Yagaan SAST

Retrieve and explain the results of a Yagaan source code security scan in order to quickly identify and fix vulnerabilities. This plugin connects to the Pradeo Scan Server to surface detected security vulnerabilities as warnings. You therefore need an account on a Pradeo Scan Server, either on-premise or as a service (https://www.pradeo.com). You then attach your workspace to a previously scanned project (scanned from a CI pipeline, for example) in order to retrieve and synchronize the detected issues with your workspace.

Quickstart

Setting up Connection and Authentication

First, ensure that you have configured the connection to the scan server in your VSCode settings. We recommend using a Personal Access Token for authentication. You can create this token on your account page of the scan server.

Attaching to a Project

Once configured, you're ready to bind the current VSCode workspace to a remotely scanned project. After attaching to the project, explore the detected vulnerabilities to identify potential security issues in your codebase.

Requirements

You need a Pradeo Scan Server, either on-premise or as a service. See https://www.pradeo.com.

Features

Vulnerabilities explanation and resolution

The extension helps developers understand the security issues found in their code. Each identified vulnerability is accompanied by an interactive diagnostic detailing the nature of the issue, its causes, and its potential exploitation flow. In addition to explaining the vulnerability, the extension provides actionable remediation guidance and, where available, examples extracted from the scanned project itself.

Risk assessment

The Risk Assessment feature focuses on prioritization by evaluating each identified vulnerability on factors such as severity, exploitability, and potential impact on your application and its users. The assessment assigns a CVSS score to each vulnerability, allowing developers to quickly identify which issues require immediate attention and which can be scheduled for future fixes.

Action plan

The Risk Assessment view lets you create a straightforward action plan that all developers with access to the project's scan can share. With a clear list of prioritized vulnerabilities to work on, the team can focus its efforts on the most critical risks, making it easier to improve the project's security while working together.

Status of a vulnerability

Each vulnerability has a status, derived from its action plan (if any) and from the current workspace state:

You can use those statuses to filter the risk assessment view:

Release Notes

1.0.0

Initial release of the extension.