Guide to Socket for VS Code
The Socket VS Code Extension is available in the VS Code extension marketplace and OpenVSX registry.

Settings
The extension's settings can be configured in your editor preferences, under the "Socket Security" section of the "Extensions" tab.
These settings control which issues are shown, and they can disable reports if you want to work in a zero-network configuration.
Team Management
You may want to suggest the VS Code extension to every team member. To do so, add it as a Workspace Recommended Extension in the .vscode/extensions.json file of the workspace root directory:
{
  "recommendations": [
    "SocketSecurity.vscode-socket-security"
  ]
}
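For rolling the recommendation out across many repositories, the following added example (not part of the Socket documentation or the extension itself) merges the extension ID into an existing .vscode/extensions.json without dropping other entries. The function name ensure_recommendation is hypothetical, and the script assumes the file is strict JSON without comments.

```python
import json
from pathlib import Path

# Extension ID as given in the recommendations snippet above.
SOCKET_EXTENSION_ID = "SocketSecurity.vscode-socket-security"


def ensure_recommendation(workspace_root, extension_id=SOCKET_EXTENSION_ID):
    """Add extension_id to .vscode/extensions.json (hypothetical helper).

    Returns True if the file was created or changed, False if the
    recommendation was already present.
    """
    path = Path(workspace_root) / ".vscode" / "extensions.json"
    if path.exists():
        # Assumption: the file is strict JSON. If it contains comments,
        # json.loads raises ValueError and nothing is overwritten.
        data = json.loads(path.read_text(encoding="utf-8"))
        if not isinstance(data, dict):
            raise ValueError(f"{path}: expected a JSON object at the top level")
    else:
        data = {}

    recs = data.setdefault("recommendations", [])
    if not isinstance(recs, list):
        raise ValueError(f"{path}: 'recommendations' must be a list")

    # Compare case-insensitively so a differently cased entry is not duplicated.
    wanted = extension_id.lower()
    if any(isinstance(r, str) and r.lower() == wanted for r in recs):
        return False

    recs.append(extension_id)
    path.parent.mkdir(parents=True, exist_ok=True)
    # Other keys (for example "unwantedRecommendations") are written back as-is.
    path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8")
    return True


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("updated" if ensure_recommendation(root) else "already recommended")
```

Because the function returns False when nothing changed, it is safe to run repeatedly, for instance from a repository bootstrap script.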
Limitations
- Requires an internet connection for reports on package manifest files. This is to access the Socket API for analysis. Some analysis, such as bin confusion, cannot be done using a reference to a single dependency.
- The extension only works on local files and does not integrate any organization-level settings like the GitHub App does. This will likely change in the future.
- The extension only works on the current files on disk and not historical data. If you need historical diffing or other tracking features, use the GitHub App.
Auth and Permissions
The extension can be configured to use an API token for authentication. While the extension will still function without an API token, providing one enables additional functionality. By default, it will reuse the same configuration already set up in the CLI.
The API token requires the following scopes:
report:read
report:write