The Safeguard VS Code extension moves supply chain checks from the CI wall-of-red to the spot where you actually write code. You get inline warnings on risky dependencies, AI-generated fix suggestions, and SBOM previews before you ever push a commit. This walkthrough gets you from zero to a working setup in about fifteen minutes.
What Do I Need Before Installing?
You need VS Code 1.85 or later, a Safeguard account (the free tier works fine), and a project checked out locally with a package manifest Safeguard understands: package.json, requirements.txt, pyproject.toml, go.mod, pom.xml, Cargo.toml, or build.gradle. Node.js 18+ is only needed if you want the local scan cache — the extension works without it by talking to the Safeguard API directly.
Step 1: Install the Extension
Open VS Code, press Ctrl+Shift+X (or Cmd+Shift+X on macOS), and search for "Safeguard". Install the publisher "Safeguard Technologies" — there are a couple of lookalikes with similar names, so verify the publisher before clicking install.
Alternatively, install from the command line:
code --install-extension safeguard.safeguard-vscode
After install, reload the window. You'll see a small shield icon in the activity bar on the left. That's your new home for supply chain findings.
Step 2: Authenticate
Click the Safeguard shield icon, then click Sign in. A browser window opens to https://app.safeguard.sh/auth/device. Confirm the one-time code shown in VS Code, and you're linked. Credentials are stored in the OS keychain (Keychain on macOS, Credential Manager on Windows, libsecret on Linux) — not in plaintext on disk.
If your org uses SSO, click Sign in with SSO instead and enter your organization slug. The SSO flow respects SCIM group mappings, so your role and project visibility come from your IdP.
Step 3: Configure Scan Behavior
Open your workspace .vscode/settings.json and add the Safeguard block. These are the settings most teams adjust:
{
"safeguard.scan.onSave": true,
"safeguard.scan.onOpen": true,
"safeguard.severity.threshold": "medium",
"safeguard.ecosystems": ["npm", "pypi", "go"],
"safeguard.sbom.format": "cyclonedx-json",
"safeguard.ai.fixSuggestions": true,
"safeguard.telemetry": "errors-only"
}
scan.onSave is debounced, so saving five files in a row only triggers one scan. severity.threshold filters the squiggles — setting it to medium keeps low-noise advisories out of your editor but still flags medium, high, and critical. Turn ai.fixSuggestions off if your compliance team prohibits sending manifest data to remote models.
For a mono-repo, you can constrain what gets scanned via the safeguard.scan.paths array. That keeps the extension from crawling vendored third-party directories you don't control.
Step 4: Run Your First Scan
Open any file with a dependency import. For example, in a Node project, open package.json. Within a second or two, vulnerable or suspicious dependencies will be underlined with a colored squiggle. Hover over one to see:
- CVE ID and CVSS score
- Affected versions and the first fixed version
- A short explanation of the vulnerability class
- A suggested upgrade command
If the file you opened doesn't have issues, run Safeguard: Scan Workspace from the command palette (Ctrl+Shift+P). This performs a full manifest-aware scan and populates the Safeguard panel with a tree of findings grouped by severity.
Step 5: Generate and Inspect an SBOM
From the command palette, run Safeguard: Generate SBOM. The extension builds a CycloneDX SBOM by resolving your lockfile (it won't guess from the manifest — lockfiles are required for accuracy). The SBOM is written to .safeguard/sbom.cdx.json and opened in a read-only preview pane.
You can diff SBOMs between branches with Safeguard: Compare SBOM. This is especially useful during code review — you see exactly what dependency graph changes a PR introduces, including transitive adds that the PR author probably didn't know about.
Step 6: Apply an AI Fix Suggestion
Click the lightbulb next to an underlined dependency. If a fix is available, you'll see options like:
- Upgrade to 4.18.2 — the minimum non-vulnerable version in the same major
- Replace with
lodash-es— a suggested drop-in alternative for abandoned packages - Pin with integrity hash — adds a subresource integrity hash to your lockfile
The extension runs the upgrade through your package manager (npm install lodash@4.18.2, poetry add, etc.) and re-scans automatically. If the fix would break a peer dependency constraint, you'll see that in the preview before applying.
How Do I Scan a File That's Not a Manifest?
Run Safeguard: Scan Active File on any source file, and the extension extracts import statements and cross-references them against your project's resolved dependency graph. This catches cases like a developer importing request in code when the manifest already replaced it with node-fetch — Safeguard flags the orphan import, which usually means someone pasted code from an old Stack Overflow answer.
For notebook files (.ipynb), the extension scans each cell's imports. For Dockerfiles, it parses FROM, RUN pip install, RUN npm install, and similar lines. You can see the list of supported parsers via Safeguard: Show Ecosystem Support.
What If My Project Has No Internet Access?
Safeguard supports an offline mode using a local advisory cache. Point the extension at your air-gapped mirror:
{
"safeguard.endpoint": "https://safeguard.internal.corp",
"safeguard.offline.cachePath": "/var/safeguard/cache",
"safeguard.offline.maxAgeHours": 72
}
The advisory cache is a signed, content-addressable bundle your security team can sync on whatever cadence they want. The extension will warn you in the status bar when the cache is older than maxAgeHours, so you don't accidentally trust stale data.
How Do I Turn Off Noisy Findings?
There are three ways, in order of preference. First, raise severity.threshold — most teams don't need to see low-severity findings during active development. Second, add an ignore rule to .safeguard/ignore.yaml in the repo:
rules:
- id: CVE-2024-21538
reason: "Not reachable from our code path — see SEC-1482"
expires: "2026-06-01"
reviewer: "shadab@example.com"
Third, for a single line, add a trailing comment: "lodash": "4.17.20" // safeguard-ignore: CVE-2024-21538 until=2026-04-01. Expiry dates are required so ignores don't pile up forever. When an ignore expires, the finding re-appears and the extension surfaces it as a new issue.
How Do I Share Findings With My Team?
Right-click any finding in the Safeguard panel and choose Copy Share Link. This generates a URL scoped to your org that opens the finding in the Safeguard web portal. Anyone with access to the project can see the same context — reproduction manifest, affected paths, remediation plan — which is dramatically more useful than pasting CVE IDs into Slack.
For async review, Safeguard: Export Report produces a Markdown file you can attach to a ticket. The report includes suggested fixes, so a reviewer can approve a remediation PR without re-running the scan themselves.
How Safeguard.sh Helps
The VS Code extension is the shortest path between a developer spotting risk and fixing it. By rendering findings inline, sharing the same advisory data your CI uses, and offering machine-applied upgrades, Safeguard collapses the feedback loop that usually takes a full CI cycle. You catch the critical RCE before you open a PR, not after it's been reviewed and merged. Combined with the Safeguard CLI and GitHub Actions gate, the IDE extension is the developer-facing layer of a consistent supply chain posture — same policies, same ignore rules, same SBOM format everywhere.