Skip to content

Commit 4997532

Browse files
authored
Merge pull request #1 from l3montree-dev/git-hooks-and-inline-features
Git hooks and inline features
2 parents bfa3d05 + e310580 commit 4997532

22 files changed

Lines changed: 1904 additions & 550 deletions

.github/workflows/release.yml

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
name: Build and Release VS Code Extension
2+
3+
on:
4+
push:
5+
tags:
6+
- "v*"
7+
8+
permissions:
9+
contents: write
10+
11+
jobs:
12+
build-and-release:
13+
runs-on: ubuntu-latest
14+
15+
steps:
16+
- name: Checkout code
17+
uses: actions/checkout@v4
18+
with:
19+
fetch-depth: 0
20+
persist-credentials: false
21+
22+
- name: Setup Node.js
23+
uses: actions/setup-node@v4
24+
with:
25+
node-version: 20
26+
cache: npm
27+
28+
- name: Install dependencies
29+
run: npm ci
30+
31+
- name: Install VSCE
32+
run: npm install -g @vscode/vsce
33+
34+
- name: Package extension
35+
run: vsce package
36+
37+
- name: Rename VSIX
38+
id: vsix
39+
run: |
40+
file=$(ls *.vsix | head -n1)
41+
mv "$file" DevGuard-VS-Code-Companion.vsix
42+
echo "file=DevGuard-VS-Code-Companion.vsix" >> "$GITHUB_OUTPUT"
43+
44+
- name: Create GitHub Release
45+
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
46+
with:
47+
files: ${{ steps.vsix.outputs.file }}
48+
generate_release_notes: true

README.md

Lines changed: 23 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,9 @@
44
> **Proof of Concept** This integration is not yet production-ready. It is intended for experimentation and feedback only.
55
66

7-
Inline npm dependency-risk insights in your `package.json`, powered by [DevGuard](https://devguard.org).
7+
Inline dependency risk insights for npm and go (malicious flag, known vulnerabilities, release age, transitive dependency count and OpenSSF scorecard), dependency proxy setup, Git-hooks setup and background SAST scan on-save. Powered by [DevGuard](https://devguard.org).
88

9-
While you edit `package.json`, each dependency gets a **color-coded** end-of-line badge (red = malicious / low scorecard, amber = vulnerabilities / weak scorecard / stale, green = clean) and a rich hover card showing:
9+
While you edit `package.json` and `go.mod`, each dependency gets a **color-coded** end-of-line badge (red = malicious / low scorecard, amber = vulnerabilities / weak scorecard / stale, green = clean) and a rich hover card showing:
1010

1111
- **⚠ malicious** — whether the package version is flagged in DevGuard's malicious-package feed
1212
- **known vulnerabilities** — count of CVEs affecting the resolved version (with IDs and fixed versions)
@@ -21,12 +21,20 @@ The inline insights work **without signing in** — they use DevGuard's public p
2121

2222
## Requirements
2323

24-
- A DevGuard backend. For local development this defaults to `http://localhost:8080` (configurable via `devguard.apiUrl`).
25-
- For asset selection / SBOM / asset overlays: a DevGuard **personal access token** (PAT).
24+
- Docker
25+
- A DevGuard backend
26+
- For asset selection / SBOM / asset overlays: a DevGuard **personal access token** (PAT)
2627

2728
## Getting started
2829

29-
1. Open a project with a `package.json`. Badges appear automatically (no sign-in required).
30+
### Installation
31+
32+
1. Download the `DevGuard-VS-Code-Companion.vsix` from our [release notes](https://github.com/l3montree-dev/devguard-vs-code-extension/releases).
33+
2. Open VS-Code and import the downloaded file to VS-Code under the `"Extensions-Tab"` (`Ctrl+K Ctrl+S (Windows/Linux)` or `Cmd+K Cmd+S (Mac)`) > `"..."` > `"Install from VSIX"`. Alternatively drag-and-drop the file into the extension-tab.
34+
35+
### Using the extension
36+
5
37+
1. Open a project with a `package.json` or `go.mod`. Badges appear automatically (no sign-in required).
3038
2. Run **DevGuard: Connect (Personal Access Token)** and paste your PAT. It is validated against the backend and stored in VS Code Secret Storage.
3139
3. Run **DevGuard: Select Organization / Project / Asset** (or click the status-bar item) to connect the workspace to an asset. Hovers then show that asset's open risks per package.
3240

@@ -37,10 +45,12 @@ The inline insights work **without signing in** — they use DevGuard's public p
3745
| `DevGuard: Connect (Personal Access Token)` | Store and validate a PAT. |
3846
| `DevGuard: Disconnect` | Remove the stored token and asset selection. |
3947
| `DevGuard: Select Organization / Project / Asset` | Pick the asset to overlay. |
40-
| `DevGuard: Refresh Dependency Insights` | Clear the cache and re-fetch for visible `package.json` files. |
48+
| `DevGuard: Refresh Dependency Insights` | Clear the cache and re-fetch for visible `package.json` and `go.mod` files. |
4149
| `DevGuard: Set Up Dependency Proxy (.npmrc)` | Point the project's npm registry at DevGuard's dependency proxy, which blocks malicious packages at install time. |
4250
| `DevGuard: View SBOM for Selected Asset` | Open the connected asset's CycloneDX SBOM as a read-only document. |
4351
| `DevGuard: Generate SBOM (Run devguard-scanner SCA)` | Run the `devguard-scanner sca` CLI on the project to generate and upload an SBOM to the selected asset, then refresh insights. |
52+
| `DevGuard: Setup Pre-Git-Commit-Hooks` | Bootstraps your locale `.git` folder with a pre-commit-hook for secret-scanning |
53+
| `DevGuard: Removes Pre-Git-Commit-Hooks that were previously setup by DevGuard` | Removes the pre-commit-hooks that were previously set up using the `devguard.setupGitHooks` command |
4454

