Mondoo Security for VS Code

Catch security issues in your code while you write it, and verify that the infrastructure you run is configured securely — without leaving VS Code.

The Mondoo Security extension covers three sides of your security work in VS Code:

  • Secure the software you build. xgrep, Mondoo's software development security scanner, finds vulnerabilities and leaked secrets in your code as you type and lets you fix or dismiss each finding in one click — so issues are gone before they ever reach code review. See Code security.
  • Secure the infrastructure you run. cnspec, Mondoo's infrastructure security scanner, checks systems, cloud accounts, containers, and Kubernetes clusters against security policies — so misconfigurations surface before attackers find them. The extension is also the workbench for developing those policies. See Infrastructure security.
  • Know what's inside. Generate a bill of materials — your source-code dependencies, the packages on a running asset, or your AI models. You choose what to inventory; the extension picks the right scanner. See Bill of materials.

Requirements

  • Visual Studio Code 1.101 or later
  • cnspec for infrastructure scanning (the extension detects it and guides you through installation if it is missing)
  • The xgrep code scanner installs automatically — no setup needed

The extension only runs in trusted workspaces because it executes the cnspec and xgrep binaries against workspace files.

Pages

  • Getting started — install the extension, see your first code findings, and run your first infrastructure check
  • Code security — find, fix, and dismiss security issues in your code as you develop
  • Infrastructure security — check systems and cloud accounts against policies, and develop policies with full IDE support
  • Bill of materials — inventory source-code dependencies, asset packages, and AI models in standard formats
  • Settings reference — every extension setting with its default and scope

Getting help
