Code security

Find, fix, and dismiss security issues in your code while you develop — so they never reach code review or production.

The most expensive security issue is the one found in production; the cheapest is the one fixed before it was ever committed. xgrep, Mondoo's software development security scanner, moves that work to where you already are: it analyzes your code for vulnerabilities and leaked secrets while you type (static analysis of your source — what security teams often call SAST) and reports findings as standard VS Code diagnostics in the Problems panel (Ctrl+Shift+M / Cmd+Shift+M) and as squiggles in the editor.

There is no account, login, or configuration required, and your code never leaves your machine.

See issues while you write

Open or save a file in a supported language and it is analyzed immediately; findings update as you type. The shield item in the status bar tells you at a glance whether the scanner is running and how many findings exist across your workspace — click it for a menu of all scanner commands and settings.

Out of the box the scanner applies Mondoo's built-in security and secrets rules. If your team maintains its own rules, point mondoo.xgrepRulesPath at a rule file or directory (Semgrep-compatible YAML rules are supported) to make the editor enforce the same standards as your pipeline.

Check the whole project before you commit

Three commands cover code you don't have open:

  • Mondoo: xgrep — Scan Workspace checks every file in the workspace — useful for a first assessment of a codebase.
  • Mondoo: xgrep — Scan Changed Files (fast) checks only files that are new or modified according to git — the quick pre-commit confidence check.
  • Mondoo: xgrep — Scan Changes Since… checks only what changed since a git ref you pick (a branch, tag, or commit) — for reviewing a feature branch against main without scanning the whole tree.

When a scan finishes, a notification summarizes how many findings turned up in how many files, with a button that takes you straight to the Problems panel.

Understand a finding

When the rule message isn't enough, open Code Actions (Ctrl+. / Cmd+.) on the finding and choose Explain xgrep finding <rule> (AI). The answer streams into the Chat view from the @mondoo participant — a plain-language review of the three questions that matter: what the risk is, whether it's actually exploitable in this code or a likely false positive, and how to fix it. You can keep the conversation going with follow-ups like "how is it exploited?" or ask @mondoo directly about the finding under your cursor.

The explanation uses the language model you already have in VS Code (GitHub Copilot or another provider) — there's no Mondoo account and your code goes only to the model you've chosen.

To judge whether a finding is really exploitable, the explanation includes the call neighborhood around it from the xgrep code graph — who calls the flagged function and what it calls — so the model can trace whether attacker-controllable input can actually reach it. Turn this off with mondoo.xgrepExplainUseGraph if building the graph is slow on a large repository.

Bring xgrep to your AI agent

Beyond explanations, xgrep's deeper analysis is available to AI coding agents:

  • Copilot agent mode (and other MCP clients) automatically discover an xgrep tool server the extension registers, giving the agent xgrep's code graph, symbol inspection, and scanning on demand — no setup.
  • Claude Code users can run Mondoo: xgrep — Install AI Skills (from the Command Palette or the xgrep status-bar menu) to install xgrep's bundled skills (finding triage, code inspection, rule authoring, secure coding) into ~/.claude/plugins or the current workspace.

Fix a finding in one click

When a rule ships an automatic fix, the editor offers a Code Action (the light bulb, Ctrl+. / Cmd+.) titled Apply xgrep fix that rewrites the flagged code in place — review the change, save, done.

Fix a finding with AI

Most security findings have no single mechanical fix — the right change depends on the surrounding code. For those, the light bulb offers Fix xgrep finding <rule> with AI. Your own language model (the one already in VS Code — no Mondoo account) authors the fix from xgrep's machine-readable fix contract, and xgrep then verifies the candidate through its own parse-and-rescan checks before you see it: the fix must parse, clear the finding, and not introduce a new one. You review the change in a diff preview and apply it like any refactor (with undo). If the first attempt doesn't pass, xgrep's rejection reason is fed back and the model tries again. Nothing is written to disk until you approve.

This needs a recent xgrep; on older versions the action simply doesn't appear.

Dismiss a finding that doesn't apply

False positives erode trust in every other finding, so dismissing one takes two clicks and leaves an audit trail. Place the cursor on the finding and open Code Actions (Ctrl+. / Cmd+.):

  • Suppress xgrep finding <rule> (nogrep) inserts a suppression comment on the line above the finding:

    # nogrep: python-os-system
    os.system(cmd)
  • Suppress xgrep finding <rule> with reason… asks for a short justification and records it in the same comment — so reviewers and future maintainers see why the finding was dismissed, not just that it was:

    # input is validated upstream nogrep: python-os-system
    os.system(cmd)

A dismissal made in the editor holds everywhere: the same comments are understood by the xgrep command line and CI scans, so a finding you suppress here stays suppressed in your pipeline. Suppressing several rules on one line extends the same comment (nogrep: rule-one, rule-two). In HTML the comment suppresses all rules on that line; JSON has no comments, so findings there cannot be suppressed inline.
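To audit these comments across a file (for instance, to list every suppression that carries no reason), here is an added example that parses the documented nogrep format; it is not code from the extension or from xgrep, and accepting `//` comments alongside `#` as well as the second rule id in the constructed sample are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Suppression comment as documented: optional free-text reason, then "nogrep:"
# and a comma-separated rule list. Accepting "//" as well as "#" is an assumption;
# the documentation only shows "#".
NOGREP_RE = re.compile(
    r"^\s*(?:#|//)\s*(?P<reason>.*?)\s*nogrep:\s*"
    r"(?P<rules>[\w.-]+(?:\s*,\s*[\w.-]+)*)\s*$"
)

class Suppression(NamedTuple):
    line: int               # 1-based line of the comment itself
    rules: List[str]
    reason: Optional[str]   # None when no justification was recorded

def find_suppressions(source: str) -> List[Suppression]:
    """Every nogrep comment in a file, with the rules it covers and its reason."""
    found = []
    for n, text in enumerate(source.splitlines(), start=1):
        m = NOGREP_RE.match(text)
        if m:
            rules = [r.strip() for r in m.group("rules").split(",")]
            found.append(Suppression(n, rules, m.group("reason").strip() or None))
    return found

def is_suppressed(source: str, line: int, rule: str) -> bool:
    """True if a finding for `rule` on 1-based `line` is dismissed by the line above it."""
    return any(s.line == line - 1 and rule in s.rules for s in find_suppressions(source))

def unjustified(source: str) -> List[Suppression]:
    """Suppressions recorded without a reason: the ones to ask about in review."""
    return [s for s in find_suppressions(source) if s.reason is None]

# Constructed sample file, not real project code; "example-second-rule" is a placeholder id.
SAMPLE = """\
import os

# nogrep: python-os-system
os.system(cmd)

# input is validated upstream nogrep: python-os-system, example-second-rule
os.system(cmd)
"""

if __name__ == "__main__":
    for s in unjustified(SAMPLE):
        print(f"line {s.line}: {', '.join(s.rules)} suppressed without a reason")
```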

Keep noise out of your results

Generated code, vendored dependencies, and test fixtures produce findings nobody intends to fix — and they bury the ones that matter. Exclude them with the mondoo.xgrepExcludePatterns setting:

"mondoo.xgrepExcludePatterns": [
  "src/generated/**",
  "vendor",
  "*.min.js"
]

Pattern rules:

  • * matches within one path segment, ** spans segments, ? matches a single character.
  • A pattern containing / matches against the workspace-relative path (src/generated/**).
  • A pattern without / matches any single path segment anywhere (vendor excludes every vendor directory; *.min.js excludes minified files at any depth).

Newly excluded files disappear from the Problems panel immediately. After removing a pattern, accept the prompt to restart the scanner so the previously excluded files are checked again. Files ignored by .gitignore are never scanned.

To do the opposite — scan only part of the tree — set mondoo.xgrepIncludePatterns (same glob syntax). When it is non-empty only matching files are scanned (src/** to focus on your own source, say); an exclude pattern still wins over an include.
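As an added example that is not the extension's own matcher, the following Python reimplements the documented pattern rules (and the exclude-over-include precedence) so you can check offline which workspace paths a given configuration would scan; treating `**/` as zero or more whole segments is an assumption of this example.

```python
import re
from typing import Iterable, List

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one glob into an anchored regex with the documented semantics:
    '*' stays inside a path segment, '**' spans segments, '?' is one character.
    '**/' is treated as zero or more whole segments (an assumption of this example)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def matches(pattern: str, rel_path: str) -> bool:
    """A pattern with '/' is matched against the whole workspace-relative path;
    one without '/' is matched against each path segment on its own."""
    regex = glob_to_regex(pattern)
    if "/" in pattern:
        return regex.match(rel_path) is not None
    return any(regex.match(seg) for seg in rel_path.split("/"))

def is_scanned(rel_path: str, include: Iterable[str] = (), exclude: Iterable[str] = ()) -> bool:
    """Exclude always wins; a non-empty include list restricts scanning to its matches."""
    if any(matches(p, rel_path) for p in exclude):
        return False
    include = list(include)
    return not include or any(matches(p, rel_path) for p in include)

def filter_paths(paths: Iterable[str], include=(), exclude=()) -> List[str]:
    """Return the subset of workspace-relative paths the scanner would look at."""
    return [p for p in paths if is_scanned(p, include, exclude)]

# Constructed sample: the exclude list from the settings snippet above.
EXCLUDE = ["src/generated/**", "vendor", "*.min.js"]
PATHS = ["src/app.py", "vendor/lib/x.js", "src/generated/models.py", "static/app.min.js"]
print(filter_paths(PATHS, exclude=EXCLUDE))  # ['src/app.py']
```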

On large repositories, mondoo.xgrepScanJobs controls how many files the on-demand scans process in parallel — 0 lets the scanner size itself to your CPU; raise it to go faster or lower it to stay quiet on a shared machine.

Search your code by structure

Text search can't tell eval(userInput) from the word "eval" in a comment. The Code Search view (in the Mondoo activity-bar container) searches by structure instead. Run Mondoo: xgrep — Search Code… and enter a pattern where $X is a placeholder that binds to any expression and ... matches anything:

eval($X)

matches every call to eval, whatever the argument, across the supported languages — and ignores the literal text. Two actions turn a search into a fix or a reusable check:

  • Replace in Search… rewrites every match structurally, reusing the bound placeholders — e.g. replace eval($X) with safeEval($X) everywhere at once, then review the edits.
  • Export Search as Rule turns the current pattern into a Semgrep-compatible xgrep rule file, so a pattern you found useful becomes a finding the scanner flags from then on (point mondoo.xgrepRulesPath at it to enforce it).

Supported languages

Python, Go, Java, JavaScript, TypeScript (including React), Ruby, Rust, C, C++, C#, Kotlin, Scala, PHP, Lua, shell scripts, HTML, JSON, and YAML.

Commands

| Command | Description |
|---|---|
| Mondoo: xgrep — Scan Workspace | Check every file in the workspace |
| Mondoo: xgrep — Scan Changed Files (fast) | Check only git-changed and untracked files |
| Mondoo: xgrep — Scan Changes Since… | Check only what changed since a git ref you pick |
| Mondoo: xgrep — Search Code… | Structural code search ($X placeholders, ...) |
| Mondoo: xgrep — Replace in Search… | Rewrite every structural-search match |
| Mondoo: xgrep — Export Search as Rule | Save the current search pattern as an xgrep rule |
| Mondoo: xgrep — Commands | Open the scanner menu (same as clicking the shield) |
| Mondoo: Restart xgrep Language Server | Restart the scanner (required after settings changes) |
| Mondoo: Show xgrep Path | Show which xgrep binary the extension uses |
| Mondoo: xgrep — Install AI Skills | Install xgrep's Claude Code skills for AI agents |

Installation details and troubleshooting

The extension finds the scanner in this order: the mondoo.xgrepPath setting, xgrep on your PATH, common install locations (including Go's ~/go/bin for developers who build it themselves), and finally its own automatic installation of the @mondoohq/xgrep npm package into extension storage. Automatic installation requires npm and can be disabled with mondoo.xgrepAutoInstall. Uninstalling the extension removes the auto-installed scanner.

If the status bar shows the ⚠ xgrep: set up warning, the scanner could not be located:

  1. Click it (or run Mondoo: xgrep — Set Up Scanner) to find or install the binary in one step.
  2. If you have xgrep in a custom location, set mondoo.xgrepPath to it and run Mondoo: Restart xgrep Language Server.
  3. Check the xgrep Security Scanner output channel (View → Output) for errors.

To turn the scanner off entirely, set mondoo.xgrepEnabled to false.

Scope and limitations

Editor scanning analyzes one file at a time, which keeps it fast enough to run on every keystroke. Findings that require following data across files (cross-file taint analysis) are the job of xgrep ci in your CI pipeline — the editor and CI share the same rules and the same suppression comments, so what you dismiss or fix here carries over.