4555
## Settings
4656

@@ -53,6 +63,7 @@ The inline insights work **without signing in** — they use DevGuard's public p
5363
| `devguard.request.timeoutMs` | `8000` | Per-request timeout. |
5464
| `devguard.cache.ttlMinutes` | `720` | How long package results are cached. |
5565
| `devguard.scannerPath` | `devguard-scanner` | Path to the `devguard-scanner` CLI used by "Generate SBOM". |
66+
| `devguard.sast.enabled` | `true` | Enables automatic sast-scans for file on save |
5667

5768
## How the version is resolved
5869

@@ -67,4 +78,9 @@ For accurate per-version data, the extension resolves each dependency to a concr
6778

6879
## Privacy
6980

70-
Package names and versions from your `package.json` are sent to the configured DevGuard backend to look up risk data. With a local backend (`localhost:8080`) this stays on your machine.
81+
Package names and versions from your `package.json` and `go.mod` are sent to the configured DevGuard backend to look up risk data. With a local backend (`localhost:8080`) this stays on your machine.
82+
83+
84+
## Let us know what you think
85+
86+
If you have question, comments or feedback, you can join our [discussion on GitHub](https://github.com/l3montree-dev/devguard/discussions/2207).

package-lock.json

Lines changed: 5 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 18 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
{
22
"name": "devguard",
33
"displayName": "DevGuard",
4-
"description": "Inline npm dependency risk insights (malicious flag, known vulnerabilities, release age, transitive dependency count and OpenSSF scorecard) powered by DevGuard.",
5-
"version": "0.0.1",
4+
"description": "Inline dependency risk insights for npm and go (malicious flag, known vulnerabilities, release age, transitive dependency count and OpenSSF scorecard), dependency proxy setup, Git-hooks setup and background SAST scan on-save. Powered by DevGuard.",
5+
"version": "0.1.1",
66
"publisher": "l3montree",
77
"engines": {
88
"vscode": "^1.120.0"
@@ -23,7 +23,8 @@
2323
"activationEvents": [
2424
"onLanguage:json",
2525
"onLanguage:jsonc",
26-
"workspaceContains:**/package.json"
26+
"workspaceContains:**/package.json",
27+
"workspaceContains:**/go.mod"
2728
],
2829
"main": "./out/extension.js",
2930
"contributes": {
@@ -56,14 +57,22 @@
5657
{
5758
"command": "devguard.generateSbom",
5859
"title": "DevGuard: Generate SBOM (Run devguard-scanner SCA)"
60+
},
61+
{
62+
"command": "devguard.setupGitHooks",
63+
"title": "DevGuard: Setup Pre-Commit-Hooks for git"
64+
},
65+
{
66+
"command": "devguard.removeGitHooks",
67+
"title": "DevGuard: Removes Pre-Commit-Hooks for git that were previously setup by DevGuard"
5968
}
6069
],
6170
"configuration": {
6271
"title": "DevGuard",
6372
"properties": {
6473
"devguard.apiUrl": {
6574
"type": "string",
66-
"default": "http://localhost:8080",
75+
"default": "http://api.main.devguard.org",
6776
"markdownDescription": "Base URL of the DevGuard backend. Only requests to this host are signed with your personal access token."
6877
},
6978
"devguard.inlineDecorations.enabled": {
@@ -107,6 +116,11 @@
107116
"type": "string",
108117
"default": "devguard-scanner",
109118
"description": "Path to the devguard-scanner CLI used by 'Generate SBOM'. Must be on PATH or an absolute path."
119+
},
120+
"devguard.sast.enabled": {
121+
"type": "boolean",
122+
"default": true,
123+
"description": "Enable SAST and IaC scanning."
110124
}
111125
}
112126
},

src/api/types.ts

Lines changed: 13 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -115,10 +115,12 @@ export interface DependencyVulnFlat {
115115
// --- View model the UI consumes ---
116116

117117
export type DepType =
118-
| 'dependencies'
119-
| 'devDependencies'
120-
| 'optionalDependencies'
121-
| 'peerDependencies';
118+
| 'dependencies'
119+
| 'devDependencies'
120+
| 'optionalDependencies'
121+
| 'peerDependencies'
122+
| 'goDirectDependency'
123+
| 'goIndirectDependency';
122124

123125
export type VersionSource = 'lockfile' | 'node_modules' | 'range';
124126

@@ -163,3 +165,10 @@ export function toNpmPurl(name: string, version: string): string {
163165
export function encodePurlForPath(purl: string): string {
164166
return encodeURIComponent(purl);
165167
}
168+
169+
// Add this alongside toNpmPurl in api/types.ts:
170+
// pkg:golang/github.com/gin-gonic/gin@v1.9.1
171+
export function toGolangPurl(modulePath: string, version: string): string {
172+
return `pkg:golang/${modulePath}@${version}`;
173+
}
174+

0 commit comments

Comments
 (0)