83
ContractGuard is a VS Code extension for finding security and reliability issues in code, configuration files, queries, Dockerfiles, and dependency files directly inside the editor. It focuses on practical analysis during development without requiring external services or separate scanning workflows.
The extension supports scanning both the current file and the full workspace. Findings are shown as inline diagnostics in the editor and inside a dedicated explorer view so issues can be reviewed and navigated efficiently. ContractGuard also preserves existing workspace findings during incremental rescans of saved files to avoid losing previous results.
ContractGuard checks for a wide range of problems across source code and project configuration files, including JSON schema drift, SQL query risks, regex patterns that may lead to ReDoS issues, hardcoded secrets, PII exposure, insecure configuration settings, Dockerfile security problems, and dependency vulnerabilities in Python and Node.js projects.
The extension includes SARIF and JSON export support for external tooling and CI workflows. It also provides scan details and runtime information through the VS Code output channel along with an overall security score shown in the status bar.
Scan the current file
Scan the full workspace
Show findings in a dedicated explorer view
Publish inline diagnostics in the editor
Export findings as SARIF
Export findings as JSON
Disable selected rules from diagnostics or findings
Preserve workspace findings during incremental rescans
Show scan and runtime details in the output channel
Display an overall security score in the status bar
Filter low confidence fixture, documentation, and test findings by default
Continue scans even if one analyzer encounters a runtime issue
JSON schema drift including type mismatches, nullable inconsistencies, and optional field differences
SQL query risks such as unsafe patterns and destructive queries without safeguards
Regex complexity and potential ReDoS risks
Hardcoded secrets including API keys, tokens, private keys, database URLs, and JWTs
PII exposure including emails, phone numbers, credit card patterns, SSNs, and dates of birth
Insecure configuration such as debug enabled deployments, weak defaults, open CORS policies, and disabled TLS
Dockerfile issues including root execution, floating image tags, embedded secrets, and SSH exposure
Dependency vulnerabilities in Python and Node.js dependency files
ContractGuard: Scan Workspace
ContractGuard: Scan Current File
ContractGuard: Export SARIF
ContractGuard: Export Findings JSON
ContractGuard: Clear Findings
ContractGuard: Install Python Runtime Dependencies
ContractGuard: Show Output
contractguard.pythonPath
contractguard.scanOnSave
contractguard.scanDebounceMs
contractguard.scanOnSaveScope
contractguard.scanTimeoutMs
contractguard.enabledAnalyzers
contractguard.disabledRules
contractguard.minimumSeverity
contractguard.minimumConfidence
contractguard.includeFixtures
contractguard.rulesDirectory
contractguard.sqlExplainDatabase
Analysis runs locally
Default minimum confidence is set to medium
Use low confidence mode for broader audit style scans
Fixture, documentation, and test findings can be included through settings
SARIF export can be used with CI and external security tooling
Built with