User guide

This page walks through ShieldX end-to-end: opening the dashboard, running a scan, reading results, and responding to warnings.

Opening the dashboard

ShieldX registers an icon in the activity bar. Click it to reveal the ShieldX view container, which hosts a single webview-backed dashboard.

You can also run ShieldX: Open dashboard from the command palette.

Running your first scan

  1. Open the dashboard.
  2. Click Scan now in the header, or run ShieldX: Scan installed extensions from the command palette.
  3. A progress notification appears. Long scans can be cancelled from the notification itself or from the dashboard Cancel button.

The scan covers every extension the editor reports as installed, including built-ins (built-ins are scored conservatively and rarely surface as risky).

Summary cards

Once the scan completes the dashboard shows four risk-level cards:

  • Low — nothing actionable, kept for visibility
  • Moderate — at least one notable signal, review when convenient
  • High — multiple notable signals or a known vulnerability
  • Critical — strong combined signals; review before continuing to use

The counts are clickable and filter the extension list below.

Reading an extension entry

Each extension row shows the publisher, version, risk score, and risk level. Expanding a row reveals:

  • Trust signals — install count, publisher age, repo presence, signed releases
  • Risk factors — suspicious code patterns, missing repo, network access in known sensitive APIs, vulnerable dependencies
  • Recommendation — short text generated from the strongest signals

A trust signal does not cancel a risk factor. They are reported independently so you can judge them.

History

The History tab lists every previous scan with timestamp, total extensions, and a delta vs. the prior scan. Open an entry to see the full extension list captured at that moment, including a search/filter box for large workspaces.

Two cleanup commands are available:

  • Clear a single history entry from its detail view
  • Clear all history from the History tab header

History is stored in extension global state. It does not sync between machines unless Settings Sync is enabled for extension state.

The number of retained entries is controlled by shieldx.maxHistoryItems. When the limit is reached, the oldest history entry is dropped on the next completed scan.

Cancelling a scan

Long network lookups (OSV, npm publisher checks) can be cancelled at any time. Either:

  • Click Cancel on the progress notification
  • Click Cancel in the dashboard header while a scan is running

Cancellation is cooperative. In-flight HTTP requests are aborted; partial results are discarded.

Warnings for new extensions

When you install a new extension or update an existing one, ShieldX queues a focused scan of the changed extension on the next activation. The result is surfaced as a notification rather than as a forced dashboard reveal.

Sensitive workspace notice

If the scan flags risky extensions and the workspace contains files that look like secrets (.env, private keys, cloud credential files), ShieldX shows a one-time warning encouraging you to review before continuing. The check is heuristic and intentionally conservative.
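
The sketch below shows how a notice of this kind can be evaluated. It is an added example, not ShieldX's own code. The file-name patterns, the choice of High and Critical as "risky", the state object, and all sample data are assumptions made for illustration.

```javascript
// Added example, not ShieldX source code. Patterns, level names treated as
// "risky", and the state object are assumptions made for illustration.
const SECRET_PATTERNS = [
  { kind: "env file", re: /(^|\/)\.env(\.[^/]+)?$/i },
  { kind: "private key",
    re: /(^|\/)(id_(rsa|dsa|ecdsa|ed25519)|[^/]+\.(pem|key|p12|pfx))$/i },
  { kind: "cloud credentials",
    re: /(^|\/)(\.aws\/credentials|application_default_credentials\.json)$/i },
];
// Committed templates share secret-like names but normally hold no secrets.
const TEMPLATE_SUFFIX = /\.(example|sample|template)$/i;
const RISKY_LEVELS = new Set(["High", "Critical"]); // assumption

function secretLikeFiles(paths) {
  const hits = [];
  for (const raw of paths) {
    const p = raw.replace(/\\/g, "/"); // normalise Windows separators
    if (TEMPLATE_SUFFIX.test(p)) continue;
    const match = SECRET_PATTERNS.find(({ re }) => re.test(p));
    if (match) hits.push({ path: p, kind: match.kind });
  }
  return hits;
}

// Decide whether to show the notice; `state` stands in for persisted storage.
function evaluateNotice(scanResults, workspacePaths, state) {
  const risky = scanResults.filter((e) => RISKY_LEVELS.has(e.level));
  const secrets = secretLikeFiles(workspacePaths);
  const show = risky.length > 0 && secrets.length > 0 && !state.noticeShown;
  if (show) state.noticeShown = true; // one-time: later scans stay quiet
  return { show, risky: risky.map((e) => e.id), secrets };
}

// Constructed sample data (not real extensions or files).
const SAMPLE_SCAN = [
  { id: "example.theme-pack", level: "Low" },
  { id: "example.remote-helper", level: "High" },
];
const SAMPLE_PATHS = [
  ".env", ".env.example", "deploy\\keys\\id_ed25519",
  "deploy/keys/id_ed25519.pub", ".aws/credentials", "src/index.ts",
];

const state = { noticeShown: false };
console.log(evaluateNotice(SAMPLE_SCAN, SAMPLE_PATHS, state));
console.log(evaluateNotice(SAMPLE_SCAN, SAMPLE_PATHS, state).show);
```

Matching on file names alone never opens the files, so a match means "review this", not "a secret is present".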