Vulnera is a high-performance, multi-ecosystem vulnerability analysis extension for Visual Studio Code. It provides real-time security diagnostics and automated remediation for your dependency manifests using the Vulnera Language Server.
- Real-time Scanning: Instant diagnostics as you open or edit manifest files.
- Deep Integration: Powered by Tree-sitter for precise, context-aware analysis of complex dependency files.
- Smart Quick-Fixes: One-click remediation to upgrade vulnerable dependencies to safe versions.
- Multi-Ecosystem Support:
  - Rust: `Cargo.toml`, `Cargo.lock`
  - Python: `requirements.txt`, `Pipfile`, `pyproject.toml`
  - Node.js: `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
  - Go: `go.mod`, `go.sum`
  - Java: `pom.xml`, `build.gradle`, `build.gradle.kts`
  - PHP: `composer.json`, `composer.lock`
  - Ruby: `Gemfile`, `Gemfile.lock`
  - .NET: `*.csproj`, `*.sln`, `packages.config`
- Health Checks: Built-in commands to verify API connectivity and server status.
- Install the Extension: Search for "Vulnera" in the VS Code Marketplace.
- API Configuration: By default, the extension uses the public Vulnera API. For higher limits, add your API key in settings.
- Open a Manifest: Open any supported file (like `package.json` or `Cargo.toml`). Diagnostics will appear automatically in the "Problems" tab and inline in your editor.
Access these commands via the Command Palette (Ctrl+Shift+P / Cmd+Shift+P):
- Vulnera: Analyze Workspace Dependencies: Manually trigger a full scan of all supported files in your workspace.
- Vulnera: Check API Health: Verify the connection to the Vulnera backend.
- Vulnera: Update Language Server Binary: Ensure you are running the latest version of the analysis engine.
Customize the extension behavior in Settings -> Extensions -> Vulnera:
| Setting | Default | Description |
|---|---|---|
| `vulnera.apiBaseUrl` | `https://api.vulnera.studio` | Base URL for the Vulnera API service. |
| `vulnera.apiKey` | `""` | Your Vulnera API key (increases rate limits). |
| `vulnera.analyzeOnOpen` | `true` | Analyze files immediately upon opening. |
| `vulnera.analyzeOnSave` | `false` | Trigger analysis when a file is saved. |
| `vulnera.severityMin` | `High` | Minimum severity level to report (`Low`, `Medium`, `High`, `Critical`). |
| `vulnera.includeLockfiles` | `true` | Whether to scan lockfiles during workspace analysis. |
| `vulnera.clientLogLevel` | `info` | Logging verbosity for the extension output channel. |
Vulnera utilizes a hybrid analysis model:
- Local Parsing: Uses Tree-sitter to build an AST of your manifest files.
- Cloud Analysis: Metadata is sent to the Vulnera Orchestrator for cross-referencing against global vulnerability databases (CVEs, GHSA, etc.).
- Secure Sandbox: Analysis is performed in a Landlock/Seccomp isolated environment to ensure maximum privacy and security.
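The three bullets above describe a split between what is parsed locally and what is sent away for lookup, and the `vulnera.severityMin` entry in the settings table describes a filter applied to the results. The script below is an added illustration of that flow and is not Vulnera's own code: it stands in plain `json`/regex parsing for Tree-sitter, reduces two constructed manifests to package coordinates only, replaces the Vulnera backend with a constructed in-memory advisory table (placeholder IDs, not real CVEs), and applies the `Low < Medium < High < Critical` ordering the setting lists. Every name, manifest and advisory in it is assumed for illustration.

```python
"""Added illustration of the README's hybrid analysis flow (not Vulnera's code):
local parsing -> package metadata only -> advisory lookup -> severityMin filter.
Assumptions: Tree-sitter is replaced by json/regex parsing; the metadata
sent for lookup is just (ecosystem, package, version); the advisory table
and its IDs are constructed stand-ins for the Vulnera backend."""
import json
import re

# Ordering the README gives for vulnera.severityMin.
SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed sample manifests (not real project files).
REQUIREMENTS_TXT = """\
# pinned and unpinned requirements
requests==2.19.0
flask>=2.0  # range spec: exact version unknown without a lockfile
urllib3==1.24.1
"""
PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"lodash": "4.17.15", "express": "^4.18.2"},
})

# Constructed advisory table standing in for the backend lookup.
# Keys are (ecosystem, package, version); IDs are placeholders, not real CVEs.
ADVISORIES = {
    ("PyPI", "requests", "2.19.0"): [("EXAMPLE-0001", "Medium", "2.20.0")],
    ("PyPI", "urllib3", "1.24.1"): [("EXAMPLE-0002", "High", "1.24.2")],
    ("npm", "lodash", "4.17.15"): [("EXAMPLE-0003", "Critical", "4.17.21")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)$")
EXACT_RE = re.compile(r"v?\d+(\.\d+)*")


def parse_requirements(text):
    """Local step: extract (ecosystem, name, version) for pinned '==' lines only."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = PIN_RE.match(line) if line else None
        if m:
            deps.append(("PyPI", m.group(1).lower(), m.group(2)))
    return deps


def parse_package_json(text):
    """Local step: keep only exact versions; ^/~ ranges need a lockfile to resolve."""
    data = json.loads(text)
    deps = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if EXACT_RE.fullmatch(spec):
                deps.append(("npm", name, spec.lstrip("v")))
    return deps


def lookup(metadata):
    """Remote step stand-in: only the package coordinates are consulted."""
    findings = []
    for key in metadata:
        for adv_id, severity, fixed_in in ADVISORIES.get(key, []):
            findings.append({
                "ecosystem": key[0], "package": key[1], "version": key[2],
                "id": adv_id, "severity": severity, "fixed_in": fixed_in,
            })
    return findings


def filter_by_min_severity(findings, severity_min="High"):
    """Apply vulnera.severityMin semantics: report findings at or above the threshold."""
    threshold = SEVERITY_ORDER[severity_min]
    return [f for f in findings if SEVERITY_ORDER[f["severity"]] >= threshold]


PARSERS = {"requirements.txt": parse_requirements, "package.json": parse_package_json}


def analyze(manifests, severity_min="High"):
    """Full flow over a {filename: contents} mapping; unknown files are ignored."""
    metadata = []
    for filename, text in manifests.items():
        parser = PARSERS.get(filename)
        if parser:
            metadata.extend(parser(text))
    return filter_by_min_severity(lookup(metadata), severity_min)


if __name__ == "__main__":
    manifests = {"requirements.txt": REQUIREMENTS_TXT, "package.json": PACKAGE_JSON}
    for level in ("High", "Low"):
        print(f"severityMin={level}:")
        for f in analyze(manifests, level):
            print(f"  {f['severity']:<8} {f['package']}@{f['version']} "
                  f"({f['id']}) -> upgrade to {f['fixed_in']}")
```

With the documented default of `High`, the Medium-severity finding is never shown; lowering the threshold to `Medium` or `Low` surfaces it, which is the trade-off the setting controls. Unpinned specs (`flask>=2.0`, `^4.18.2`) are skipped because the manifest alone does not determine an installed version; that is why lockfile scanning (`vulnera.includeLockfiles`) matters for a complete picture.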
- VS Code: v1.103.0 or higher.
- Node.js: v18.0.0 or higher (required for the Language Server).
This extension contributes the following settings:
- `vulnera.apiBaseUrl`: Specifies the API endpoint.
- `vulnera.apiKey`: Authentication for the service.
- `vulnera.severityMin`: Filter out low-priority alerts.
- Analysis of extremely large monorepos may take several seconds on the first run while the cache is populated.
- Some proprietary package registries may require additional configuration if they are not reachable by the Vulnera backend.
We welcome contributions! Please see our Contributing Guide for more information.
Developed with ❤️ by the Vulnera Team.