sending Issue to Chat |
Docker & CI
| Setting | Default | Description |
|---|---|---|
| `devManager.docker.composeCommand` | `"docker compose"` | Compose CLI to use |
| `devManager.ci.workflowsPath` | `".github/workflows"` | Path to GitHub Actions workflows |
AI (Gemini)
| Setting | Default | Description |
|---|---|---|
| `devManager.gemini.apiKey` | `""` | Google Gemini API key |
| `devManager.gemini.model` | `"gemini-2.5-flash"` | Gemini model name |
| `devManager.gemini.dictationLanguage` | `"auto"` | Language for voice dictation transcription (auto, uk, en, de, etc.) |
Quality Hub — General
| Setting | Default | Description |
|---|---|---|
| `devManager.quality.customChecks` | `[]` | Custom project-level quality checks |
| `devManager.quality.skipDirs` | `[]` | Additional directories to exclude from all checks |
| `devManager.quality.skipFiles` | `[]` | Specific files and path patterns to exclude from checks |
| `devManager.quality.timeout` | `30` | Max runtime per check (minutes) |
| `devManager.quality.maxBuffer` | `50` | Max stdout buffer per check (MB) |
| `devManager.quality.chatReport` | `"full"` | Report format sent to Chat |
| `devManager.quality.chatPrompt` | `""` | Custom prompt for Chat report |
Quality Hub — Cloud Providers (example: SonarCloud)
Each cloud provider follows this pattern:

- `devManager.quality.<provider>.enabled`: boolean
- `devManager.quality.<provider>.token`: string
- `devManager.quality.<provider>.<key>`: string (provider-specific)

Providers: sonarcloud, snyk, codecov, codeql, codacy, codeclimate, coveralls, deepsource, codeant, aikido, coderabbit, greptile, cubic, qodo, qlty, semgrepCloud
Quality Hub — Built-in Checks (example: lineCount)
Each built-in check follows this pattern:

- `devManager.quality.builtin.<check>.enabled`: boolean (default: true)
- `devManager.quality.builtin.<check>.warnAt`: number (threshold)
- `devManager.quality.builtin.<check>.failAt`: number (threshold)

Checks: lineCount, functionLength, complexity, fileSize, longLines, importDepth, directoryDepth, dependencyCount, todoCount, commentedCode, duplicateFiles, testRatio, mixedIndent, encoding, secretLeaks, debugLeaks, gitignoreCheck, magicNumbers, parameterCount, barrelFiles, couplingMetrics, crossLayerImports, componentInventory, projectStructure, heavyImports, anyCoverage, jsdocCoverage, returnTypes, reactHookRules, asyncAwaitMisuse, errorHandling, accessibilityCheck, lcovCoverage, stryker, actionsAudit, emptyTests, envConsistency, lockfileSync, nodeVersionConsistency, readmeCheck, changelogCheck, codeownersCheck, tscCheck, pkgAudit, outdatedDeps, licenseCheck, hadolint, shellcheck, golangciLint, bandit, semgrep, gitleaks, osvScanner, ruffCheck, mypyCheck, clippy, govulncheck, rubocop, brakeman, phpstan, ktlint, detekt, dotnetFormat, swiftlint, dartAnalyze, ansibleLint, helmLint, sqlfluff, markdownlint, checkov, spectral, jscpd, knip, dependencyCruiser, bearer
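A settings fragment that instantiates both patterns above (the cloud-provider keys and the built-in check keys) together with the exclusion and limit settings from earlier sections. It is an added example, not taken from the SnakeFlow documentation; the provider names and check names are the ones listed on this page, the `warnAt`/`failAt` numbers are illustrative choices rather than the extension's defaults, and the provider-specific `<key>` entries are left out because their names differ per provider.

```json
{
  // Added example, not SnakeFlow's own config. VS Code settings.json accepts // comments.
  // Cloud providers: enabled + token. Put the token entries in User settings (the User scope
  // under Ctrl+,) rather than the committed .vscode/settings.json so they never reach the repo.
  "devManager.quality.sonarcloud.enabled": true,
  "devManager.quality.sonarcloud.token": "<SONARCLOUD_TOKEN>",
  "devManager.quality.snyk.enabled": true,
  "devManager.quality.snyk.token": "<SNYK_TOKEN>",
  "devManager.quality.codecov.enabled": false,

  // Built-in checks: keep the security-relevant ones on, tune size thresholds,
  // and switch off checks that only add noise for this project.
  // warnAt/failAt values are illustrative thresholds, not SnakeFlow defaults.
  "devManager.quality.builtin.secretLeaks.enabled": true,
  "devManager.quality.builtin.pkgAudit.enabled": true,
  "devManager.quality.builtin.gitignoreCheck.enabled": true,
  "devManager.quality.builtin.lineCount.warnAt": 300,
  "devManager.quality.builtin.lineCount.failAt": 500,
  "devManager.quality.builtin.functionLength.warnAt": 40,
  "devManager.quality.builtin.functionLength.failAt": 80,
  "devManager.quality.builtin.parameterCount.warnAt": 5,
  "devManager.quality.builtin.parameterCount.failAt": 8,
  "devManager.quality.builtin.todoCount.enabled": false,
  "devManager.quality.builtin.stryker.enabled": false,

  // Exclusions and limits from the sections above: skip generated code and
  // keep a stuck scanner from holding the whole run open.
  "devManager.quality.skipDirs": ["generated", "proto-gen"],
  "devManager.quality.timeout": 15,
  "devManager.quality.maxBuffer": 50
}
```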
Keybindings
All shortcuts use the Ctrl+M chord prefix (no conflicts with Cursor IDE built-ins).
| Shortcut | Action |
|---|---|
| Ctrl+M M | Open main menu |
| Ctrl+M S | Start all servers |
| Ctrl+M Q | Stop all servers |
| Ctrl+M R | Restart all servers |
| Ctrl+M F | Run all Quality Hub checks |
| Ctrl+M N | Run npm/package script |
| Ctrl+M I | Create GitHub Issue |
Required
| Tool | Version | Purpose |
|---|---|---|
| VS Code or Cursor | ^1.85 | Host IDE |
| Node.js | >= 18 | Extension runtime |
Optional
| Tool | Install | Enables |
|---|---|---|
| gh CLI | cli.github.com → `gh auth login` | GitHub Issues, PRs, CI Actions |
| act | `winget install nektos.act` / `brew install act` | Run GitHub Actions locally |
| Docker Desktop | docker.com/products/docker-desktop | Container management, Bearer scan |
| semgrep | `pip install semgrep` | SAST security scanning |
| trivy | `winget install AquaSecurity.Trivy` / `brew install trivy` | CVE vulnerability scanning |
| gitleaks | `winget install gitleaks` / `brew install gitleaks` | Secret scanning |
| osv-scanner | `winget install osv-scanner` / `brew install osv-scanner` | Cross-language dependency CVE scanning |
| hadolint | `winget install hadolint` / `brew install hadolint` | Dockerfile linting |
| shellcheck | `winget install koalaman.shellcheck` / `apt install shellcheck` | Shell script linting |
| golangci-lint | `brew install golangci-lint` / `winget install golangci-lint` | Go linting |
| govulncheck | `go install golang.org/x/vuln/cmd/govulncheck@latest` | Go module vulnerability scanning |
| bandit | `pip install bandit` | Python security analysis |
| ruff | `pip install ruff` / `cargo install ruff` | Python linting, formatting, type checking |
| mypy | `pip install mypy` | Python static type checking |
| phpstan | `composer require --dev phpstan/phpstan` | PHP static analysis |
| rubocop | `gem install rubocop` | Ruby style and linting |
| brakeman | `gem install brakeman` | Rails security analysis |
| ktlint | `brew install ktlint` / `scoop install ktlint` | Kotlin style linter |
| detekt | `brew install detekt` | Kotlin static analysis |
| dotnet format | built-in with .NET SDK | C# formatting and Roslyn analyzers |
| swiftlint | `brew install swiftlint` | Swift style and conventions |
| dart analyze | built-in with Dart SDK | Dart/Flutter static analysis |
| ansible-lint | `pip install ansible-lint` | Ansible playbook linting |
| helm lint | built-in with Helm CLI | Helm chart validation |
| bearer | `brew install bearer/tap/bearer` (macOS/Linux only) | Sensitive data flow analysis |
| jscpd | `npm i -D jscpd` | Copy-paste detection |
| knip | `npm i -D knip` | Dead code detection (JS/TS) |
| dependency-cruiser | `npm i -D dependency-cruiser` | Circular dependency detection (JS/TS) |
| eslint-plugin-security | `npm i -D eslint-plugin-security` | JS/TS security lint rules |
| stryker | `npm i -D @stryker-mutator/core` | Mutation testing (JS/TS) |
| yamllint | `pip install yamllint` | YAML syntax and style |
| spectral | `npm i -g @stoplight/spectral-cli` | OpenAPI / AsyncAPI linting |
| checkov | `pip install checkov` | IaC security scanning |
| sqlfluff | `pip install sqlfluff` | SQL file linting |
| markdownlint-cli2 | `npm i -g markdownlint-cli2` | Markdown style |
Development
```bash
# Install dependencies
npm install

# Compile TypeScript
npm run compile

# Watch mode (recompiles on save)
npm run watch

# Lint
npm run lint

# Launch Extension Development Host (F5 in VS Code)
# Press F5 — opens a new VS Code window with the extension loaded

# Package .vsix
npx @vscode/vsce package

# Install locally
cursor --install-extension snakeflow-dev-manager-0.3.11.vsix --force
code --install-extension snakeflow-dev-manager-0.3.11.vsix --force
```
Publishing to Marketplace
```powershell
# Windows PowerShell — PAT stored in .env; <token> is a placeholder for your own PAT
$env:VSCE_PAT="<token>"; npx @vscode/vsce publish --pat $env:VSCE_PAT
```
Questions, feedback, or bug reports — feel free to reach out:
License
Proprietary — see LICENSE.
Free to install and use. Redistribution, modification, forking, and commercial resale are prohibited.
© 2026 Serhii Hifes. All rights reserved.