feat(llm-security): add /security ide-scan — VS Code / JetBrains extension prescan (v6.3.0)

New standalone scanner (prefix IDE) discovers installed VS Code extensions across forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH) and runs 7 IDE-specific threat checks: blocklist match (CRITICAL), theme-with-code, sideload (unsigned .vsix), dangerous uninstall hook (HIGH), wildcard activation, extension-pack expansion, typosquat (MEDIUM). Per-extension reuse of UNI/ENT/NET/TNT/MEM/SCR scanners with bounded concurrency. Offline-first; --online opt-in. JetBrains discovery stubbed for v1.1. 22 new tests (1296 total, was 1274). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 16:23:35 +02:00 · 2026-04-17 16:23:35 +02:00 · 6252e55700
commit 6252e55700
parent 7bcf5fae9d
33 changed files with 1849 additions and 20 deletions
--- a/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/extensions.json
+++ b/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/extensions.json
@ -0,0 +1,32 @@
+[
+  {
+    "identifier": { "id": "publisher.benign-ext" },
+    "version": "1.0.0",
+    "location": { "$mid": 1, "fsPath": "publisher.benign-ext-1.0.0", "path": "/publisher.benign-ext-1.0.0", "scheme": "file" },
+    "relativeLocation": "publisher.benign-ext-1.0.0",
+    "metadata": {
+      "installedTimestamp": 1700000000000,
+      "source": "gallery",
+      "id": "benign-ext",
+      "publisherId": "publisher",
+      "publisherDisplayName": "Publisher",
+      "isBuiltin": false,
+      "isApplicationScoped": false
+    }
+  },
+  {
+    "identifier": { "id": "theme.goodtheme" },
+    "version": "1.0.0",
+    "location": { "$mid": 1, "fsPath": "theme.goodtheme-1.0.0", "path": "/theme.goodtheme-1.0.0", "scheme": "file" },
+    "relativeLocation": "theme.goodtheme-1.0.0",
+    "metadata": {
+      "installedTimestamp": 1700000000000,
+      "source": "gallery",
+      "id": "goodtheme",
+      "publisherId": "theme",
+      "publisherDisplayName": "Theme",
+      "isBuiltin": false,
+      "isApplicationScoped": false
+    }
+  }
+]
--- a/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/publisher.benign-ext-1.0.0/extension.js
+++ b/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/publisher.benign-ext-1.0.0/extension.js
@ -0,0 +1,6 @@
+// benign-ext entry point
+function activate(context) {
+  console.log('benign-ext activated');
+}
+function deactivate() {}
+module.exports = { activate, deactivate };
--- a/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/publisher.benign-ext-1.0.0/package.json
+++ b/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/publisher.benign-ext-1.0.0/package.json
@ -0,0 +1,14 @@
+{
+  "publisher": "publisher",
+  "name": "benign-ext",
+  "version": "1.0.0",
+  "displayName": "Benign Extension",
+  "description": "A normal extension with no issues",
+  "engines": { "vscode": "^1.80.0" },
+  "main": "./extension.js",
+  "activationEvents": ["onCommand:benign.hello"],
+  "contributes": {
+    "commands": [{ "command": "benign.hello", "title": "Say Hello" }]
+  },
+  "categories": ["Other"]
+}
--- a/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/theme.goodtheme-1.0.0/package.json
+++ b/plugins/llm-security/tests/fixtures/ide-extensions/root-benign/theme.goodtheme-1.0.0/package.json
@ -0,0 +1,14 @@
+{
+  "publisher": "theme",
+  "name": "goodtheme",
+  "version": "1.0.0",
+  "displayName": "Good Theme",
+  "description": "A pure theme with no runtime code",
+  "engines": { "vscode": "^1.80.0" },
+  "categories": ["Themes"],
+  "contributes": {
+    "themes": [
+      { "label": "Good Dark", "uiTheme": "vs-dark", "path": "./themes/good-dark.json" }
+    ]
+  }
+}