About VSCan

Learn about our mission to provide deep, automated security assessments for VS Code extensions.

Deep Dive Extension Security

VSCan performs a comprehensive automated security assessment of VS Code extensions. We dissect packages, analyze code with advanced techniques, and scrutinize metadata to reveal potential risks before you install.

Our goal: Empower users with clear insights into extension safety.

Multi-Layered Analysis Checks

VSCan integrates multiple checks for robust analysis:

  • Metadata & Publisher Vetting: Verifies publisher identity, checks update frequency, permissions, and activation events.
  • Dependency Vulnerability Scan: Audits dependencies against known vulnerability databases (e.g., GitHub Advisory DB).
  • OSSF Scorecard Analysis: Evaluates repository security health based on OSSF Scorecard checks.
  • VirusTotal Integration: Checks the extension package against dozens of AV engines and blocklists.
  • Advanced Static Code Analysis (AST): Parses code to find risks like:
    • Injection vulnerabilities (Command, HTML)
    • Unsafe code execution (`eval`, `child_process`)
    • Insecure webview configurations (CSP, nodeIntegration)
    • Risky filesystem access (especially near sensitive paths)
    • Weak cryptography usage
  • High-Precision Secret Scanning: Detects hardcoded API keys, private keys, credentials (GitGuardian-style).
  • Network Endpoint Profiling: Identifies hardcoded URLs/IPs and checks public endpoints against VirusTotal.
  • Obfuscation Detection: Recognizes common techniques used to hide malicious code.
  • [Experimental] LLM-Powered Assessment: Uses Large Language Models for secondary evaluation of complex code patterns.
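To make the static-analysis and manifest checks above concrete, here is an added example that is not VSCan's own code. VSCan describes AST-based parsing; this stand-in matches regular expressions line by line instead, so it runs without a JavaScript parser library. The rule names, severity weights, scoring formula and the sample extension files and manifest are all constructed for this example.

```javascript
// Added example (not VSCan's code): a simplified risk-pattern scanner for
// VS Code extension sources and manifest. VSCan describes AST-based analysis;
// this approximation tests regular expressions per line instead.

// Rules follow the risk categories listed above. Names and weights are
// assumptions for this example, not VSCan's rule set.
const RULES = [
  { id: 'unsafe-eval', severity: 'high',
    pattern: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'child-process', severity: 'high',
    pattern: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  { id: 'webview-node-integration', severity: 'high',
    pattern: /nodeIntegration\s*:\s*true/ },
  { id: 'webview-enable-scripts', severity: 'medium',
    pattern: /enableScripts\s*:\s*true/ },
  { id: 'sensitive-path', severity: 'medium',
    pattern: /\/\.(ssh|aws|gnupg)\b/ },
];

const SEVERITY_WEIGHT = { high: 15, medium: 8, low: 3 };

// Scan one source file line by line; one finding per matching rule and line.
function scanSource(fileName, source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ file: fileName, line: index + 1, rule: rule.id, severity: rule.severity });
      }
    }
  });
  return findings;
}

// Flag a wildcard activation event: the extension then runs at every editor
// start-up, regardless of which files or commands the user touches.
function scanManifest(manifest) {
  const findings = [];
  const events = Array.isArray(manifest.activationEvents) ? manifest.activationEvents : [];
  if (events.includes('*')) {
    findings.push({ file: 'package.json', line: null, rule: 'wildcard-activation', severity: 'low' });
  }
  return findings;
}

// Scan the manifest and every file, then reduce findings to a 0-100 score.
// The weighting is illustrative only, not VSCan's scoring.
function scanExtension(files, manifest) {
  const findings = scanManifest(manifest);
  for (const [name, source] of Object.entries(files)) {
    findings.push(...scanSource(name, source));
  }
  const penalty = findings.reduce((sum, f) => sum + SEVERITY_WEIGHT[f.severity], 0);
  return { findings, score: Math.max(0, 100 - penalty) };
}

// Constructed sample extension (not a real package) that trips several rules.
const SAMPLE_FILES = {
  'extension.js': [
    "const vscode = require('vscode');",
    "const { exec } = require('child_process');",
    "function run(code) { return eval(code); }",
    "vscode.window.createWebviewPanel('demo', 'Demo', 1, { enableScripts: true });",
  ].join('\n'),
  'util.js': [
    "const fs = require('fs');",
    "const os = require('os');",
    "const key = fs.readFileSync(os.homedir() + '/.ssh/id_rsa');",
  ].join('\n'),
};
const SAMPLE_MANIFEST = { name: 'demo-extension', activationEvents: ['*'] };

const REPORT = scanExtension(SAMPLE_FILES, SAMPLE_MANIFEST);
console.log(`score ${REPORT.score}, ${REPORT.findings.length} findings`);
for (const f of REPORT.findings) {
  console.log(`${f.severity.padEnd(6)} ${f.file}${f.line ? ':' + f.line : ''} ${f.rule}`);
}
```

Running the block on the constructed sample reports five findings (the wildcard activation event, the `child_process` import, the `eval` call, the script-enabled webview and the read under `~/.ssh`) and a score of 51. A line-based matcher like this is exactly the kind of check that produces the false positives the Disclaimer section mentions: a comment containing `eval(` matches just as a real call does, which is why an AST-based pass, as VSCan describes, is the better foundation for the real tool.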

Understanding the Results

The overall score provides a quick overview, but examine the detailed findings from each module to understand specific concerns. Automated analysis isn't perfect.

Disclaimer

VSCan is an informational tool, not a guarantee of safety. Automated scanners have limitations (false positives/negatives). Always exercise caution, review permissions, check publisher reputation, and inspect code if possible. Use VSCan as one part of your evaluation.