Brahadeesh V

May 19, 2026 • 1 min read

Building ContractGuard - Bringing practical security analysis directly into VS Code

I’ve been working on ContractGuard, a local-first VS Code extension designed to make security and reliability analysis part of the normal development workflow instead of something deferred to CI pipelines or external platforms.

A lot of existing tooling is either narrowly focused, heavily cloud-dependent, or fragmented across multiple utilities. ContractGuard is an attempt to unify several common security and reliability checks into a single workflow that runs directly inside the editor.

The extension currently analyzes:

  • hardcoded secrets and tokens

  • dependency vulnerabilities

  • risky SQL query patterns

  • regex ReDoS risks

  • insecure configurations

  • Dockerfile issues

  • JSON schema drift

  • PII exposure patterns

One of the biggest priorities recently has been improving usability and workflow integration, not just adding more checks.

Recent updates include:

  • inline diagnostics inside VS Code

  • a dedicated findings explorer

  • workspace-wide security scoring

  • SARIF and JSON export support

  • configurable analyzers and severity filters

  • quick actions for noisy rules

  • improved dependency discovery

  • scan-on-save improvements

  • analyzer timeout handling and resilient scan execution

The extension runs analysis locally and is designed to provide fast feedback before risky files make their way into CI, production, or public repositories.

Still early, but the direction is becoming much clearer with each iteration. I’d genuinely appreciate feedback from developers working on AppSec tooling, developer infrastructure, or local-first workflows.

Feel free to take a look and review.
