New standalone scanner (prefix IDE) discovers installed VS Code extensions across forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH) and runs 7 IDE-specific threat checks: blocklist match (CRITICAL), theme-with-code, sideload (unsigned .vsix), dangerous uninstall hook (HIGH), wildcard activation, extension-pack expansion, typosquat (MEDIUM). Per-extension reuse of UNI/ENT/NET/TNT/MEM/SCR scanners with bounded concurrency. Offline-first; --online opt-in. JetBrains discovery stubbed for v1.1. 22 new tests (1296 total, was 1274). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
3.5 KiB
| name | description | allowed-tools | model |
|---|---|---|---|
| security:ide-scan | Scan installed VS Code / IntelliJ extensions for supply-chain risk, typosquats, obfuscation, and malicious patterns | Read, Glob, Grep, Bash | sonnet |
/security ide-scan
Scan installed IDE extensions (VS Code + forks like Cursor/Windsurf/VSCodium/code-server; JetBrains is v1.1 stub).
Runs the IDE scanner plus reused scanners (UNI, ENT, NET, TNT, MEM, SCR) per extension. Offline by default.
Step 1: Run Scanner
Run the IDE extension scanner:
```bash
node <this plugin's scanners/ide-extension-scanner.mjs> [target]
```
Arguments (pass through as provided by the user):

- `[target]` — omit, `.`, or `all` to discover all installed extensions. Absolute path to an extracted extension directory for single-scan mode.
- `--vscode-only` / `--intellij-only` — restrict discovery
- `--include-builtin` — include Microsoft builtin extensions (default: excluded)
- `--online` — enable Marketplace/OSV.dev lookups (opt-in; default: fully offline)
- `--format compact|json` — output format
- `--fail-on <severity>` — exit 1 if findings at/above severity
Parse the JSON output. The result contains:

- `meta.scanner`, `meta.version`, `meta.target`, `meta.extensions_discovered` (per type), `meta.roots_scanned`, `meta.warnings`
- `extensions[]` — per-extension results with `id`, `version`, `type`, `publisher`, `source`, `is_builtin`, `signed`, `scanner_results` (IDE/UNI/ENT/NET/TNT/MEM/SCR), `aggregate` (counts, risk_score, risk_band, verdict), `warnings`
- `aggregate` — top-level counts, risk_score, risk_band, verdict, extensions_total, extensions_blocked, extensions_warning
Step 2: Format Report
Present the results:
# IDE Extension Scan
| Field | Value |
|-------|-------|
| **Scanner** | ide-extension-scanner v[version] |
| **Target** | [target] |
| **Roots** | [comma-separated roots_scanned] |
| **Extensions** | [vscode] VS Code, [jetbrains] JetBrains |
| **Top Verdict** | [ALLOW/WARNING/BLOCK] |
| **Risk** | [risk_score]/100 ([risk_band]) |
| **Duration** | [duration_ms]ms |
## Counts
crit=[N] high=[N] medium=[N] low=[N] info=[N]
## Per-Extension Results
[One row per extension, sorted: BLOCK first, then WARNING, then ALLOW with findings]
| Extension | Version | Source | Verdict | Risk | Top Issue |
|-----------|---------|--------|---------|------|-----------|
Omit ALLOW rows with zero findings unless the user passed `--verbose`.
## Top Findings
[For each extension with verdict != ALLOW, list up to 3 findings as:
- [SEV] [SCANNER]: title — file:line — recommendation]
## Warnings
[Any top-level or per-extension `warnings` entries, if present]
Step 3: Recommendations
- `aggregate.verdict === 'BLOCK'`: "One or more extensions are block-listed. Uninstall immediately — `code --uninstall-extension <id>`."
- `aggregate.verdict === 'WARNING'`: "High/medium findings detected. Review the Top Findings list. Audit suspicious extensions before continuing."
- `aggregate.verdict === 'ALLOW'` and `counts.info > 0`: "Extensions look clean. Info-level findings are observational only."
- `aggregate.extensions_total === 0`: "No extensions discovered. Run `code --list-extensions` to confirm, or pass a specific path."
If the user has many sideloaded (source=vsix) extensions: suggest re-installing from Marketplace where possible.
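The following is an added example, not the plugin's own code: a small JavaScript module that takes a scan result in the documented shape and applies the Step 2 and Step 3 rules (BLOCK rows first, then WARNING, then ALLOW; ALLOW rows with no findings dropped unless verbose; at most three findings per non-ALLOW extension; recommendation text keyed on `aggregate.verdict`). It assumes that each `scanner_results[<scanner>]` entry carries a `findings[]` array whose items have `severity`, `title`, `file`, `line` and `recommendation` fields, that the duration lives at `meta.duration_ms`, and that three or more sideloaded extensions count as "many"; the embedded scan result is constructed, not real scanner output.

```javascript
// Added example (not the plugin's code). meta/aggregate field names follow the
// command doc; scanner_results[*].findings[] shape, meta.duration_ms and the
// "many sideloaded" threshold (>= 3) are assumptions.
const SEV_ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4 };
const VERDICT_ORDER = { BLOCK: 0, WARNING: 1, ALLOW: 2 };

// Flatten per-scanner findings into one list, most severe first.
function collectFindings(ext) {
  const out = [];
  for (const [scanner, res] of Object.entries(ext.scanner_results || {})) {
    for (const f of res.findings || []) out.push({ scanner, ...f });
  }
  return out.sort((a, b) => (SEV_ORDER[a.severity] ?? 9) - (SEV_ORDER[b.severity] ?? 9));
}

// Rows: BLOCK, then WARNING, then ALLOW; ALLOW with zero findings only when verbose.
function selectRows(extensions, verbose = false) {
  return extensions
    .filter((e) => verbose || e.aggregate.verdict !== "ALLOW" || collectFindings(e).length > 0)
    .sort((a, b) => {
      const d = VERDICT_ORDER[a.aggregate.verdict] - VERDICT_ORDER[b.aggregate.verdict];
      return d !== 0 ? d : b.aggregate.risk_score - a.aggregate.risk_score;
    });
}

function topIssue(ext) {
  const f = collectFindings(ext)[0];
  return f ? `[${f.severity}] ${f.scanner}: ${f.title}` : "-";
}

// Step 3 text, keyed on the top-level aggregate.
function recommendations(result) {
  const { aggregate: agg, extensions } = result;
  if (agg.extensions_total === 0) {
    return ["No extensions discovered. Run `code --list-extensions` to confirm, or pass a specific path."];
  }
  const lines = [];
  if (agg.verdict === "BLOCK") {
    const ids = extensions.filter((e) => e.aggregate.verdict === "BLOCK").map((e) => e.id);
    lines.push("One or more extensions are block-listed. Uninstall immediately: " +
      ids.map((id) => `code --uninstall-extension ${id}`).join("; "));
  } else if (agg.verdict === "WARNING") {
    lines.push("High/medium findings detected. Review the Top Findings list and audit suspicious extensions before continuing.");
  } else if (agg.counts.info > 0) {
    lines.push("Extensions look clean. Info-level findings are observational only.");
  }
  const sideloaded = extensions.filter((e) => e.source === "vsix").length;
  if (sideloaded >= 3) lines.push(`${sideloaded} sideloaded (.vsix) extensions found; reinstall from the Marketplace where possible.`);
  return lines;
}

function renderReport(result, { verbose = false } = {}) {
  const { meta, aggregate: agg } = result;
  const disc = meta.extensions_discovered || {};
  const c = agg.counts;
  const md = [
    "# IDE Extension Scan", "", "| Field | Value |", "|-------|-------|",
    `| **Scanner** | ${meta.scanner} v${meta.version} |`, `| **Target** | ${meta.target} |`,
    `| **Roots** | ${(meta.roots_scanned || []).join(", ")} |`,
    `| **Extensions** | ${disc.vscode ?? 0} VS Code, ${disc.jetbrains ?? 0} JetBrains |`,
    `| **Top Verdict** | ${agg.verdict} |`, `| **Risk** | ${agg.risk_score}/100 (${agg.risk_band}) |`,
    `| **Duration** | ${meta.duration_ms}ms |`, "", "## Counts",
    `crit=${c.critical} high=${c.high} medium=${c.medium} low=${c.low} info=${c.info}`, "",
    "## Per-Extension Results", "| Extension | Version | Source | Verdict | Risk | Top Issue |",
    "|-----------|---------|--------|---------|------|-----------|",
  ];
  const rows = selectRows(result.extensions, verbose);
  for (const e of rows) md.push(`| ${e.id} | ${e.version} | ${e.source} | ${e.aggregate.verdict} | ${e.aggregate.risk_score} | ${topIssue(e)} |`);
  md.push("", "## Top Findings");
  for (const e of rows.filter((x) => x.aggregate.verdict !== "ALLOW")) {
    md.push(`**${e.id}**`);
    for (const f of collectFindings(e).slice(0, 3)) md.push(`- [${f.severity}] ${f.scanner}: ${f.title} - ${f.file}:${f.line} - ${f.recommendation}`);
  }
  const warnings = [...(meta.warnings || []), ...result.extensions.flatMap((e) => (e.warnings || []).map((w) => `${e.id}: ${w}`))];
  md.push("", "## Warnings", warnings.length ? warnings.map((w) => `- ${w}`).join("\n") : "none");
  md.push("", "## Recommendations", ...recommendations(result).map((r) => `- ${r}`));
  return md.join("\n");
}

// Constructed sample result in the documented shape (not real scanner output).
const agg = (critical, high, medium, info, risk_score, risk_band, verdict) =>
  ({ counts: { critical, high, medium, low: 0, info }, risk_score, risk_band, verdict });
const SAMPLE = {
  meta: { scanner: "ide-extension-scanner", version: "1.0.0", target: "all", duration_ms: 842,
    extensions_discovered: { vscode: 3, jetbrains: 0 }, roots_scanned: ["~/.vscode/extensions", "~/.cursor/extensions"], warnings: [] },
  extensions: [
    { id: "sample.dark-theme", version: "1.2.0", type: "vscode", source: "marketplace", signed: true, is_builtin: false,
      aggregate: agg(0, 0, 0, 0, 0, "low", "ALLOW"), scanner_results: { IDE: { findings: [] } }, warnings: [] },
    { id: "sample.sideloaded-helper", version: "0.0.3", type: "vscode", source: "vsix", signed: false, is_builtin: false,
      aggregate: agg(0, 1, 1, 0, 62, "high", "WARNING"), warnings: [],
      scanner_results: { IDE: { findings: [
        { severity: "MEDIUM", title: "Wildcard activation event", file: "package.json", line: 14, recommendation: "Review activationEvents" },
        { severity: "HIGH", title: "Sideloaded unsigned .vsix", file: "package.json", line: 1, recommendation: "Reinstall from Marketplace" } ] } } },
    { id: "sample.blocklisted", version: "9.9.9", type: "vscode", source: "marketplace", signed: true, is_builtin: false,
      aggregate: agg(1, 0, 0, 0, 100, "critical", "BLOCK"), warnings: ["Marketplace lookup skipped (offline)"],
      scanner_results: { IDE: { findings: [
        { severity: "CRITICAL", title: "Blocklist match", file: "package.json", line: 1, recommendation: "Uninstall immediately" } ] } } },
  ],
  aggregate: { ...agg(1, 1, 1, 0, 100, "critical", "BLOCK"), extensions_total: 3, extensions_blocked: 1, extensions_warning: 1 },
};

console.log(renderReport(SAMPLE));
```

`selectRows` breaks ties within a verdict by `risk_score` descending, which is an assumption the doc does not state; if the scanner already emits extensions in a meaningful order, drop that secondary sort.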
Notes
- First run with no `--online` is fully offline.
- JetBrains discovery is deferred to v1.1 (see `knowledge/ide-extension-threat-patterns.md`).
- Pass a single extracted extension directory to scan just one extension.