# CLI Tool Checks

CLI tool checks require external programs installed on your machine. If a tool is not found, the check returns skip — never an error. Install only the tools relevant to your stack.
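As an added illustration of the skip-versus-error rule above (this is example code, not the extension's own implementation), the following Python runner looks each tool up on PATH before invoking it and reports `skip` when it is missing, `pass`/`fail` otherwise. The tool names and arguments in the check table are assumptions; `PYTHON_INTERPRETER` is exposed only so the runner can be exercised against a program that is guaranteed to exist.

```python
import shutil
import subprocess
import sys
from typing import Dict, List

# Exposed so the runner can be demonstrated against a program that certainly exists.
PYTHON_INTERPRETER = sys.executable


def run_cli_check(tool: str, args: List[str], timeout: float = 300.0) -> Dict[str, object]:
    """Run one external tool as a quality check.

    Status is "skip" when the tool is not on PATH (never an error), otherwise
    "pass" for exit code 0 and "fail" for any other exit code or a timeout.
    """
    path = shutil.which(tool)
    if path is None:
        # Missing tool: the check is skipped rather than raising or failing.
        return {"tool": tool, "status": "skip", "reason": f"{tool} not found on PATH"}
    try:
        proc = subprocess.run(
            [path, *args], capture_output=True, text=True, timeout=timeout, check=False
        )
    except subprocess.TimeoutExpired:
        return {"tool": tool, "status": "fail", "reason": f"timed out after {timeout}s"}
    return {
        "tool": tool,
        "status": "pass" if proc.returncode == 0 else "fail",
        "exit_code": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
    }


def run_all_checks(checks: Dict[str, List[str]]) -> Dict[str, str]:
    """Run every configured check and return {tool: status}; skipped tools never abort the run."""
    return {tool: str(run_cli_check(tool, args)["status"]) for tool, args in checks.items()}


if __name__ == "__main__":
    # Constructed check table (tool name -> arguments); tools that are not installed report "skip".
    results = run_all_checks({
        "semgrep": ["--version"],
        "trivy": ["--version"],
        "bandit": ["--version"],
        "this-tool-does-not-exist": ["--version"],
    })
    for tool, status in results.items():
        print(f"{tool:28} {status}")
```

Because a missing tool yields a `skip` result instead of an exception, one developer who has only the JavaScript tooling installed gets the same run-to-completion behaviour as one with the full set.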
## Semgrep — SAST Security

Runs `semgrep scan --config auto` — detects security vulnerabilities, OWASP Top 10 issues, and code anti-patterns across 30+ languages.

Install:

```shell
pip install semgrep
```

Configure:

```json
"devManager.quality.semgrep.enabled": true,
"devManager.quality.semgrep.config": "auto"
```

`config` options: `"auto"` | `"p/security-audit"` | path to a custom rules file.
## Trivy — CVE Vulnerability Scanner

Scans dependencies, Dockerfiles, IaC configs, and secrets for known CVEs. Supports all major package ecosystems (npm, pip, cargo, go.mod, composer, gem, etc.).

Install:

```shell
# Windows
winget install AquaSecurity.Trivy

# macOS
brew install trivy

# Linux
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
```
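As an added example (not the extension's code), the following Python applies the `failOnSeverity` / `warnOnSeverity` thresholds configured below to a Trivy JSON report (as produced by `trivy fs --format json`). The report layout (`Results` → `Vulnerabilities` → `Severity`) is Trivy's; the sample report and its `CVE-0000-000x` IDs are constructed placeholders, and the exact way the extension maps findings to pass/warn/fail is an assumption of this example.

```python
import json
from typing import Dict

# Trivy's severity scale, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the layout of `trivy fs --format json`; the IDs are placeholders, not real CVEs.
SAMPLE_TRIVY_REPORT = json.dumps({
    "Results": [
        {
            "Target": "package-lock.json",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib", "Severity": "LOW"},
            ],
        },
        # Trivy emits null (or omits the key) for targets with no findings.
        {"Target": "Dockerfile", "Vulnerabilities": None},
    ]
})


def severity_rank(severity: str) -> int:
    """Position on the scale; anything unrecognised is treated as UNKNOWN."""
    sev = severity.upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def evaluate_trivy_report(report_json: str, fail_on: str = "HIGH", warn_on: str = "MEDIUM") -> Dict[str, object]:
    """Gate a Trivy JSON report: fail if any finding reaches fail_on, warn if any reaches warn_on."""
    report = json.loads(report_json)
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[SEVERITY_ORDER[severity_rank(vuln.get("Severity", "UNKNOWN"))]] += 1
    # Highest severity actually present; -1 when the report is clean.
    worst = max((severity_rank(sev) for sev, n in counts.items() if n), default=-1)
    if worst >= severity_rank(fail_on):
        status = "fail"
    elif worst >= severity_rank(warn_on):
        status = "warn"
    else:
        status = "pass"
    return {"status": status, "worst": SEVERITY_ORDER[worst] if worst >= 0 else None, "counts": counts}


if __name__ == "__main__":
    verdict = evaluate_trivy_report(SAMPLE_TRIVY_REPORT, fail_on="HIGH", warn_on="MEDIUM")
    print(verdict["status"], verdict["worst"], verdict["counts"])
```

With the defaults shown in the configuration (`HIGH` fails, `MEDIUM` warns) the sample report produces a warning; lowering `failOnSeverity` to `MEDIUM` turns the same report into a failing check.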
Configure:

```json
"devManager.quality.builtin.trivy.enabled": true,
"devManager.quality.builtin.trivy.failOnSeverity": "HIGH",
"devManager.quality.builtin.trivy.warnOnSeverity": "MEDIUM"
```

## ESLint Security — JS/TS Security Rules
Runs ESLint with eslint-plugin-security to detect JavaScript/TypeScript-specific security anti-patterns (prototype pollution, ReDoS, unsafe regex, eval usage, etc.).

Install:

```shell
npm i -D eslint eslint-plugin-security
```

Configure:

```json
"devManager.quality.builtin.eslintSecurity.enabled": true
```

No additional configuration needed — the extension auto-detects your ESLint installation.
## Bandit — Python Security

Static analysis tool for Python security issues (hardcoded passwords, SQL injection, unsafe deserialization, subprocess misuse, etc.).

Install:

```shell
pip install bandit
```

Configure:

```json
"devManager.quality.builtin.bandit.enabled": true,
"devManager.quality.builtin.bandit.path": "bandit"
```

Auto-skips if no Python files are found in the project.
## Bearer — Sensitive Data Flow Analysis

SAST scanner that tracks how sensitive data (PII, credentials, tokens) flows through your code. Detects data leaks, insecure storage, and compliance violations.

Install (macOS/Linux):

```shell
# macOS
brew install bearer/tap/bearer

# Linux
curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh
```

Configure:

```json
"devManager.quality.builtin.bearer.enabled": true,
"devManager.quality.builtin.bearer.path": "bearer"
```

Windows (WSL2):

```json
"devManager.quality.builtin.bearer.path": "wsl bearer"
```

## jscpd — Copy-Paste Detection
Detects copy-pasted code blocks across the project. Supports 50+ languages.

Install:

```shell
npm i -D jscpd
```

Configure:

```json
"devManager.quality.builtin.jscpd.enabled": true,
"devManager.quality.builtin.jscpd.threshold": 5,
"devManager.quality.builtin.jscpd.minLines": 5
```

`threshold` — duplication percentage that triggers a warning.
## Knip — Dead Code Detection

Detects unused exports, files, and dependencies in JavaScript/TypeScript projects.

Auto-installed via npx — no manual install needed.

```json
"devManager.quality.builtin.knip.enabled": true
```

## dependency-cruiser — Circular Dependencies
Detects circular import chains in JavaScript/TypeScript projects. Supports a custom `.dependency-cruiser.js` configuration.

Auto-installed via npx — no manual install needed.

```json
"devManager.quality.builtin.dependencyCruiser.enabled": true
```

## Package Audit — CVE Scan via Package Managers
Runs your language’s native vulnerability audit:
| Language | Command |
|---|---|
| Node.js | npm audit / pnpm audit / yarn audit |
| Python | pip-audit |
| Rust | cargo audit |
| Ruby | bundle audit |
| Go | govulncheck |
| PHP | composer audit |
Configure:

```json
"devManager.quality.builtin.pkgAudit.enabled": true
```

Automatically detects the right tool from your lockfile.
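As an added example of the lockfile-based detection described above (example code, not the extension's own detection logic), the following Python maps the lockfiles found in a project directory to the audit commands from the table. Which file names identify each ecosystem, the preference order among coexisting Node lockfiles, and the extra `-r requirements.txt` / `./...` arguments are this example's assumptions; `make_sample_project` only builds a constructed throwaway directory so the function can be exercised offline.

```python
import os
import tempfile
from typing import Dict, List

# Lockfile -> audit command, following the table above. The file-name mapping is this
# example's own assumption, not the extension's detection code.
LOCKFILE_TO_AUDIT: Dict[str, List[str]] = {
    "package-lock.json": ["npm", "audit"],
    "pnpm-lock.yaml": ["pnpm", "audit"],
    "yarn.lock": ["yarn", "audit"],
    "requirements.txt": ["pip-audit", "-r", "requirements.txt"],
    "poetry.lock": ["pip-audit"],
    "Pipfile.lock": ["pip-audit"],
    "Cargo.lock": ["cargo", "audit"],
    "Gemfile.lock": ["bundle", "audit"],
    "go.mod": ["govulncheck", "./..."],
    "composer.lock": ["composer", "audit"],
}

# If several Node lockfiles coexist, run only the most specific package manager's audit.
NODE_PRIORITY = ["pnpm-lock.yaml", "yarn.lock", "package-lock.json"]


def detect_audit_commands(project_dir: str) -> List[List[str]]:
    """Return the audit commands to run for the lockfiles present in project_dir (deduplicated)."""
    present = set(os.listdir(project_dir))
    node_lock = next((name for name in NODE_PRIORITY if name in present), None)
    commands: List[List[str]] = []
    for lockfile, cmd in LOCKFILE_TO_AUDIT.items():
        if lockfile not in present:
            continue
        if lockfile in NODE_PRIORITY and lockfile != node_lock:
            continue  # a lower-priority Node lockfile alongside a preferred one
        if cmd not in commands:  # e.g. poetry.lock and Pipfile.lock both map to pip-audit
            commands.append(cmd)
    return commands


def make_sample_project(lockfiles: List[str]) -> str:
    """Create a throwaway directory holding empty files with the given names (constructed input)."""
    directory = tempfile.mkdtemp(prefix="pkgaudit-demo-")
    for name in lockfiles:
        open(os.path.join(directory, name), "w").close()
    return directory


if __name__ == "__main__":
    demo = make_sample_project(["package-lock.json", "Cargo.lock", "go.mod"])
    for cmd in detect_audit_commands(demo):
        print(" ".join(cmd))
```

Running the detected commands through a PATH lookup first (as in the check runner at the top of this page) keeps the behaviour consistent: a project with a `Cargo.lock` but no `cargo audit` installed is skipped, not failed.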
## Outdated Dependencies

Shows packages with newer versions available.

```json
"devManager.quality.builtin.outdatedDeps.enabled": true
```

## License Compliance — license-checker
Lists all dependency licenses and warns on restrictive ones (GPL, AGPL, LGPL, unknown).

Auto-installed via npx — no manual install needed.

```json
"devManager.quality.builtin.licenseCheck.enabled": true
```

## Hadolint — Dockerfile Linting
Lints Dockerfiles for best-practice violations and security issues.

Install:

```shell
# Windows
winget install hadolint

# macOS
brew install hadolint

# Linux
curl -sL https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 \
  -o /usr/local/bin/hadolint && chmod +x /usr/local/bin/hadolint
```

Configure:

```json
"devManager.quality.builtin.hadolint.enabled": true
```

Scans all `Dockerfile` and `Dockerfile.*` files found in the project tree.
## ShellCheck — Shell Script Linting

Static analysis for Bash/sh scripts — detects bugs, portability issues, and style problems.

Install:

```shell
# Windows
winget install koalaman.shellcheck

# macOS
brew install shellcheck

# Debian/Ubuntu
sudo apt install shellcheck
```

Configure:

```json
"devManager.quality.builtin.shellcheck.enabled": true
```

## golangci-lint — Go Linting
Aggregates 100+ Go linters in a single fast run. Only activates when a `go.mod` file is found.

Install:

```shell
# macOS
brew install golangci-lint

# Windows
winget install golangci-lint

# Any platform with a Go toolchain
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
```

Configure:

```json
"devManager.quality.builtin.golangciLint.enabled": true,
"devManager.quality.builtin.golangciLint.warnAt": 5,
"devManager.quality.builtin.golangciLint.failAt": 20
```

## Stryker — Mutation Testing
Runs mutation tests to measure how well your test suite catches bugs. Only for JavaScript/TypeScript projects.

Install:

```shell
npm i -D @stryker-mutator/core @stryker-mutator/jest-runner
```

Configure:

```json
"devManager.quality.builtin.stryker.enabled": false
```