DigitSec Visual Studio Code Extension
The VS Code extension lets developers bring DigitSec directly into their VS Code workflow. Several commands are integrated into the VS Code Command Palette, so developers can quickly connect to DigitSec and run scans on the entire project code base, on a single file, or on every "Save". Vulnerability reports are delivered inside the VS Code IDE, with clickable links to the flagged code snippets and access to remediation guidance. Developers who rely on VS Code can now use security scan data without ever leaving their IDE.
Installation Instructions
- Please launch Visual Studio Code and select the Extensions icon
- In the Extensions Marketplace Search Bar, please enter "digitsec"
- Click the Install button. After the extension has finished installing, please press "CTRL + SHIFT + P" to open the Command Palette and run the command “Reload Window”.
Details
This is the DigitSec Security Plugin scan extension. Install it and run scans on your current working directory to find issues within your code. The extension scans all Salesforce files in the directory, looking for vulnerabilities that may have been coded into your program.
Features
This Extension can be run against the current working directory to find vulnerabilities in your software.
Create Credentials
To start using this extension, please log in to the DigitSec platform, navigate to the Workspace you wish to use, and click the Integrations --> API tab.
Please copy the API Token that appears in the Input box by using the Copy Icon or by selecting all of the hidden text that appears in the box.
Now switch to VS Code. Use CTRL+Shift+P or the View-->Command Palette menu option to find "DigitSec: Login to App." This opens a window in your VS Code workspace with an input field where you paste the API Token you just copied. Once you have entered the Token, press the Submit button. In the lower right-hand corner of VS Code you will see notification messages indicating the login status.
Run Security Scan on root directory
To run this extension, please open the Command Palette and type in "DigitSec". Click the “Run Security Scan” command. Wait a few minutes. Once the scan has completed, VS Code will display pop-ups showing the findings.
After your scan has completed, you will get a breakdown of your findings that looks like this:
Note that these scan results are also saved to the Workspace in the Web App. For a more in-depth breakdown of your vulnerability scan, the results are added to the Problems tab within VS Code. Each finding can be clicked to take you to the line in your code where the vulnerability was found.
To find remediation steps for each vulnerability found in your code base, open the Output tab and use the drop-down menu to select "DigitSec".
Run Security Scan open file
To run this extension, please open the Command Palette and type in "DigitSec". Select the “Security Scan Open File” command. Wait a few minutes. Once the scan has completed, VS Code will display pop-ups showing the findings.
Run S4 Scan on file save
To have this extension scan your open file whenever you save it, please open the DigitSec extension settings and check the box that says “Turns on/off scan on save functionality”. You can reach the extension settings by opening your installed extensions, finding "digitsec" in the list, clicking the gear icon to open the context menu, and selecting "Extension Settings."
FAQ
Q. I'm using a remote repository for my code. Are there any special considerations I should keep in mind?
A. When the Login to S4 command adds an s4creds.json file to your project, you are storing an authenticated token in your codebase. As a best practice, add s4creds.json to your .gitignore file so that the file is not pushed to your remote repository.
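The check below is an added example, not part of the DigitSec extension: a small POSIX shell script that makes sure s4creds.json is listed in the project's .gitignore (idempotently, and coping with a .gitignore that lacks a trailing newline), and, when git is available, warns if the file is already tracked, since ignoring a file that has already been committed does not remove the token from history. The function names and the repository-directory argument are the example's own.

```shell
#!/bin/sh
# Added example (not DigitSec's code): keep the token file written by the
# "Login to S4" command out of the remote repository.

# ensure_gitignored REPO_DIR PATTERN
# Appends PATTERN to REPO_DIR/.gitignore unless an identical line already
# exists. Returns 0 when the pattern is present afterwards.
ensure_gitignored() {
  repo_dir="$1"
  pattern="$2"
  ignore_file="$repo_dir/.gitignore"

  # Create an empty .gitignore if the project has none yet.
  [ -f "$ignore_file" ] || : > "$ignore_file"

  # Whole-line, fixed-string match, so "s4creds.json" is not confused with
  # a negation such as "!s4creds.json" or a commented-out line.
  if grep -qxF -- "$pattern" "$ignore_file"; then
    echo "already ignored: $pattern"
  else
    # A .gitignore without a trailing newline would otherwise swallow the
    # new pattern into its last line.
    if [ -s "$ignore_file" ] && \
       [ "$(tail -c 1 "$ignore_file" | wc -l | tr -d ' ')" -eq 0 ]; then
      printf '\n' >> "$ignore_file"
    fi
    printf '%s\n' "$pattern" >> "$ignore_file"
    echo "added to .gitignore: $pattern"
  fi
  grep -qxF -- "$pattern" "$ignore_file"
}

# warn_if_tracked REPO_DIR PATH
# Returns 1 (with a warning on stderr) if PATH is already in the git index:
# adding it to .gitignore now does not unstage it or purge it from history,
# so the token must be treated as exposed and replaced. Silently returns 0
# when git or the .git directory is absent.
warn_if_tracked() {
  repo_dir="$1"
  rel_path="$2"
  if command -v git >/dev/null 2>&1 && [ -d "$repo_dir/.git" ]; then
    if git -C "$repo_dir" ls-files --error-unmatch -- "$rel_path" >/dev/null 2>&1; then
      echo "WARNING: $rel_path is already tracked by git;" \
           "run 'git rm --cached $rel_path' and replace the token" >&2
      return 1
    fi
  fi
  return 0
}

# Usage: sh ensure_ignored.sh /path/to/project   (or "." from the project root)
if [ -n "${1:-}" ]; then
  ensure_gitignored "$1" "s4creds.json"
  warn_if_tracked "$1" "s4creds.json"
fi
```

Run it once after the first login, or add it to a pre-commit hook; the `warn_if_tracked` step is the one that matters for an existing repository, because a token that has already been pushed is not protected by any later .gitignore entry.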
Q: When trying to run commands, we get an error message saying there is a problem with our certs. What should we do to correct this?
A: Sometimes the certificates stored on your computer expire. You will need to remove expired certificates for this extension to run properly. Please open the certificate store on your computer and follow the instructions for your operating system:
Mac:
- Open Keychain Access
- Click View > Show Expired Certificates
- Sort login keychain by expiry date
- Find the AddTrust certificate that has already expired and delete it
- Your extension should work as intended now
Windows:
- Open Manage User Certificates. You can do this by pressing Windows+R and entering certmgr.msc.
- In the left-hand menu, expand the "Trusted Root Certification Authorities" node.
- Find the AddTrust certificate that has already expired and delete it
- Your extension should work as intended now
Linux:
- Open terminal
- Run the command “sudo apt-get upgrade”
- Run the command “sudo apt-get update”
This document was last updated 2024-03-19