contract-guard helps you find security and reliability issues in code, configs, queries, Dockerfiles, and dependency files without leaving VS Code.
- Scan the current file
- Scan the full workspace
- Show findings in a dedicated explorer view
- Publish inline diagnostics in the editor
- Export SARIF for external security workflows
- Show an overall security score in the status bar
- Filter low-confidence fixture/doc/test findings by default
- Continue scans when one analyzer has a runtime problem
- JSON schema drift, including type mismatches, optional fields, and nullable values across samples.
- SQL query risks (for example: `SELECT *`, missing `WHERE` in `DELETE`, unsafe patterns).
- Regex complexity and ReDoS risks, including nested quantifiers and deep backtracking.
- Hardcoded secrets like API keys, tokens, private keys, DB URLs, and JWTs.
- PII exposure such as SSNs, credit cards, emails, phones, and DOBs.
- Insecure configuration (debug enabled, weak defaults, open CORS, TLS disabled).
- Dockerfile issues like root user, latest tags, hardcoded secrets, and SSH exposure.
- Dependency vulnerabilities in Python `requirements.txt`/`pyproject.toml` and npm lockfiles.
Commands:
- ContractGuard: Scan Workspace
- ContractGuard: Scan Current File
- ContractGuard: Export SARIF
- ContractGuard: Clear Findings
- ContractGuard: Install Python Runtime Dependencies
Requirements:
- Python 3.11 or newer
If the Python runtime dependencies are missing, run:
ContractGuard: Install Python Runtime Dependencies
Settings:
- `contractguard.pythonPath`
- `contractguard.scanOnSave`
- `contractguard.scanDebounceMs`
- `contractguard.scanOnSaveScope`
- `contractguard.enabledAnalyzers`
- `contractguard.disabledRules`
- `contractguard.minimumConfidence`
- `contractguard.includeFixtures`
- `contractguard.rulesDirectory`
- `contractguard.sqlExplainDatabase`
- The extension runs analysis locally.
- The default minimum confidence is `medium`; use `low` for audit mode when you want sample/test fixtures included.
- Set `contractguard.includeFixtures` to include findings from docs/tests/samples.
- SARIF export is available for CI and external security tooling.