ShieldX
An extension that audits your installed extensions for risk signals, known vulnerabilities, and workspace policy violations. Local scan, exportable reports, and team policy in one tree.
What it is
An IDE extension that scans your installed extensions for risk signals, known vulnerabilities, and policy violations — locally.
What it ships
Activity-bar dashboard, scan engine, history, six export formats, and a workspace policy file.
How it scales
Analyzers run in a fixed pipeline with a shared HTTP cache, cancellable progress, and persistent scan history.
Risk-scored dashboard
Per-extension trust signals and risk factors, aggregated into Low / Moderate / High / Critical with a plain-language recommendation.
Scan engine
Package metadata, suspicious code patterns, dependency analysis, npm publisher reputation, and OSV vulnerability lookups.
Workspace policy
A .shieldx.json file with allowlist, blocklist, and maxRiskLevel. Violations surface on the dashboard.
Exports for humans and CI
Markdown, JSON, HTML, PDF, CSV, and SARIF. PDF gracefully falls back to HTML when no browser is detected.
Scan history & diffing
Every scan is stored. Each run is diffed against the previous one, so what changed is the first thing you see.
Cancellable, scriptable
Long network lookups can be cancelled. Commands integrate with palettes, keybinds, and tasks.
Read the introduction, then move into the reference.
The docs are organised to keep the path short: introduction, user guide, settings, scan engine, then specialised reference pages.
