Our Mission
VSCan provides automated security transparency for the VS Code ecosystem. Extensions run with high privileges, making them potential vectors for malware, data theft, and supply chain attacks. We help you identify these risks before they enter your environment.
Why Analysis Matters
- Detect malware and spyware early
- Audit code for vulnerabilities
- Identify excessive permissions
- Monitor for supply chain risks
Multi-Layered Protection
Deep Code Analysis
Advanced AST parsing detects command injection, unsafe `eval` usage, and weak cryptography.
Trust & Metadata
Vets publisher identity and update patterns. Audits dependencies via GitHub Advisory & Scorecards.
External Intelligence
Integrates VirusTotal, GitGuardian-style secret detection, and network profiling.
Safety & Transparency
Automation Limits: VSCan is a static analysis tool. Runtime behavior, sophisticated obfuscation, and zero-day threats may occasionally evade detection.
Expert Interpretation: Scores are a starting point. Always review detailed findings and permissions before trusting an extension in critical environments.
Automated scanning is a powerful first line of defense, but should be combined with manual review and publisher vetting for maximum security.