YAG-Suite Visual Studio Code Linter Plugin

Connect to the YAG-Suite Scan Server to provide detected vulnerabilities as warnings in Visual Studio Code.

This plugin requires an account on a YAG-Suite Scan Server. Vulnerabilities are fetched from that server (no local scan)

About the YAG-Suite

The YAG-Suite is a SAST product developped by YAGAAN. It scan the source code in order to spot some vulnerabilities (SQL Injection, XSS, Sensitive Data Exposure, etc.). The YAG-Suite use a Scan Server (SaaS or On-Premises) to centralize scans of applications without consuming developper's resources.

The Scan Server embedd YAG-Scanner for advanced vulnerability detection for Java and PHP languages. It also contains a selection of Open Source SAST tools for Java, JavaScript, TypeScript, PHP, C/C++, Python and Go languages.

Each scan use machine learning capabality of the YAG-Suite to remove the alerts that are false positives.

Configuration

Server connection

Connection to server is configured in the ~/.yagaan/scanner-configuration.json file

    {
       "username":"admin",
       "password": "**********",
       "url":"https://scan.yagaan.io"
    }

If your connection to the server go through a proxy:

    {
       "username":"admin",
       "password": "**********",
       "url":"https://scan.yagaan.io",
       "proxyUrl":"https://my.proxy.com:3128"
    }

Use 'proxyUser' and 'proxyPassword' in case of an authenticated proxy.

Project configuration

In order to fetch detected vulnerabilities, you need to provide the identifier of the scanned project. This can be done by creating file .yagaan/project.json in the root directory of scanned project.

    {
       "pid": 1
    }

Project identifier (pid) can be obtained from the url of the scanned project on the dashboard.

For example, the url https://scan.yagaan.io/#/project/12/dashboard correspond the project identifier pid=12.