diff --git a/plugins/llm-security/commands/ide-scan.md b/plugins/llm-security/commands/ide-scan.md index fa2ff43..6187ddd 100644 --- a/plugins/llm-security/commands/ide-scan.md +++ b/plugins/llm-security/commands/ide-scan.md @@ -1,13 +1,16 @@ --- name: security:ide-scan -description: Scan installed VS Code / IntelliJ extensions for supply-chain risk, typosquats, obfuscation, and malicious patterns +description: Scan installed VS Code + JetBrains (IntelliJ IDEA, PyCharm, GoLand, WebStorm, Android Studio, …) extensions/plugins for supply-chain risk, typosquats, obfuscation, and malicious patterns. Accepts Marketplace / OpenVSX / direct VSIX URLs and JetBrains Marketplace URLs. allowed-tools: Read, Glob, Grep, Bash model: sonnet --- # /security ide-scan -Scan installed IDE extensions (VS Code + forks like Cursor/Windsurf/VSCodium/code-server; JetBrains is v1.1 stub). +Scan installed IDE extensions. Both families covered: + +- **VS Code + forks** — Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH. +- **JetBrains plugins** — discovery from installed plugin dirs, URL fetch from JetBrains Marketplace. IntelliJ IDEA, PyCharm, GoLand, WebStorm, RubyMine, PhpStorm, CLion, DataGrip, RustRover, Rider, Aqua, Writerside, Android Studio. Fleet and Toolbox are excluded (different plugin model). Runs the IDE scanner plus reused scanners (UNI, ENT, NET, TNT, MEM, SCR) per extension. Offline by default. 
@@ -26,7 +29,9 @@ Arguments (pass through as provided by the user): - `https://marketplace.visualstudio.com/items?itemName=.` → fetch from VS Code Marketplace - `https://open-vsx.org/extension//[/]` → fetch from OpenVSX - `https://example.com/path/foo.vsix` → direct VSIX download (HTTPS only) - - GitHub repo URLs are NOT supported in v6.4.0 (would require build step) + - `https://plugins.jetbrains.com/plugin/7973-intellivue` → JetBrains Marketplace (numericId resolved to xmlId via metadata, then downloaded) + - `https://plugins.jetbrains.com/plugin/download?pluginId=com.example.plugin[&version=1.2.3]` → direct JetBrains plugin download + - GitHub repo URLs are NOT supported (would require build step) - `--vscode-only` / `--intellij-only` — restrict discovery - `--include-builtin` — include Microsoft builtin extensions (default: excluded) - `--online` — enable Marketplace/OSV.dev lookups (opt-in; default: fully offline) @@ -97,5 +102,5 @@ If the user has many sideloaded (`source=vsix`) extensions: suggest re-installin ## Notes - First run with no `--online` is fully offline. -- JetBrains discovery is deferred to v1.1 (see `knowledge/ide-extension-threat-patterns.md`). - Pass a single extracted extension directory to scan just one extension. +- JetBrains plugins are additionally checked for `Premain-Class` javaagents, `application-components` lifecycle hooks, native binaries (`.so`/`.dylib`/`.dll`/`.jnilib`), long `` chains, typosquats vs top JetBrains plugins, and shaded-jar advisories (see `knowledge/ide-extension-threat-patterns.md`).
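Review bot: The new "VS Code + forks" bullet in the first hunk lists "Insiders" and "Remote-SSH" alongside Cursor/Windsurf/VSCodium/code-server, but Insiders is a build channel of VS Code itself and Remote-SSH is an extension/remote mode, not a fork; a reader will expect each entry to have its own extensions directory. Suggest renaming the bullet to something like "VS Code, its build channels and forks" and stating for Remote-SSH which side (local or remote host `~/.vscode-server`) the discovery actually walks, since that decides which extensions get scanned.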
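Review bot: The two JetBrains URL forms added in the second hunk should state the same constraints the existing VSIX line does. The direct VSIX entry says "(HTTPS only)", but `https://plugins.jetbrains.com/plugin/download?pluginId=...` carries no such note, and the `plugin/7973-intellivue` form says the numeric id is "resolved to xmlId via metadata", which is a network round-trip that appears to contradict "Offline by default" / `--online` being opt-in. Suggest adding "(HTTPS only)" to both JetBrains lines and a sentence saying whether passing any URL implies `--online` for the fetch itself or only for the later Marketplace/OSV.dev lookups; the `--intellij-only` flag name, still in unchanged context, now covers every JetBrains IDE listed in the first hunk, so a `--jetbrains-only` alias would be worth mentioning in the same list.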
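Review bot: The added Notes bullet in the third hunk has an empty inline code span in "long `` chains", so the element whose chains are being checked is missing from the rendered doc; restore the intended name inside the backticks. The same bullet says typosquats are checked "vs top JetBrains plugins" without saying where that reference list lives or how it is refreshed, whereas the removed line at least pointed at `knowledge/ide-extension-threat-patterns.md` for the deferred design; suggest naming the bundled list file (or stating that it ships with the plugin and is offline) so a user knows the check does not silently require `--online`.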