About VSCan

A single VS Code extension can read your files, run shell commands, and reach the network. VSCan brings deep, automated security analysis to every extension, so you can see exactly what you're installing.

Our Mission

The marketplace makes it effortless to install extensions, but offers little visibility into what they actually do. Because extensions run with the same privileges as your editor, they are an attractive vector for malware, credential theft, and supply chain attacks.

VSCan exists to close that gap. We provide automated security transparency — combining static code analysis, publisher trust signals, and external threat intelligence into one clear report, so you can catch risks before they reach your machine.

Why Analysis Matters

  • Detect malware and spyware early
  • Audit code for exploitable vulnerabilities
  • Surface excessive or risky permissions
  • Monitor publishers for supply chain risk

How VSCan Works

Paste an extension link or ID and VSCan handles the rest — from fetching the package to delivering a scored, human-readable report in a single pass.

1. Fetch & Unpack

We retrieve the published package straight from the marketplace and unpack its source, manifest, and dependencies for inspection.

2. Multi-Layer Scan

Code, metadata, and external intelligence engines run in parallel, flagging suspicious patterns, risky permissions, and known threats.

3. Score & Report

Findings are weighted into a clear risk score with detailed, categorized evidence you can drill into and act on.

Multi-Layered Protection

No single technique catches everything, so VSCan layers complementary engines that reinforce one another.

Deep Code Analysis

AST-level parsing detects command injection, unsafe eval usage, weak cryptography, and obfuscated payloads hidden in the source.

Trust & Metadata

Vets publisher identity, install counts, and update patterns, then audits dependencies against GitHub Advisory and OpenSSF Scorecards.

External Intelligence

Cross-references VirusTotal, runs secret scanning for leaked credentials, and applies network profiling to catch threats seen elsewhere in the wild.

Safety & Transparency

We're upfront about what automated analysis can and can't do.

Automation Has Limits

VSCan is primarily a static analysis tool. Runtime-only behavior, sophisticated obfuscation, and novel zero-day threats can occasionally evade detection.

Scores Are a Starting Point

A risk score orients you quickly, but the detailed findings and requested permissions deserve a look before you trust an extension in critical environments.

Automated scanning is a powerful first line of defense — but for maximum security, pair it with manual review and publisher vetting before installing anything sensitive.

Get in Touch

We read every message and typically reply within a couple of business days. Pick whatever fits — or just say hi.

Support & Questions

Stuck on a scan or have a question about a result? We're happy to help.

Feature Requests

Have an idea that would make VSCan more useful? We'd love to hear it.

Bugs & Security

Found a bug or a false positive? Report it and we'll dig in quickly.

vscandevteam@gmail.com

Prefer copy-paste? Reach us anytime at the address above.