
ShieldX

An extension that audits your installed extensions for risk signals, known vulnerabilities, and workspace policy violations. Local scan, exportable reports, and team policy in one tree.

code --install-extension thk.shieldx
Overview

What it is

An IDE extension that scans your installed extensions for risk signals, known vulnerabilities, and policy violations — locally.

What it ships

Activity-bar dashboard, scan engine, history, six export formats, and a workspace policy file.

How it scales

Analyzers run in a fixed pipeline with shared HTTP cache, cancellable progress, and persistent scan history.

Features

Risk-scored dashboard

Per-extension trust signals and risk factors, aggregated into Low / Moderate / High / Critical with a plain-language recommendation.

Scan engine

Package metadata, suspicious code patterns, dependency analysis, npm publisher reputation, and OSV vulnerability lookups.

Workspace policy

A .shieldx.json file in the workspace with allowlist, blocklist, and maxRiskLevel settings. Violations surface on the dashboard.
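As an added illustration of how a policy of this shape is evaluated (this is example code, not ShieldX's own implementation), the script below loads a constructed .shieldx.json and checks it against constructed scan results. Everything beyond the three field names the page lists is an assumption: that allowlist and blocklist hold extension ids, that maxRiskLevel is one of Low / Moderate / High / Critical, that a non-empty allowlist restricts installs to the listed ids, and that the blocklist takes precedence over everything else.

```python
"""Hypothetical evaluator for a ShieldX-style workspace policy (added example).

Schema and precedence rules are assumptions; only the field names
allowlist, blocklist and maxRiskLevel come from the page. The policy and
scan results below are constructed sample data, not real scan output.
"""
import json

# Risk levels in ascending order, as the page lists them.
RISK_LEVELS = ["Low", "Moderate", "High", "Critical"]

# Constructed policy file contents (assumed schema).
POLICY_JSON = """
{
  "allowlist": ["ms-python.python", "esbenp.prettier-vscode", "example.high-risk-allowed"],
  "blocklist": ["example.known-malicious-extension"],
  "maxRiskLevel": "Moderate"
}
"""

# Constructed scan results: extension id -> aggregated risk level.
SCAN_RESULTS = {
    "ms-python.python": "Low",
    "esbenp.prettier-vscode": "Moderate",
    "example.high-risk-allowed": "High",
    "example.known-malicious-extension": "Critical",
    "example.unlisted-helper": "Low",
}


def load_policy(text):
    """Parse the policy JSON and validate maxRiskLevel; missing lists default to empty."""
    policy = json.loads(text)
    level = policy.get("maxRiskLevel", "Critical")  # assumed default: no ceiling
    if level not in RISK_LEVELS:
        raise ValueError(f"unknown maxRiskLevel {level!r}; expected one of {RISK_LEVELS}")
    return {
        "allowlist": set(policy.get("allowlist", [])),
        "blocklist": set(policy.get("blocklist", [])),
        "maxRiskLevel": level,
    }


def evaluate(policy, results):
    """Return a sorted list of (extension_id, reason) policy violations.

    Assumed precedence: blocklist first; then, if an allowlist is present,
    any id not on it is a violation; finally the risk ceiling is applied to
    extensions that survived both list checks. Each extension is reported
    at most once, with the highest-precedence reason.
    """
    violations = []
    ceiling = RISK_LEVELS.index(policy["maxRiskLevel"])
    for ext_id, level in sorted(results.items()):
        if ext_id in policy["blocklist"]:
            violations.append((ext_id, "blocklisted"))
            continue
        if policy["allowlist"] and ext_id not in policy["allowlist"]:
            violations.append((ext_id, "not on allowlist"))
            continue
        if RISK_LEVELS.index(level) > ceiling:
            violations.append(
                (ext_id, f"risk {level} exceeds maxRiskLevel {policy['maxRiskLevel']}")
            )
    return violations


if __name__ == "__main__":
    for ext_id, reason in evaluate(load_policy(POLICY_JSON), SCAN_RESULTS):
        print(f"{ext_id}: {reason}")
```

Note that the blocklisted extension is reported once as "blocklisted" even though its Critical risk would also breach the ceiling; reporting the highest-precedence reason keeps a dashboard readable and makes the fix (remove it) obvious.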

Exports for humans and CI

Markdown, JSON, HTML, PDF, CSV, and SARIF. PDF gracefully falls back to HTML when no browser is detected.

Scan history & diffing

Every scan is stored. Each run is diffed against the previous one, so what changed is the first thing you see.

Cancellable, scriptable

Long network lookups can be cancelled. Commands integrate with the command palette, keybindings, and tasks.

Start here

Read the introduction, then move into the reference.

The docs are organised to keep the path short: introduction, user guide, settings, scan engine, then specialised reference pages.