Skip to content

CodeforGood1/contractguard

BranchesTags

Repository files navigation

contract-guard

contract-guard helps you find security and reliability issues in code, configs, queries, Dockerfiles, and dependency files without leaving VS Code.

Features

  • Scan the current file
  • Scan the full workspace
  • Show findings in a dedicated explorer view
  • Publish inline diagnostics in the editor
  • Export SARIF for external security workflows
  • Export findings as JSON
  • Disable noisy rules from diagnostics or the findings view
  • Preserve workspace findings while rescanning saved files incrementally
  • Show scan/runtime details in the ContractGuard output channel
  • Show an overall security score in the status bar
  • Filter low-confidence fixture/doc/test findings by default
  • Continue scans when one analyzer has a runtime problem

What it checks

  • JSON schema drift, including type mismatches, optional fields, and nullable values across samples.
  • SQL query risks (for example: SELECT *, missing WHERE in DELETE, unsafe patterns).
  • Regex complexity and ReDoS risks, including nested quantifiers and deep backtracking.
  • Hardcoded secrets like API keys, tokens, private keys, DB URLs, and JWTs.
  • PII exposure such as SSNs, credit cards, emails, phones, and DOBs.
  • Insecure configuration (debug enabled, weak defaults, open CORS, TLS disabled).
  • Dockerfile issues like root user, latest tags, hardcoded secrets, and SSH exposure.
  • Dependency vulnerabilities in Python requirements.txt/pyproject.toml and npm lockfiles.

Commands

  • ContractGuard: Scan Workspace
  • ContractGuard: Scan Current File
  • ContractGuard: Export SARIF
  • ContractGuard: Export Findings JSON
  • ContractGuard: Clear Findings
  • ContractGuard: Install Python Runtime Dependencies
  • ContractGuard: Show Output

Requirements

  • Python 3.11 or newer

If the Python runtime dependencies are missing, run:

  • ContractGuard: Install Python Runtime Dependencies

Extension Settings

  • contractguard.pythonPath
  • contractguard.scanOnSave
  • contractguard.scanDebounceMs
  • contractguard.scanOnSaveScope
  • contractguard.scanTimeoutMs
  • contractguard.enabledAnalyzers
  • contractguard.disabledRules
  • contractguard.minimumSeverity
  • contractguard.minimumConfidence
  • contractguard.includeFixtures
  • contractguard.rulesDirectory
  • contractguard.sqlExplainDatabase

Notes

  • The extension runs analysis locally.
  • The default minimum confidence is medium; use low for audit mode when you want sample/test fixtures included.
  • Set contractguard.includeFixtures to include findings from docs/tests/samples.
  • SARIF export is available for CI and external security tooling.

About

ContractGuard is a local-first VS Code extension that scans code, configs, schemas, SQL, Dockerfiles, and dependencies for security and reliability issues. Detect secrets, risky queries, schema drift, insecure configs, and vulnerabilities directly inside your editor.

Topics

security static-analysis dependency-analysis code-analysis vscode-extension pii-detection secrets-scanning

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages