v10.5.0 — one-click quick-fix lightbulb
[10.5.0] - 2026-04-21
The lightbulb release. Hover on a Caspian finding, press Ctrl+. (or click the yellow lightbulb), and get a deterministic one-click fix for the 13 most common mechanical remediations — no AI round-trip, no waiting on a consent dialog, no spend on provider tokens.
Added
- `src/codeActionFixes.ts` — pure-function fix registry. Each entry takes a minimal `DocumentView` + the issue's line/column and returns a `FixResult` (edits + title). No `vscode` import, fully unit-testable.
- `src/codeActionProvider.ts` — thin `vscode.CodeActionProvider` wrapper that converts `FixResult`s into `vscode.CodeAction` quick-fixes. Registered for every enabled language plus `dockerfile`, `yaml`, `terraform`, and glob patterns for `**/Dockerfile` / `**/*.tf` / `**/*.tfvars` / `**/*.hcl` / `**/*.yaml`.
- 13 mechanical fixes across every major rule family:
  - Kubernetes — `K8S001` flip `privileged: true` → `false`, `K8S002` remove `hostNetwork: true` line, `K8S003` remove `hostPID`/`hostIPC: true` line, `K8S004` fix `runAsUser: 0` → `runAsUser: 1000` OR `allowPrivilegeEscalation: true` → `false`.
  - Terraform — `TF002` flip `acl = "public-read"` to `"private"`, `TF004` flip `publicly_accessible = true` → `false`.
  - JWT — `JWT002` insert `{ algorithms: ['RS256'] }` as third arg to `jwt.verify(token, key)`, `JWT006` remove `ignoreExpiration: true` or flip `verify_exp=False` → `True`.
  - Python deserialisation — `DESER003` rename `yaml.unsafe_load` → `yaml.safe_load`, `DESER004` rename `yaml.load(` → `yaml.safe_load(` (skips if `SafeLoader` already specified).
  - TLS — `ENC004` flip `rejectUnauthorized: false` → `true`.
  - Dockerfile — `DOCKER008` comment out `HEALTHCHECK NONE` (recoverable; doesn't delete).
  - CORS — `CORS001` replace `origin: '*'` with `origin: false` (reject by default; user adds allow-list after).
- 21 unit tests (`src/tests/codeActionFixes.test.ts`) exercising every fix — happy path, shape-mismatch returns null, out-of-bounds tolerance, "already-safe" suppression.
Why deterministic text-only fixes
The existing `Caspian Security: Fix Issue with AI` command handles the ambiguous cases (which DOMPurify call? what's the right Zod schema?) and has a consent dialog for good reason. These 13 fixes are the cases where the right answer is unambiguous — `privileged: true` has exactly one correct remediation, and it's `privileged: false`. Showing a lightbulb cuts the friction to a single keystroke for the 80% of findings that don't need judgment.
How it shows up in VS Code
- Scan runs, diagnostic appears with the usual `[Category] RULE_CODE: message` format.
- VS Code displays a yellow lightbulb in the gutter; clicking it (or `Ctrl+.`) lists the fix with a concrete title (`Set privileged: false`, `Remove hostNetwork: true`, etc.).
- Applying triggers a `WorkspaceEdit` — instant, reversible via undo.
- The fix is marked `isPreferred`, so "Apply quick fix" / `Ctrl+.` → Enter selects it by default.
Changed
- Test suite: 989 → 1010 (+21). Rules unchanged at 295+.
- `src/extension.ts` activates the provider once via `registerCaspianCodeActionProvider(context, enabledLanguages)`.
Notes
- The provider is conservative: every fix returns null if the matched line's shape doesn't exactly fit the expected pattern. False "auto-fix" is worse than no auto-fix.
- The AI-fix path is untouched. Users still get `Caspian Security: Fix Issue with AI` for everything these mechanical fixes don't cover.
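To make the registry design under Added and the "return null rather than guess" rule in Notes concrete, here is an added example in the same spirit. It is not Caspian's `src/codeActionFixes.ts`; `DocumentView`, `LineEdit`, `FixResult`, the `Fix` signature and the regexes are assumed shapes chosen for this illustration, and it covers only a handful of the 13 rule codes.

```typescript
// Added illustration, not Caspian's own src/codeActionFixes.ts: a deterministic,
// text-only fix registry in the style the release describes. DocumentView,
// LineEdit, FixResult and the Fix signature are assumed shapes, not the extension's API.
interface DocumentView { lines: string[] }
interface LineEdit { line: number; newText: string | null } // null = delete the line
interface FixResult { title: string; edits: LineEdit[] }
type Fix = (doc: DocumentView, line: number) => FixResult | null;

// Single-line rewrite. Every guard returns null instead of guessing: a line
// out of range, text that is already safe, or a shape that doesn't match.
function rewrite(title: string, shape: RegExp, to: string, alreadySafe?: RegExp): Fix {
  return (doc, line) => {
    const text = doc.lines[line];
    if (text === undefined) return null;                    // out-of-bounds tolerance
    if (alreadySafe && alreadySafe.test(text)) return null; // "already-safe" suppression
    if (!shape.test(text)) return null;                     // shape mismatch
    return { title, edits: [{ line, newText: text.replace(shape, to) }] };
  };
}
// Whole-line removal for the hostNetwork/hostPID/hostIPC style of fix.
function removeLine(title: string, shape: RegExp): Fix {
  return (doc, line) => {
    const text = doc.lines[line];
    if (text === undefined || !shape.test(text)) return null;
    return { title, edits: [{ line, newText: null }] };
  };
}

const fixes: Record<string, Fix> = {
  K8S001: rewrite("Set privileged: false", /^(\s*privileged:\s*)true(\s*)$/, "$1false$2"),
  K8S002: removeLine("Remove hostNetwork: true", /^\s*hostNetwork:\s*true\s*$/),
  TF002: rewrite('Set acl = "private"', /^(\s*acl\s*=\s*)"public-read"(\s*)$/, '$1"private"$2'),
  DESER004: rewrite("Use yaml.safe_load", /\byaml\.load\(/, "yaml.safe_load(", /SafeLoader/),
  JWT002: rewrite("Pin JWT algorithms", /\bjwt\.verify\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)/,
    "jwt.verify($1, $2, { algorithms: ['RS256'] })", /algorithms/),
  ENC004: rewrite("Set rejectUnauthorized: true", /\brejectUnauthorized:\s*false\b/, "rejectUnauthorized: true"),
};

// Apply a fix by rule code; null means the registry declined and no lightbulb
// should be offered. Edits are applied bottom-up so line indices stay valid.
function applyFix(doc: DocumentView, line: number, rule: string): string[] | null {
  const fix = fixes[rule];
  const result = fix ? fix(doc, line) : null;
  if (!result) return null;
  const out = [...doc.lines];
  for (const e of [...result.edits].sort((a, b) => b.line - a.line)) {
    if (e.newText === null) out.splice(e.line, 1); else out[e.line] = e.newText;
  }
  return out;
}
```

Because each entry is a pure function over a `DocumentView`, the same unit test that checks the happy path can also assert the null result for a mismatched shape or an out-of-range line without touching the `vscode` module.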