Files
wehub-resource-sync 0d3cb498a3
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Waiting to run
Test and Publish Multi-arch Docker Image / test (push) Waiting to run
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Blocked by required conditions
Validate Renovate Config / Validate Renovate Configuration (push) Waiting to run
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

4.8 KiB

title, sidebar_label, sidebar_position, description, keywords
title sidebar_label sidebar_position description keywords
VS Code Extension VS Code Extension 4 Detect LLM security vulnerabilities in VS Code with real-time scanning. Find prompt injection, jailbreak risks, and PII exposure as you code.
vscode extension
VS Code security scanner
LLM security
prompt injection detection
code scanning IDE
real-time security scanning
enterprise

VS Code Extension

The Promptfoo Security Scanner for VS Code detects LLM security vulnerabilities directly in your editor. It finds prompt injection risks, jailbreak vulnerabilities, PII exposure, and other security issues as you code—before they reach your CI pipeline or production.

VS Code extension showing inline security diagnostics

:::info Enterprise Feature The VS Code extension is available for Promptfoo Enterprise customers. Contact us to get access for your organization. :::

Features

  • Real-time scanning: Automatically scans files on save
  • Inline diagnostics: Security issues appear as squiggly underlines in your code
  • Problems panel: All findings listed in VS Code's Problems panel
  • CodeLens annotations: Inline severity indicators above vulnerable code
  • Quick fixes: Apply suggested fixes with one click
  • AI assistance: Get AI-generated prompts to help fix complex issues
  • Git diff scanning: Scan all changed files in your branch

Getting Started

  1. Contact us to get the extension package (.vsix file)
  2. Install in VS Code: Extensions → ⋯ → Install from VSIX
  3. Configure your API key: Cmd+Shift+P → Promptfoo: Configure API Key

Usage

Automatic scanning: Files are scanned when you save. Findings appear as inline diagnostics in your code and in the Problems panel.

Manual scanning: Use the Command Palette (Cmd+Shift+P):

  • Promptfoo: Scan Current File — Scan the active file
  • Promptfoo: Scan Selection — Scan selected code
  • Promptfoo: Scan Git Changes — Scan all changed files in your branch
  • Promptfoo: Clear All Scan Results — Clear all diagnostics
  • Promptfoo: Show Output — Show the extension's output channel

Keyboard Shortcuts

Shortcut Command
Ctrl+Shift+P F (Mac: Cmd+Shift+P F) Scan current file

Context Menu

Right-click in the editor to access:

  • Scan Current File — Scan the entire file
  • Scan Selection — Scan only the selected code (when text is selected)

Configuration

Configure the extension in VS Code Settings or in your settings.json:

Setting Description Default
promptfoo.apiHost Promptfoo API host URL https://api.promptfoo.app
promptfoo.minimumSeverity Minimum severity to display low
promptfoo.scanOnSave Auto-scan files on save true
promptfoo.scanOnSaveDebounceMs Debounce delay for auto-scan 1500
promptfoo.diffsOnly Only analyze code diffs true
promptfoo.showCodeLens Show inline CodeLens annotations true
promptfoo.enabledLanguages Languages to scan See below

Example settings.json

{
  "promptfoo.minimumSeverity": "medium",
  "promptfoo.scanOnSave": true,
  "promptfoo.scanOnSaveDebounceMs": 2000,
  "promptfoo.showCodeLens": true
}

Supported Languages

By default, the extension scans:

  • JavaScript / TypeScript (including JSX/TSX)
  • Python
  • Go
  • Java
  • Rust
  • Ruby
  • PHP
  • C#
  • C/C++

Customize with the promptfoo.enabledLanguages setting. An empty array enables scanning for all languages.

Severity Levels

Findings are classified by severity:

Level Icon Description
Critical 🔴 Immediate security risk
High 🟠 Significant vulnerability
Medium 🟡 Moderate concern
Low 🔵 Minor issue or best practice

Use the promptfoo.minimumSeverity setting to filter out lower-severity findings.

Privacy

Code is sent to Promptfoo's servers for analysis and is not stored after analysis completes. For organizations that need to run scans on their own infrastructure, the extension works with Promptfoo Enterprise On-Prem.

See Also