It is beyond madness and well into "intentionally negligent" to release a plugin system without a permissions model in, like, the last 20 years. Can't believe people aren't up in arms about how wide open vscode and similar things are, particularly now that docker is widespread.

Thanks for building a scanner! I wish it wasn't necessary :/

You should definitely show the vulnerabilities you found on the front page, instead of showcasing low scores given to popular extensions. Claiming that "rust-analyzer" is "High Risk" is a strong turn-off from me thinking your service is useful (why? because it contains shell commands in the form of "taskDefinitions", and because it uses a dependency to parse ANSI sequences that hasn't received a commit in the past 90 days).

This is really cool and I can see a ton of opportunities to leverage this in the enterprise. Using the scanner, does it scan what's on the marketplace as opposed to what's already installed?

I think someone had already mentioned that it would be useful to have this as an extension to scan existing installed extensions but would there be a way to scan just prior to extension installation?

Using this is kind of a pain in the butt (looking thru all installed extensions and pasting in the raw name one by one). Could this be packaged as an extension itself, that scans other extensions? Or provide a CLI command to export all of your installed extensions as a list, which you can then upload? Or better, a one liner that will export your extensions to stdin, POST them to your API, and it will return a URL that you can click and load in the browser to explore the breakdown of (potential) issues.

This is awesome. I would love to prove it, but your page (vscan.dev) is broken. One qq, why is this tool closed-source? I think that to achieve the community trust in tools like this one, it would be great if this could be open-source. Maybe you can monetize it as an open-core model.

I'm having a hard time seeing the value of this scoring. It seems to automatically give bad scores out of some heurestics involving executing shell commands?

Take for example:

streetsidesoftware.code-spell-checker, 14.5M installs,

Score 81 out of 100.

Major scoring factor is "Contributes functionality via 'terminal'."

It seems to me that this will give wildly inaccurate scores.

Nice work! This has actually been an open feature request since 2018 [0]. I've been wanting something like this for a while.

[0] https://github.com/microsoft/vscode/issues/52116

I'd love a version of this where I can paste my full list of extensions, instead of a box where I can only paste one. The latter is tedious, so I'm not that likely to do it.

A lot of directions you could take this. Free/Commercial. Thoughts?

Would be interesting to get more details on the sandbox.

i wish the detail links on each analysis tile were real links, instead of some apparently weird javascript. seems broken in firefox

it would also be nice if i could expand all the analysis detail at once, instead of just one section at a time.

That's concerning. What is Microsoft doing about it? Have you contacted them?

vscodevim got 71/100 high risk. That's a pretty common one.

I applaud the idea and love that you made this freely available without bolting on a SaaS subscription on top of it.

However, I always roll my eyes when I see high severity risk in dependency chains due to ReDoS vulnerabilities. Sure, it matters for a web server maybe, but code running in a CLI tool, browser app, VSCode extension, or even a serverless lambda runtime really won't be affected much. More often than not, I find the `npm audit` risk classifications to be nonsense.

Finally we have something like this. This is very good work