Security Scanning

Catch leaked secrets, vulnerable dependencies, and risky configurations before they ship.

Secret Detection

QCoder scans your workspace for credentials that should never be committed: cloud provider keys, payment processor secrets, signing tokens, database URLs with embedded passwords, private keys, and dozens of other patterns common to modern codebases.

Run it on demand from the Command Palette, wire it into your pre-commit hook, or let the AI invoke it as part of an audit. Matches are reported with file location, line number, and the pattern category so you can rotate the credential and remove it from history.
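As an added illustration of the kind of check a pre-commit secret scan performs (example code written for this guide, not QCoder's own ruleset or API): each regex stands for one pattern category, every match is reported with file, line number and category, and the vendored-path exclusion mirrors the per-project exclusions described under Unified Findings. The sample workspace and its values are constructed; the access key is the placeholder AWS publishes in its documentation.

```python
import re
from pathlib import PurePosixPath

# Illustrative signatures for four of the pattern categories named above.
# These are assumptions for the example, not QCoder's detection rules.
SECRET_PATTERNS = {
    "cloud-provider-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "payment-secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "database-url-with-password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:[^\s@]+@"),
}

# Noisy paths kept out of the report (vendored and generated code).
EXCLUDED_DIRS = {"vendor", "node_modules", "dist"}

def is_excluded(path: str) -> bool:
    """True when any directory component of the path is on the exclusion list."""
    return any(part in EXCLUDED_DIRS for part in PurePosixPath(path).parts[:-1])

def scan_text(path: str, text: str) -> list[dict]:
    """Report {file, line, category} for every secret-like match in the text."""
    findings = []
    if is_excluded(path):
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "category": category})
    return findings

def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory map of path -> contents; a non-empty result fails the hook."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample workspace; all secret values are placeholders.
SAMPLE_FILES = {
    "app/config.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DATABASE_URL = 'postgres://app:hunter2@db.internal:5432/prod'\n"
        "PAYMENT_KEY = 'sk_live_0123456789abcdef01234567'\n"
    ),
    # Excluded by path, so the key material here is not reported.
    "vendor/lib/keys.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['category']}")
    raise SystemExit(1 if scan_files(SAMPLE_FILES) else 0)  # non-zero blocks the commit
```

Wired into a pre-commit hook, the non-zero exit status blocks the commit until the credential is rotated and removed.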

Dependency Vulnerability Scanning

Every project depends on hundreds of packages you didn't write. QCoder reads your lock files, compares the resolved versions against active vulnerability databases, and flags anything with a known issue.

You get severity (Critical, High, Medium, Low), CVE identifier where one exists, and the upgrade path that fixes it. Output is machine-readable so it plugs cleanly into your CI pipeline and security dashboards.

Source Code Analysis

Static analysis sweeps your source for the patterns attackers actually exploit:

  • SQL injection
  • Cross-site scripting
  • Path traversal
  • Command injection
  • Insecure deserialization
  • Hardcoded credentials
  • Weak cryptography

Findings include the precise location, an explanation of why it's risky, and a concrete remediation step. No "review this for security" hand-waving.

Infrastructure-as-Code Scanning

Misconfigured infrastructure is how most production incidents actually start. QCoder reviews your declarative configs for the issues that matter:

  • Cloud resources unintentionally exposed to the public internet
  • Storage without encryption at rest
  • Containers running as root or with excess privileges
  • Overly broad IAM permissions
  • Secrets baked into image layers
  • Missing audit logging

Catch the misconfig at PR time, not at 3 a.m. after the page fires.

Unified Findings

Every scanner reports into one place. View results inline in the editor with click-to-navigate, export to a machine-readable format your CI pipeline already understands, or let the AI summarize findings for you with severity counts and a prioritized fix list.

Exclusions, suppressions, and policy thresholds are configurable per project, so noisy paths (vendored code, generated files) stay out of the report.