We've been quietly working on something we think could make dependency risk a lot harder to miss: DevGuard as a companion for VS Code, an extension that brings DevGuard's dependency-risk insights and more directly into your editor, right where you're already looking!
This discussion is both an announcement and a question. We built a proof of concept, we think it's useful, but we want to hear from you before we invest further.
⚠️ It's a proof of concept
To be upfront: this is not production-ready. It's an experiment we built to test how DevGuard can help you even more early on in your development phases. It works today, but expect rough edges, and treat it as something to try out rather than something to rely on.
That's exactly why we're writing this: we want your feedback before deciding whether to keep going.
What it does
Here's the full feature set:
- Inline features for package.json and go.mod
  - Works without signing in — inline insights use DevGuard's public package-inspection endpoint out of the box.
  - Inline risk badges — color-coded, end-of-line, per dependency, updated as you edit.
  - Rich hover cards showing:
    - ⚠ Malicious package detection — flagged against DevGuard's malicious-package feed
    - Known vulnerabilities — CVE count for the resolved version, with IDs and fixed versions
    - Release age — when the resolved version was published
    - Transitive dependencies — how many packages it pulls in, computed from package-lock.json
    - OpenSSF Scorecard — score plus the weakest checks behind it
- Transitive risk breakdown — once connected to an asset, direct vs. transitive risk shown separately (e.g. 0 vulns (3 in deps))
- Per-section summaries — each dependency block gets a rollup on its header line, e.g. Σ 2 vulns · avg age 1.4y · avg scorecard 5.8.
- Optional asset overlay — connect a personal access token to pick an organization/project/asset and see that asset's real findings overlaid on top.
- Dependency proxy setup — one command to point your project's npm registry at DevGuard's proxy, blocking malicious packages at install time.
- SBOM tooling — view the connected asset's CycloneDX SBOM as a read-only document, or generate and upload one by running devguard-scanner sca directly from the command palette.
- Git hook automation — bootstrap your local repo with a pre-commit hook for secret scanning, with a matching command to remove it again.
- Automatic SAST scanning — optionally scan files for issues on save.
- Accurate version resolution — resolves each dependency to a concrete version using package-lock.json first, then node_modules, then the package.json range, so the risk data matches what you're actually running.
- Configurable — toggle inline decorations, switch between compact and full verbosity, tune request concurrency/timeouts/cache TTL, and point at your own DevGuard backend.
- Security-conscious by design — your PAT is an ECDSA private key stored only in VS Code Secret Storage (never in settings, workspace state, or logs); requests are signed with RFC 9421 HTTP Message Signatures (ECDSA P-256) and only sent to your configured host; the extension warns before connecting to a remote backend over plain HTTP.
Full command list

| Command | Description |
|---|---|
| DevGuard: Connect (Personal Access Token) | Store and validate a PAT |
| DevGuard: Disconnect | Remove the stored token and asset selection |
| DevGuard: Select Organization / Project / Asset | Pick the asset to overlay |
| DevGuard: Refresh Dependency Insights | Clear the cache and re-fetch for visible package.json files |
| DevGuard: Set Up Dependency Proxy (.npmrc) | Route the project's npm registry through DevGuard's dependency proxy |
| DevGuard: View SBOM for Selected Asset | View the connected asset's CycloneDX SBOM as a read-only document |
| DevGuard: Generate SBOM (Run devguard-scanner SCA) | Run the devguard-scanner sca CLI, upload the SBOM, and refresh insights |
| DevGuard: Setup Pre-Commit-Hooks for git | Bootstrap your local .git folder with a secret-scanning pre-commit hook |
| DevGuard: Remove Pre-Commit-Hooks for git | Remove the hooks previously set up by DevGuard |
Note: pnpm and yarn lockfiles aren't supported for version resolution yet — those fall back to node_modules or the declared range, and the transitive count shows as unavailable.
How to install and try it

1. Download DevGuard-VS-Code-Companion.vsix from our release notes.
2. In VS Code, open the Extensions tab (Ctrl+Shift+X / Cmd+Shift+X), click ... in the top right, and choose Install from VSIX. Select the downloaded file.
3. Open a project with a package.json or go.mod. Inline badges appear automatically — no sign-in required, this is powered by DevGuard's public package-inspection endpoint.
4. (Optional) Run DevGuard: Connect (Personal Access Token) and paste your PAT. It's validated against the backend and stored in VS Code Secret Storage.
5. (Optional) Run DevGuard: Select Organization / Project / Asset (or click the status-bar item) to overlay that asset's real findings on top of the inline insights.
We want to know: is this worth continuing?
We'd like your honest take on whether our efforts paid off.
Some questions we're especially curious about:
Would you actually use this in your day-to-day workflow?
Is the inline-badge + hover-card approach the right one, or would you want the information surfaced differently?
What's missing before this would be something you'd trust and rely on?
Try it out, kick the tires, break it if you can — and let us know what you think.
Should the development of the DevGuard VS-Code Extension continue?