You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+23-7Lines changed: 23 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,9 +4,9 @@
4
4
> **Proof of Concept** This integration is not yet production-ready. It is intended for experimentation and feedback only.
5
5
6
6
7
-
Inline npm dependency-risk insights in your `package.json`, powered by [DevGuard](https://devguard.org).
7
+
Inline dependency risk insights for npm and go (malicious flag, known vulnerabilities, release age, transitive dependency count and OpenSSF scorecard), dependency proxy setup, Git-hooks setup and background SAST scan on-save. Powered by [DevGuard](https://devguard.org).
8
8
9
-
While you edit `package.json`, each dependency gets a **color-coded** end-of-line badge (red = malicious / low scorecard, amber = vulnerabilities / weak scorecard / stale, green = clean) and a rich hover card showing:
9
+
While you edit `package.json` and `go.mod`, each dependency gets a **color-coded** end-of-line badge (red = malicious / low scorecard, amber = vulnerabilities / weak scorecard / stale, green = clean) and a rich hover card showing:
10
10
11
11
-**⚠ malicious** — whether the package version is flagged in DevGuard's malicious-package feed
12
12
-**known vulnerabilities** — count of CVEs affecting the resolved version (with IDs and fixed versions)
@@ -21,12 +21,20 @@ The inline insights work **without signing in** — they use DevGuard's public p
21
21
22
22
## Requirements
23
23
24
-
- A DevGuard backend. For local development this defaults to `http://localhost:8080` (configurable via `devguard.apiUrl`).
25
-
- For asset selection / SBOM / asset overlays: a DevGuard **personal access token** (PAT).
24
+
- Docker
25
+
- A DevGuard backend
26
+
- For asset selection / SBOM / asset overlays: a DevGuard **personal access token** (PAT)
26
27
27
28
## Getting started
28
29
29
-
1. Open a project with a `package.json`. Badges appear automatically (no sign-in required).
30
+
### Installation
31
+
32
+
1. Download the `DevGuard-VS-Code-Companion.vsix` from our [release notes](https://github.com/l3montree-dev/devguard-vs-code-extension/releases).
33
+
2. Open VS-Code and import the downloaded file to VS-Code under the `"Extensions-Tab"` (`Ctrl+K Ctrl+S (Windows/Linux)` or `Cmd+K Cmd+S (Mac)`) > `"..."` > `"Install from VSIX"`. Alternatively drag-and-drop the file into the extension-tab.
34
+
35
+
### Using the extension
36
+
5
37
+
1. Open a project with a `package.json` or `go.mod`. Badges appear automatically (no sign-in required).
30
38
2. Run **DevGuard: Connect (Personal Access Token)** and paste your PAT. It is validated against the backend and stored in VS Code Secret Storage.
31
39
3. Run **DevGuard: Select Organization / Project / Asset** (or click the status-bar item) to connect the workspace to an asset. Hovers then show that asset's open risks per package.
32
40
@@ -37,10 +45,12 @@ The inline insights work **without signing in** — they use DevGuard's public p
37
45
|`DevGuard: Connect (Personal Access Token)`| Store and validate a PAT. |
38
46
|`DevGuard: Disconnect`| Remove the stored token and asset selection. |
39
47
|`DevGuard: Select Organization / Project / Asset`| Pick the asset to overlay. |
40
-
|`DevGuard: Refresh Dependency Insights`| Clear the cache and re-fetch for visible `package.json` files. |
48
+
|`DevGuard: Refresh Dependency Insights`| Clear the cache and re-fetch for visible `package.json`and `go.mod`files. |
41
49
|`DevGuard: Set Up Dependency Proxy (.npmrc)`| Point the project's npm registry at DevGuard's dependency proxy, which blocks malicious packages at install time. |
42
50
|`DevGuard: View SBOM for Selected Asset`| Open the connected asset's CycloneDX SBOM as a read-only document. |
43
51
|`DevGuard: Generate SBOM (Run devguard-scanner SCA)`| Run the `devguard-scanner sca` CLI on the project to generate and upload an SBOM to the selected asset, then refresh insights. |
52
+
|`DevGuard: Setup Pre-Git-Commit-Hooks`| Bootstraps your locale `.git` folder with a pre-commit-hook for secret-scanning |
53
+
|`DevGuard: Removes Pre-Git-Commit-Hooks that were previously setup by DevGuard`| Removes the pre-commit-hooks that were previously set up using the `devguard.setupGitHooks` command |
44
54
45
55
## Settings
46
56
@@ -53,6 +63,7 @@ The inline insights work **without signing in** — they use DevGuard's public p
|`devguard.cache.ttlMinutes`|`720`| How long package results are cached. |
55
65
|`devguard.scannerPath`|`devguard-scanner`| Path to the `devguard-scanner` CLI used by "Generate SBOM". |
66
+
|`devguard.sast.enabled`|`true`| Enables automatic sast-scans for file on save |
56
67
57
68
## How the version is resolved
58
69
@@ -67,4 +78,9 @@ For accurate per-version data, the extension resolves each dependency to a concr
67
78
68
79
## Privacy
69
80
70
-
Package names and versions from your `package.json` are sent to the configured DevGuard backend to look up risk data. With a local backend (`localhost:8080`) this stays on your machine.
81
+
Package names and versions from your `package.json` and `go.mod` are sent to the configured DevGuard backend to look up risk data. With a local backend (`localhost:8080`) this stays on your machine.
82
+
83
+
84
+
## Let us know what you think
85
+
86
+
If you have question, comments or feedback, you can join our [discussion on GitHub](https://github.com/l3montree-dev/devguard/discussions/2207).
Copy file name to clipboardExpand all lines: package.json
+18-4Lines changed: 18 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -1,8 +1,8 @@
1
1
{
2
2
"name": "devguard",
3
3
"displayName": "DevGuard",
4
-
"description": "Inline npm dependency risk insights (malicious flag, known vulnerabilities, release age, transitive dependency count and OpenSSF scorecard) powered by DevGuard.",
5
-
"version": "0.0.1",
4
+
"description": "Inline dependency risk insights for npm and go (malicious flag, known vulnerabilities, release age, transitive dependency count and OpenSSF scorecard), dependency proxy setup, Git-hooks setup and background SAST scan on-save. Powered by DevGuard.",
0 commit comments