Caspian-Explorer edited this page Feb 7, 2026 · 1 revision

FAQ

Troubleshooting

Extension not activating

  • Ensure you have a supported file open (JavaScript, TypeScript, Python, Java, C#, PHP, Go, or Rust)
  • Reload the VS Code window: Ctrl+Shift+P > "Developer: Reload Window"
  • Check the Output panel (Ctrl+Shift+U) and select "Caspian Security" from the dropdown for error messages

No issues appearing

  • Verify Auto Check is enabled: Settings > caspianSecurity.autoCheck
  • Run a manual check: Ctrl+Shift+P > "Caspian Security: Check Current File"
  • Confirm the file language is in caspianSecurity.enabledLanguages
  • Check that the relevant category is not disabled in settings
  • Check if the issue is suppressed in .caspianignore

Too many diagnostics

  • Increase the severity threshold to error to see only critical issues: caspianSecurity.severity: "error"
  • Disable informational categories you don't need (e.g., Business Logic, Logging & Monitoring)
  • Informational rules fire once per file to minimize noise
  • Use .caspianignore to suppress confirmed false positives

AI Fix not working

  • Ensure you've configured an AI provider: Ctrl+Shift+P > "Caspian Security: Configure AI Fix Provider"
  • Verify your API key is valid and has sufficient credits
  • Check the Output panel for error messages from the AI provider
  • If the fix is incorrect, undo with Ctrl+Z and try again -- AI responses vary between calls

SARIF upload failing on GitHub

  • Ensure the file is valid JSON (open it in VS Code and check for syntax errors)
  • For private repositories, GitHub requires GitHub Advanced Security to be enabled before SARIF results can be uploaded
  • Public repos can upload SARIF without additional configuration
  • Check that the artifactLocation.uri paths match your repository structure
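A pre-flight check for the first and last bullets above, as an added example that is not part of the Caspian Security extension: it parses the exported file as JSON and compares every artifactLocation.uri in the results against a list of repository-relative paths. The SARIF document and the file list below are constructed samples; in a real pipeline the file list would come from something like `git ls-files`, and the check would run before the upload step so a broken export fails locally instead of at GitHub.

```javascript
// Added example (not part of the Caspian Security extension): sanity-check an
// exported SARIF file before uploading it to GitHub Code Scanning.
// Two checks from the troubleshooting list: (1) the file is valid JSON and
// (2) every artifactLocation.uri names a path that exists in the repository.

function normalizeUri(uri) {
  // Treat "./src/a.js", "file:///src/a.js", "src/a.js" and backslash paths as
  // the same repository-relative path so the comparison is not spuriously strict.
  return uri
    .replace(/^file:\/\/\/?/, "")
    .replace(/^\.\//, "")
    .replace(/\\/g, "/");
}

// repoFiles: repository-relative paths of every file in the repo (assumed to
// be supplied by the caller, e.g. from `git ls-files`).
function checkSarif(sarifText, repoFiles) {
  const errors = [];
  let sarif;
  try {
    sarif = JSON.parse(sarifText);
  } catch (e) {
    // A truncated or hand-edited export is the usual cause of "invalid SARIF".
    return { ok: false, errors: [`not valid JSON: ${e.message}`] };
  }

  const known = new Set(repoFiles.map(normalizeUri));
  if (!Array.isArray(sarif.runs)) {
    errors.push("missing top-level runs[] array");
  }
  for (const [r, run] of (sarif.runs || []).entries()) {
    for (const [i, result] of (run.results || []).entries()) {
      for (const loc of result.locations || []) {
        const uri = loc.physicalLocation?.artifactLocation?.uri;
        if (typeof uri !== "string") {
          errors.push(`runs[${r}].results[${i}]: location without artifactLocation.uri`);
          continue;
        }
        if (!known.has(normalizeUri(uri))) {
          errors.push(`runs[${r}].results[${i}]: ${uri} is not a file in the repository`);
        }
      }
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample: one result points at a real repo file, the other at an
// absolute path from the developer's machine that leaked into the export and
// will not match anything in the repository.
const SAMPLE_SARIF = JSON.stringify({
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "Caspian Security" } },
    results: [
      { ruleId: "EXAMPLE-RULE", level: "error",
        locations: [{ physicalLocation: { artifactLocation: { uri: "./src/db.js" } } }] },
      { ruleId: "EXAMPLE-RULE", level: "warning",
        locations: [{ physicalLocation: { artifactLocation: { uri: "/home/dev/app/src/auth.js" } } }] },
    ],
  }],
});
const SAMPLE_REPO_FILES = ["src/db.js", "src/auth.js", "package.json"];

const report = checkSarif(SAMPLE_SARIF, SAMPLE_REPO_FILES);
console.log(report.ok ? "SARIF looks uploadable" : report.errors.join("\n"));
```

The second result is flagged because its URI is absolute; re-exporting from a workspace opened at the repository root produces repository-relative paths that GitHub can map back to source lines.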

Common Questions

Which languages are supported?

JavaScript, TypeScript, Python, Java, C#, PHP, Go, and Rust. The extension activates automatically when you open a file in any of these languages.

How many rules are there?

133 rules across 14 security categories. 74 are code-detectable (pattern-matched) and 59 are informational (contextual reminders). See the Rule Reference for the complete list.

Are API keys stored securely?

Yes. API keys for AI providers (Anthropic, OpenAI, Google) are stored in the OS keychain via VS Code's SecretStorage API. They never appear in settings.json or any configuration file.

Does the extension send my code to external services?

Only when you explicitly click AI Fix. The extension sends the relevant function scope and issue details to your configured AI provider (Anthropic, OpenAI, or Google) to generate a fix. No code is sent during regular scanning -- all pattern matching happens locally.

What's the performance impact?

  • Auto Check uses a 1-second debounce, so it only runs after you stop typing
  • Check on Save runs once per save
  • Pattern matching is lightweight regex-based analysis -- no AST parsing
  • Workspace scans show a progress bar and can be cancelled at any time

Can I use this in CI/CD?

The extension itself runs inside VS Code. However, you can:

  1. Export results as SARIF and upload to GitHub Code Scanning
  2. Export as JSON or CSV for custom pipeline integrations
  3. Use the built-in dependency check CLI: npm run check-updates

How does confidence scoring work?

The extension uses lightweight regex heuristics to classify variable sources for specific rule types (secrets and SQL queries). It only shows a confidence badge when the heuristic is confident. See Confidence Scoring for details.

Can I share ignore decisions with my team?

Yes. The .caspianignore file is a plain text file in the workspace root. Commit it to version control and your team shares the same ignore list. See Caspianignore for the file format and workflow.

How do I report a false positive?

  1. Click Ignore on the issue and provide a reason
  2. If you believe the rule itself is too broad, open an issue on GitHub with the rule code, a code snippet, and why it's a false positive

How do I request a new rule?

Open an issue on GitHub with:

  • The vulnerability or pattern you want detected
  • A code example that should trigger the rule
  • The language(s) it applies to
  • Suggested severity (Error, Warning, Info)

Still Need Help?
