# Security Tools
Built-in security scanning for secrets, dependencies, code vulnerabilities, and infrastructure-as-code.
## Secret Scanning
QCoder includes a built-in secret scanner that detects leaked credentials in your codebase. The scanner checks for 16 common secret patterns:
| Pattern | Example |
|---|---|
| AWS Access Key | AKIA... |
| AWS Secret Key | 40-character base64 string |
| GitHub Token | ghp_..., gho_..., ghs_... |
| GitHub Fine-Grained Token | github_pat_... |
| Slack Token | xoxb-..., xoxp-... |
| Slack Webhook | https://hooks.slack.com/services/... |
| Stripe Secret Key | sk_live_..., sk_test_... |
| Stripe Publishable Key | pk_live_..., pk_test_... |
| JWT Token | eyJ... (base64-encoded JSON) |
| Generic API Key | api_key=..., apikey=... |
| Generic Secret | secret=..., password=... |
| Private Key | -----BEGIN RSA PRIVATE KEY----- |
| Google API Key | AIza... |
| Azure Connection String | DefaultEndpointsProtocol=... |
| Database URL | postgresql://..., mysql://... with password |
| SSH Private Key | -----BEGIN OPENSSH PRIVATE KEY----- |
The scanner runs on demand via the `scan_secrets` tool, or can be triggered from the Command Palette with `QCoder: Scan for Secrets`.
## Dependency Scanning
QCoder uses [Grype](https://github.com/anchore/grype) to scan your project's dependencies for known vulnerabilities.
How it works:
1. The AI calls the `scan_dependencies` tool (or you run it from the Command Palette).
2. QCoder parses your lock files (`package-lock.json`, `yarn.lock`, `Pipfile.lock`, `Cargo.lock`, etc.).
3. Dependencies are checked against vulnerability databases (NVD, GitHub Advisories, OSV).
4. Results are reported with severity levels (Critical, High, Medium, Low) and CVE identifiers.
Findings appear in the VS Code Problems panel and are formatted using SARIF (Static Analysis Results Interchange Format) for easy integration with CI/CD pipelines.
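As an added example (not QCoder's own code), the following Python scanner turns a handful of the patterns from the secret-scanning table above into regexes, runs them over a constructed sample file, and emits the findings as a minimal SARIF 2.1.0 log of the kind the Problems panel and CI/CD integrations consume. The regexes, the tool name and the sample values are illustrative assumptions, not QCoder's actual rules.

```python
import json
import re
# Illustrative regexes for a subset of the table's patterns (not QCoder's own rules).
SECRET_PATTERNS = {
    "AWS Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[pos]_[A-Za-z0-9]{36}\b"),
    "Stripe Secret Key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "Private Key": re.compile(r"-----BEGIN (?:RSA |OPENSSH )?PRIVATE KEY-----"),
    "Database URL": re.compile(r"\b(?:postgresql|mysql)://[^:/\s]+:[^@\s]+@"),
    "Generic Secret": re.compile(r"(?i)\b(?:secret|password)\s*=\s*['\"][^'\"]{8,}['\"]"),
}

def scan_text(path, text):
    """Scan one file's contents; return one finding per match with its location."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"rule": rule, "file": path, "line": lineno, "column": m.start() + 1})
    return findings

def to_sarif(findings, tool_name="secret-scan-example"):
    """Wrap findings in a minimal SARIF 2.1.0 log (tool driver, rules, results)."""
    results = [{
        "ruleId": f["rule"],
        "level": "error",
        "message": {"text": f"Possible {f['rule']} committed to source"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["file"]},
            "region": {"startLine": f["line"], "startColumn": f["column"]}}}],
    } for f in findings]
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": [{"id": r} for r in SECRET_PATTERNS]}},
            "results": results,
        }],
    }

# Constructed sample file: the AWS key is AWS's documented placeholder, the rest is made up.
SAMPLE = """\
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgresql://app:hunter2pass@db.example.internal/app"
PASSWORD = "correct-horse-battery"
api_base = "https://api.example.com/v1"
"""

if __name__ == "__main__":
    print(json.dumps(to_sarif(scan_text("config.py", SAMPLE)), indent=2))
```

The `region` fields give the Problems panel a line and column to jump to; real scanners also attach a `partialFingerprints` or similar key so suppressed findings stay suppressed across runs.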
## Code Security Scanning (SAST)
Static Application Security Testing identifies common vulnerability patterns in your source code:
- SQL injection
- Cross-site scripting (XSS)
- Path traversal
- Command injection
- Insecure deserialization
- Hardcoded credentials
- Weak cryptographic usage
The scanner uses pattern matching and data-flow analysis to detect potential issues. Results include the file location, a description of the vulnerability, and suggested remediation steps.
## Infrastructure-as-Code Scanning
The `scan_iac` tool checks your infrastructure configuration files for security misconfigurations:
- Terraform -- Checks for public S3 buckets, open security groups, missing encryption.
- Docker -- Checks for running as root, exposed ports, secrets in build args.
- Kubernetes -- Checks for privileged containers, missing resource limits, default service accounts.
- CloudFormation -- Checks for insecure resource configurations.
This helps catch misconfigurations before they reach production.
## Security Dashboard
All security findings from all scanners are aggregated and reported through:
- VS Code Problems Panel -- Findings appear as warnings or errors with file locations. Click to navigate directly to the issue.
- SARIF Output -- Machine-readable output compatible with GitHub Code Scanning, Azure DevOps, and other CI/CD tools.
- Chat Summary -- When the AI runs security tools, it provides a summary of findings with severity counts and recommended actions.
You can configure scan exclusions (e.g., test files, vendor directories) in your project's `.qcoderrules` file.