Secure Review

Secure Review is a VS Code extension and local CLI for static secure code review, dependency review, and Docker-based dynamic web security testing.

It is designed to help developers and security teams scan local repositories or Bitbucket-hosted repositories without needing to manually stitch together multiple tools.

What You Can Do With It

• Run static workspace scans inside VS Code
• Scan the currently open file
• Review findings in a dedicated activity bar view
• See inline diagnostics in the editor
• Open a report webview with summaries, evidence, and remediation guidance
• Export findings as DOCX from the extension
• Run the same engine from the terminal with the secure-review CLI
• Scan Bitbucket repositories directly by URL
• Enrich results with local tools such as semgrep, eslint, bandit, pip-audit, gosec, cppcheck, and others when available
• Run OWASP ZAP dynamic scans against developer-controlled local or test web applications

Key Capabilities

Static review

Secure Review combines built-in rule packs, repository heuristics, optional external tools, and stack-aware checks.

It covers areas such as:

• hard-coded secrets and credentials
• weak cryptography usage
• command execution risks
• injection-style patterns
• auth and authorization issues
• dependency and supply-chain risks
• configuration and infrastructure risks
• testing gaps
• reliability, maintainability, and performance smells

Dynamic review

Secure Review can launch OWASP ZAP through Docker and run:

• baseline scans for passive checks
• full scans for active testing
• API-focused scans using an API definition URL when available

Dynamic findings are grouped and normalized into the same reporting model used by static scans.

CLI agent

The secure-review CLI supports:

• local repository inspection
• bootstrap planning for scanner tools
• local path scans
• Bitbucket repository scans by HTTPS or SSH URL
• optional report export
• optional dynamic scan integration

Installation

Option 1: Install From Visual Studio Marketplace

1. Open VS Code.
2. Open the Extensions view.
3. Search for Secure Review.
4. Click Install.

Option 2: Install From VSIX

If you have a packaged .vsix file:

1. Open VS Code.
2. Open the Extensions view.
3. Choose Extensions: Install from VSIX...
4. Select the .vsix file.

If you are packaging the extension from source:

npm install
npm run verify
npm run package

This creates a .vsix package in the repository root.

Option 3: Install The CLI

From npm:

npm install -g secure-review-extension

Then run:

secure-review help

If you are using the source repository locally:

npm install
npm link
secure-review help

Quick Start In VS Code

1. Open a project folder in VS Code.
2. Open the Command Palette.
3. Run Secure Review: Scan Workspace.
4. Open the Secure Review activity bar view to inspect findings.
5. Run Secure Review: Open Review Report to see the in-editor report.
6. Run Secure Review: Export Findings Report to create a DOCX report.

Available extension commands:

• Secure Review: Check Workspace Requirements
• Secure Review: Scan Workspace
• Secure Review: Scan Current File
• Secure Review: Dynamic Scan Local App
• Secure Review: Open Review Report
• Secure Review: Export Findings Report
• Secure Review: Clear Findings
• Secure Review: Ignore Finding

Quick Start In The CLI

Inspect a local repository:

secure-review inspect /path/to/repo

Inspect a Bitbucket repository:

secure-review inspect https://bitbucket.org/workspace/repository

See which optional scanner tools are recommended:

secure-review bootstrap /path/to/repo

Run a scan:

secure-review scan /path/to/repo --severity medium

Export HTML output:

secure-review scan /path/to/repo --format html --out review.html

Export DOCX output:

secure-review scan /path/to/repo --format docx --out review.docx

Run a scan against a Bitbucket repository without cloning it manually:

secure-review scan [email protected]:workspace/repository.git --severity medium

CLI Commands

inspect

Displays detected languages, frameworks, and recommended scanner tools for:

• a local workspace path
• a Bitbucket repository URL
• a Bitbucket browser URL with /src/<branch>/
• a Bitbucket SSH clone URL

Examples:

secure-review inspect /path/to/repo
secure-review inspect https://bitbucket.org/acme/payments-service
secure-review inspect https://bitbucket.org/acme/payments-service/src/main/
secure-review inspect [email protected]:acme/payments-service.git

bootstrap

Prints the install plan for matching scanner tools. With --run, Secure Review executes the supported install commands when possible.

Examples:

secure-review bootstrap /path/to/repo
secure-review bootstrap /path/to/repo --run
secure-review bootstrap [email protected]:acme/payments-service.git

scan

Runs static review, optional dynamic review, and optional report export.

Examples:

secure-review scan /path/to/repo --severity low
secure-review scan /path/to/repo --severity high --format json --out findings.json
secure-review scan /path/to/repo --format html --out review.html
secure-review scan /path/to/repo --format docx --out review.docx
secure-review scan https://bitbucket.org/acme/payments-service/src/release-1.2/ --severity medium
secure-review scan [email protected]:acme/payments-service.git --branch main --severity medium

Bitbucket Repository Support

Secure Review can scan repositories that are not already present on the local machine.

Supported inputs:

• https://bitbucket.org/workspace/repo
• https://bitbucket.org/workspace/repo/src/main/
• [email protected]:workspace/repo.git

Behavior:

• the repository is cloned to a temporary directory
• the requested branch is resolved automatically when possible
• the scan runs against that temporary workspace
• the temporary clone is cleaned up after the scan

Tips:

• use SSH URLs for private repositories if SSH access is already configured
• use --branch <name> to override the branch when the URL does not specify one

Dynamic Scan Usage

Dynamic scanning is intended only for applications and endpoints you control.

