FAQ
- Ensure you have a supported file open (JavaScript, TypeScript, Python, Java, C#, PHP, Go, or Rust)
- Reload the VS Code window: `Ctrl+Shift+P` > "Developer: Reload Window"
- Check the Output panel (`Ctrl+Shift+U`) and select "Caspian Security" from the dropdown for error messages
- Verify Auto Check is enabled: Settings > `caspianSecurity.autoCheck`
- Run a manual check: `Ctrl+Shift+P` > "Caspian Security: Check Current File"
- Confirm the file language is in `caspianSecurity.enabledLanguages`
- Check that the relevant category is not disabled in settings
- Check if the issue is suppressed in `.caspianignore`

- Increase the severity threshold to `error` to see only critical issues: `caspianSecurity.severity: "error"`
- Disable informational categories you don't need (e.g., Business Logic, Logging & Monitoring)
- Informational rules fire once per file to minimize noise
- Use `.caspianignore` to suppress confirmed false positives

- Ensure you've configured an AI provider: `Ctrl+Shift+P` > "Caspian Security: Configure AI Fix Provider"
- Verify your API key is valid and has sufficient credits
- Check the Output panel for error messages from the AI provider
- If the fix is incorrect, undo with `Ctrl+Z` and try again -- AI responses vary between calls
- Ensure the file is valid JSON (open it in VS Code and check for syntax errors)
- GitHub requires the repository to have GitHub Advanced Security enabled for private repos
- Public repos can upload SARIF without additional configuration
- Check that the `artifactLocation.uri` paths match your repository structure
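The two checks above (valid JSON, and `artifactLocation.uri` values that match the checkout) can be automated before the upload step. The following is an added example, not code from the extension or this wiki: it parses an exported SARIF file, walks `runs[].results[].locations[].physicalLocation.artifactLocation.uri` (the standard SARIF 2.1.0 location), and flags URIs that are absolute, escape the repository root, or point at files that do not exist under the checkout. The SARIF document, file layout and `EXAMPLE-00x` rule IDs are constructed for the demo, and `uriBaseId` is deliberately ignored (every URI is treated as relative to the repo root).

```python
"""Pre-upload sanity check for a SARIF export (constructed example, not the extension's code)."""
import json
import os
import posixpath
import tempfile


def load_sarif(text):
    """Parse SARIF text. Returns (document, None) on success or (None, error) on bad JSON."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc}"


def iter_artifact_uris(doc):
    """Yield (ruleId, artifactLocation.uri) for every result location in every run."""
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                artifact = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "uri" in artifact:
                    yield result.get("ruleId"), artifact["uri"]


def check_artifact_paths(doc, repo_root):
    """Return a list of (ruleId, uri, reason) for URIs that GitHub Code Scanning
    cannot map onto the repository. uriBaseId is ignored: each uri is treated
    as a path relative to repo_root."""
    problems = []
    for rule_id, uri in iter_artifact_uris(doc):
        # Absolute paths (POSIX, Windows drive letter, or file: URIs) come from
        # scanning outside the checkout and will not line up with the repo tree.
        if uri.startswith("file:") or posixpath.isabs(uri) or (len(uri) > 1 and uri[1] == ":"):
            problems.append((rule_id, uri, "absolute path; use a path relative to the repository root"))
            continue
        norm = posixpath.normpath(uri)
        if norm == ".." or norm.startswith("../"):
            problems.append((rule_id, uri, "path escapes the repository root"))
            continue
        if not os.path.isfile(os.path.join(repo_root, *norm.split("/"))):
            problems.append((rule_id, uri, "no such file under the repository root"))
    return problems


# Constructed SARIF document: one good location, one absolute path, one stale file.
CONSTRUCTED_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Caspian Security"}},
        "results": [
            {"ruleId": "EXAMPLE-001", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.js"}}}]},
            {"ruleId": "EXAMPLE-002", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "/home/dev/project/src/app.js"}}}]},
            {"ruleId": "EXAMPLE-003", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "lib/removed.js"}}}]},
        ],
    }],
}


def demo():
    """Build a throwaway checkout containing only src/app.js and run the check."""
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "src"))
        with open(os.path.join(repo, "src", "app.js"), "w", encoding="utf-8") as fh:
            fh.write("// constructed placeholder file\n")
        doc, err = load_sarif(json.dumps(CONSTRUCTED_SARIF))
        if err:
            raise SystemExit(err)
        return check_artifact_paths(doc, repo)


if __name__ == "__main__":
    for rule_id, uri, reason in demo():
        print(f"{rule_id}: {uri}: {reason}")
```

Run it against a real export by replacing `CONSTRUCTED_SARIF` with the parsed file and `repo` with the path of the checkout the scan was taken from; a clean run returns an empty list. If your export sets `uriBaseId` (for example `%SRCROOT%`), resolve that base first rather than treating the URI as repo-relative as this example does.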
JavaScript, TypeScript, Python, Java, C#, PHP, Go, and Rust. The extension activates automatically when you open a file in any of these languages.
133 rules across 14 security categories. 74 are code-detectable (pattern-matched) and 59 are informational (contextual reminders). See the Rule Reference for the complete list.
Yes. API keys for AI providers (Anthropic, OpenAI, Google) are stored in the OS keychain via VS Code's SecretStorage API. They never appear in settings.json or any configuration file.
Only when you explicitly click AI Fix. The extension sends the relevant function scope and issue details to your configured AI provider (Anthropic, OpenAI, or Google) to generate a fix. No code is sent during regular scanning -- all pattern matching happens locally.
- Auto Check uses a 1-second debounce, so it only runs after you stop typing
- Check on Save runs once per save
- Pattern matching is lightweight regex-based analysis -- no AST parsing
- Workspace scans show a progress bar and can be cancelled at any time
The extension itself runs inside VS Code. However, you can:
- Export results as SARIF and upload to GitHub Code Scanning
- Export as JSON or CSV for custom pipeline integrations
- Use the built-in dependency check CLI: `npm run check-updates`
The extension uses lightweight regex heuristics to classify variable sources for specific rule types (secrets and SQL queries). It only shows a confidence badge when the heuristic is confident. See Confidence Scoring for details.
Yes. The .caspianignore file is a plain text file in the workspace root. Commit it to version control and your team shares the same ignore list. See Caspianignore for the file format and workflow.
- Click Ignore on the issue and provide a reason
- If you believe the rule itself is too broad, open an issue on GitHub with the rule code, a code snippet, and why it's a false positive
Open an issue on GitHub with:
- The vulnerability or pattern you want detected
- A code example that should trigger the rule
- The language(s) it applies to
- Suggested severity (Error, Warning, Info)
- GitHub Issues -- report bugs or request features
- GitHub Repository -- source code and documentation