IDE Integration
Run xgrep inside your editor for real-time security diagnostics, quickfixes, and workspace scans — zero-config in VS Code, and over LSP everywhere else.
xgrep runs inside your editor, surfacing the same findings as xgrep scan as you
type — with quickfixes and project-wide scans. There are two ways to set it up:
- VS Code — install the Mondoo extension and you're done. It starts and manages xgrep for you, with no Language Server to configure. This is the recommended path for VS Code users.
- Other editors — Neovim, Vim, Helix, Emacs, Sublime Text, JetBrains, and any other LSP-capable editor connect to xgrep's built-in Language Server (xgrep lsp).
Both paths run the same server under the hood, so the capabilities below apply everywhere.
What you get
- Diagnostics on file open and save, and while typing (a full re-scan of the buffer, debounced at 400 ms and asynchronous — the editor never blocks on a scan). Severity maps CRITICAL/ERROR → Error, WARNING → Warning, INFO → Information; the diagnostic code is the rule ID.
- Quickfix code actions. Findings from rules with fix: / fix-regex: offer an "Apply xgrep fix" action that performs the same replacement as xgrep fix apply.
- Workspace scan. The xgrep.scanWorkspace command scans the whole project in the background and publishes diagnostics for every file with findings — results stream into the problems panel per file as each one finishes, with progress reported over $/progress and a completion notification at the end.
- Fast scan (changed files only). The xgrep.scanChanged command scans only files changed in the git working tree (vs HEAD, plus untracked files) — seconds instead of minutes on large repos. Run xgrep.scanWorkspace once, then xgrep.scanChanged as you work; unchanged files keep their diagnostics.
- CLI parity. The server hides inline-suppressed findings (# nosemgrep), collapses same-rule overlapping matches, and — when running the built-in rules — applies the same production scope as xgrep scan (security findings in test/fixture/example paths are dropped). What you see in the editor is what CI will report.
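As an added example (not xgrep's own code), the script below does what any non-VS Code editor does: it spawns xgrep lsp, opens one file over LSP and flattens the diagnostics the server publishes into rows using the severity mapping and rule-ID code described above. It assumes the server speaks JSON-RPC over stdio with standard Content-Length framing and needs no initialization options; neither is stated on this page.

```python
# Minimal stdio LSP client for `xgrep lsp` (added example, not xgrep's own code).
# Assumed, not stated on the page: JSON-RPC over stdio with Content-Length framing.
import io, json, subprocess
from pathlib import Path
# LSP DiagnosticSeverity; the page: CRITICAL/ERROR->Error, WARNING->Warning, INFO->Information
SEVERITY_NAMES = {1: "Error", 2: "Warning", 3: "Information", 4: "Hint"}

def encode_message(payload: dict) -> bytes:
    """Frame one JSON-RPC message with the LSP Content-Length header."""
    body = json.dumps(payload).encode("utf-8")
    return b"Content-Length: %d\r\n\r\n" % len(body) + body

def read_message(stream):
    """Read one framed message from a binary stream (or raw bytes); None on EOF."""
    stream = io.BytesIO(stream) if isinstance(stream, bytes) else stream
    length = None
    while (line := stream.readline()) not in (b"", b"\r\n", b"\n"):
        name, _, value = line.decode("ascii").partition(":")
        if name.strip().lower() == "content-length":
            length = int(value)
    return json.loads(stream.read(length)) if length else None

def summarize_diagnostics(params: dict) -> list:
    """Flatten a publishDiagnostics payload into rows keyed by rule ID."""
    return [{"uri": params["uri"],
             "line": d["range"]["start"]["line"] + 1,  # LSP lines are 0-based
             "severity": SEVERITY_NAMES.get(d.get("severity"), "Unknown"),
             "rule": d.get("code"),  # the diagnostic code is the rule ID
             "message": d["message"]} for d in params.get("diagnostics", [])]

def collect_findings(path: str, cmd=("xgrep", "lsp")) -> list:
    """Spawn the server, didOpen one file, return the diagnostics it publishes."""
    file = Path(path).resolve()
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    def send(method, params, **ident):  # ident = {"id": n} for requests
        proc.stdin.write(encode_message({"jsonrpc": "2.0", "method": method, "params": params, **ident}))
        proc.stdin.flush()
    send("initialize", {"processId": None, "capabilities": {}, "rootUri": file.parent.as_uri()}, id=1)
    while (msg := read_message(proc.stdout)) and msg.get("id") != 1:
        pass  # skip notifications sent before the initialize result
    send("initialized", {})
    send("textDocument/didOpen", {"textDocument": {"uri": file.as_uri(), "version": 1,
         "languageId": file.suffix.lstrip("."), "text": file.read_text()}})
    findings = []
    while (msg := read_message(proc.stdout)) is not None:  # server-to-client requests are ignored
        if msg.get("method") == "textDocument/publishDiagnostics" and msg["params"]["uri"] == file.as_uri():
            findings = summarize_diagnostics(msg["params"])
            break
    send("shutdown", {}, id=2)
    send("exit", {})
    proc.wait(timeout=10)
    return findings
```

Call collect_findings("path/to/file.py") in a checkout where xgrep is installed; an empty list means the server published no findings for that file.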
Limitations
Editor scans are per-file, so cross-file taint findings (which need the interfile pass
of a full xgrep scan) do not appear in the editor, and cross-rule duplicate collapsing
is CLI-only. Command scans skip files larger than 10 MB.
Coding agents
For AI coding agents, prefer the MCP server
(xgrep mcp): it exposes scanning plus the code-graph and inspection tools as
agent-callable tools, which is far richer than passive diagnostics. The Language Server
is the right fit for agents that read editor diagnostics from a session that already
aggregates LSP results.