Requirements:

• Docker installed and running
• a reachable local or test web application
• a configured target URL

Example local app:

PORT=3001 node sample-workspace/dev-server.js

CLI example:

secure-review scan /path/to/repo \
  --dynamic-url http://127.0.0.1:3001 \
  --dynamic-mode baseline

API scan mode example:

secure-review scan /path/to/repo \
  --dynamic-url http://127.0.0.1:3001 \
  --dynamic-mode api \
  --dynamic-api-url http://127.0.0.1:3001/openapi.json

Dynamic scan modes:

• baseline: passive checks and safer first pass
• full: active testing for controlled targets only
• api: API-oriented scan using a provided definition URL

Typical dynamic findings include:

• missing security headers
• cookie security issues
• information disclosure
• reflected or stored attack candidates surfaced by ZAP
• transport and response hardening issues

What Secure Review Checks

Secure Review blends several scan styles into one findings model.

Built-in static rules

• secrets and credentials
• dangerous sinks such as shell execution, HTML injection, and weak crypto
• auth and authorization patterns
• framework-aware checks
• code quality and maintainability warnings

Repository heuristics

• dependency hygiene and supply-chain risks
• runtime and environment configuration concerns
• Docker, Kubernetes, Terraform, and compose issues
• package-manager and deployment misconfiguration

External tool integrations

When the relevant tools are installed locally, Secure Review can enrich results using:

• semgrep
• eslint
• npm audit
• bandit
• pip-audit
• spotbugs
• gosec
• govulncheck
• cargo-audit
• clippy
• cppcheck
• brakeman
• phpstan
• .NET package vulnerability checks

Finding quality metadata

Findings include richer classification so the output is more honest and easier to review manually. Depending on the engine and evidence, findings may be classified as:

• likely vulnerabilities
• runtime vulnerabilities
• dependency risks
• contextual warnings
• recommendations

They may also include evidence strength, origin, and a manual-review recommendation flag.

Default Scan Exclusions

To reduce noise and improve performance, Secure Review skips common dependency and build folders by default, including:

• .git
• node_modules
• .venv
• venv
• env
• vendor
• dist
• build
• target
• coverage
• __pycache__

This helps the scanner stay focused on project code rather than vendored packages and generated artifacts.

Report Output

In VS Code

The extension can export findings as a DOCX report.

The export flow prompts for:

• project name
• report date
• scan type
• optional notes

The report includes:

• executive summary
• severity summary
• findings by category
• findings by review domain
• severity-grouped overview
• detailed findings with evidence and remediation guidance
• recommendations summary
• methodology, limitations, and scan configuration

In The CLI

The CLI supports:

• plain terminal output
• json
• html
• md
• docx

Examples:

secure-review scan /path/to/repo --format json --out findings.json
secure-review scan /path/to/repo --format html --out review.html
secure-review scan /path/to/repo --format md --out review.md
secure-review scan /path/to/repo --format docx --out review.docx

Preparing Optional Scanner Tools

If you want deeper language-specific coverage, you can inspect or bootstrap recommended local tools before running a scan.

From the repository source:

npm run bootstrap:tools

To execute supported install commands:

npm run bootstrap:tools:run

The bootstrap flow is best-effort:

• it detects the languages and frameworks present in the target workspace
• it recommends matching external tools
• it runs only supported install paths
• some tools may still require manual installation depending on the operating system and package manager

Security And Privacy Notes

• Static scans operate on the repository or workspace you explicitly choose.
• Dynamic scans use OWASP ZAP through Docker and should only target developer-controlled local or test applications.
• Secure Review is designed to work locally and does not require a remote analysis service.
• External tool integrations run only when the corresponding tools are available on the machine.

Troubleshooting

No findings appear

• Lower the minimum severity threshold.
• Confirm excluded globs are not hiding the relevant files.
• Check whether built-in rules or external tool integrations are disabled.

Dynamic scan fails

• Confirm Docker is installed and running.
• Confirm the target app is reachable from Docker.
• Start with baseline mode before trying full.

A Bitbucket scan fails on a private repository

• Prefer an SSH URL such as [email protected]:workspace/repo.git
• or configure HTTPS access with the appropriate Bitbucket credentials

The editor shows too many problem decorations

• Run Secure Review: Clear Findings
• or disable VS Code problem decorations if you only want to hide the visual markers

A CLI scan seems stuck

• use the progress output to see which tool is running
• increase or lower --tool-timeout-ms depending on the workspace size and installed tools
• verify that optional tools such as semgrep or bandit are installed and working independently

Developing From Source

If you want to test the extension from source:

1. Clone the repository.
2. Run npm install.
3. Press Fn + F5 in VS Code, or launch Run Secure Review Extension from Run and Debug.
4. In the Extension Development Host, open a target project and run Secure Review: Scan Workspace.

This repository includes a deliberately vulnerable sample in sample-workspace, which is useful for smoke testing.

For Maintainers

Common maintenance commands:

npm run verify
npm run package
npm run pack:cli:dry-run
npm run pack:cli
npm run publish:npm
npm run publish:marketplace

Before releasing:

• verify package metadata in package.json
• confirm the publisher ID is correct
• validate the packaged VSIX locally
• validate the npm tarball locally if you are shipping the CLI