The Socket VS Code Extension is available in the VS Code extension marketplace and OpenVSX registry.

Settings

The extension comes with various settings that can be configured by looking in your editor preferences under the "Extensions" tab "Socket Security" section.

These settings can adjust which issues are shown and can disable reports if desiring to work in a zero network configuration.

Team Management

It may be desirable to suggest installing the VS Code extension for any team member. This can be done by adding a Workspace Recommended Extension in the .vscode/extensions.json file of the workspace root directory:

{
  "recommendations": [
    "SocketSecurity.vscode-socket-security"
  ]
}

Limitations

Requires an internet connection for reports on package manifest files. This is to access the Socket API for analysis. Some analysis such as bin confusion cannot be done using a reference to a single dependency.

The extension only works on local files and does not integrate any organization level setting like the GitHub App does. This will likely change in the future.

The extension only works on the current files on disk and not historical data. If you need historical diffing or other tracking features use the Github App.

Auth and Permissions

The extension will use an API token for creating tokens if setup to do so; however, it will function without providing an API token. The extension will try to use the same configuration as the CLI on disk. The API tokens used by the extension require the following scopes:

• report:read
• report:write