User guide
This page walks through ShieldX end-to-end: opening the dashboard, running a scan, reading results, and responding to warnings.
Opening the dashboard
ShieldX registers an icon in the activity bar. Click it to reveal the ShieldX view container, which hosts a single webview-backed dashboard.
You can also run ShieldX: Open dashboard from the command palette.
Running your first scan
- Open the dashboard.
- Click Scan now in the header, or run ShieldX: Scan installed extensions from the command palette.
- A progress notification appears. Long scans can be cancelled from the notification itself or from the dashboard Cancel button.
The scan covers every extension the editor reports as installed, including built-ins (built-ins are scored conservatively and rarely surface as risky).
Summary cards
Once the scan completes, the dashboard shows four risk-level cards:
- Low — nothing actionable, kept for visibility
- Moderate — at least one notable signal, review when convenient
- High — multiple notable signals or a known vulnerability
- Critical — strong combined signals; review before continuing to use
The counts are clickable and filter the extension list below.
Reading an extension entry
Each extension row shows the publisher, version, risk score, and risk level. Expanding a row reveals:
- Trust signals — install count, publisher age, repo presence, signed releases
- Risk factors — suspicious code patterns, missing repo, network access in known sensitive APIs, vulnerable dependencies
- Recommendation — short text generated from the strongest signals
A trust signal does not cancel a risk factor. They are reported independently so you can judge them.
History
The History tab lists every previous scan with timestamp, total extensions, and a delta vs. the prior scan. Open an entry to see the full extension list captured at that moment, including a search/filter box for large workspaces.
Two cleanup commands are available:
- Clear a single history entry from its detail view
- Clear all history from the History tab header
History is stored in extension global state. It does not sync between machines unless Settings Sync is enabled for extension state.
The number of retained entries is controlled by shieldx.maxHistoryItems. When the limit is reached, the oldest history entry is dropped on the next completed scan.
Cancelling a scan
Long network lookups (OSV, npm publisher checks) can be cancelled at any time. Either:
- Click Cancel on the progress notification
- Click Cancel in the dashboard header while a scan is running
Cancellation is cooperative. In-flight HTTP requests are aborted; partial results are discarded.
Warnings for new extensions
When you install a new extension or update an existing one, ShieldX queues a focused scan of the changed extension on the next activation. The result is surfaced as a notification rather than as a forced dashboard reveal.
Sensitive workspace notice
If the scan flags risky extensions and the workspace contains files that look like secrets (.env, private keys, cloud credential files), ShieldX shows a one-time warning encouraging you to review before continuing. The check is heuristic and intentionally conservative.
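The condition described above, sketched as an added example (not ShieldX's own code): the notice needs both a risky scan result and a secret-like file, and it fires once. The filename rules, the High/Critical threshold for "risky", and every name in the block are assumptions made for illustration.

```javascript
// Added illustration, not ShieldX source. Patterns and the "risky" threshold are assumptions.
const RISKY_LEVELS = new Set(["High", "Critical"]); // assumed meaning of "risky"
// Assumed filename rules for "files that look like secrets".
const SECRET_RULES = [
  { kind: "dotenv",
    test: (p, base) => /^\.env(\..+)?$/.test(base) &&
                       !/\.(example|sample|template)$/.test(base) },
  { kind: "private-key",
    test: (p, base) => /^id_(rsa|dsa|ecdsa|ed25519)$/.test(base) ||
                       /\.(pem|key|p12|pfx)$/.test(base) },
  { kind: "cloud-credentials",
    test: (p) => /(^|\/)\.aws\/credentials$/.test(p) ||
                 /(^|\/)application_default_credentials\.json$/.test(p) },
];

// Classify workspace-relative paths by name only; file contents are never read.
function findSecretLikeFiles(relativePaths) {
  const hits = [];
  for (const raw of relativePaths) {
    const p = raw.replace(/\\/g, "/"); // normalise Windows separators
    if (/(^|\/)(node_modules|\.git)\//.test(p)) continue; // skip vendored trees
    const base = p.slice(p.lastIndexOf("/") + 1);
    const rule = SECRET_RULES.find((r) => r.test(p, base));
    if (rule) hits.push({ path: p, kind: rule.kind });
  }
  return hits;
}

// Both conditions must hold, and the notice fires once per persisted state object.
function shouldShowNotice(scanResults, relativePaths, state) {
  if (state.noticeShown) return { show: false, reason: "already shown" };
  const risky = scanResults.filter((e) => RISKY_LEVELS.has(e.level));
  if (risky.length === 0) return { show: false, reason: "no risky extensions" };
  const secrets = findSecretLikeFiles(relativePaths);
  if (secrets.length === 0) return { show: false, reason: "no secret-like files" };
  state.noticeShown = true; // stand-in for persisting the "shown" flag
  return { show: true, risky: risky.map((e) => e.id), secrets };
}

// Constructed sample data.
const SAMPLE_SCAN = [
  { id: "example.theme", level: "Low" },
  { id: "example.helper", level: "High" },
];
const SAMPLE_FILES = [
  "src/index.ts", ".env.example", "config/.env.local", "deploy\\id_ed25519",
  "deploy/id_ed25519.pub", "node_modules/pkg/test/server.key", ".aws/credentials",
];
console.log(shouldShowNotice(SAMPLE_SCAN, SAMPLE_FILES, { noticeShown: false }));
```

Matching on names alone means a template such as `.env.example` or a public key such as `id_ed25519.pub` does not trigger the notice, while a renamed key file would be missed.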