The best time to catch a supply chain risk is before the code leaves the developer's machine. The second best time is during code review. The worst time is in production.
The Safeguard IDE extension for Visual Studio Code brings supply chain intelligence directly into the editor, so developers see risks at the point where they can act on them most cheaply.
What the Extension Does
The extension integrates with your Safeguard account and provides four capabilities inside VS Code.
Dependency Inline Annotations
When you open a package manifest file (package.json, pom.xml, requirements.txt, go.mod, Cargo.toml, and others), the extension annotates each dependency with its current status. Inline decorations show:
- Vulnerability count and severity -- A red indicator for critical/high, yellow for medium, green for clean
- Health score -- The Open Source Manager health rating, so you can see at a glance which dependencies are well-maintained
- Available updates -- Whether a newer version exists that addresses known vulnerabilities
These annotations update in real time. As you add a new dependency or change a version number, the extension queries Safeguard and updates the annotation within seconds.
The annotations are intentionally unobtrusive -- colored dots and hover information, not modal dialogs. They inform without interrupting. When you want details, hover over the annotation to see the full vulnerability list, health breakdown, and recommended version.
Vulnerability Detail Panel
Clicking on a vulnerable dependency opens a detail panel that shows every known vulnerability affecting that component version. Each entry includes the CVE identifier, severity score, description, affected version range, and whether a fix is available.
The panel also shows the dependency context: which of your project's dependencies pulls in the vulnerable component. This is critical for transitive dependencies, where the vulnerable component is not one you directly chose. If lodash 4.17.15 has a vulnerability and it is pulled in by three of your direct dependencies, the panel shows you which ones, so you know where to focus your update effort.
Policy Check on Save
The extension can run policy checks when you save a manifest file. If your organization has policies that restrict certain licenses, block specific component versions, or enforce freshness requirements, the extension evaluates those policies against your updated dependency list and surfaces violations as editor diagnostics.
Violations appear in the Problems panel alongside your linting errors and TypeScript issues. This normalizes supply chain policy as just another quality check, integrated into the same workflow developers already use.
Quick Fix Actions
For common issues, the extension offers quick fix actions. If a dependency has a known vulnerability and a patched version exists, the quick fix updates the version number in your manifest. If a dependency violates your license policy and an alternative is available, the quick fix suggests the alternative.
Quick fixes do not apply automatically. They are suggestions that the developer accepts or rejects. The goal is to reduce the friction of remediation, not to take control away from the developer.
Supported Ecosystems
The extension supports the major package ecosystems:
- JavaScript/TypeScript -- package.json, yarn.lock, pnpm-lock.yaml
- Python -- requirements.txt, Pipfile, pyproject.toml, poetry.lock
- Java -- pom.xml, build.gradle, build.gradle.kts
- Go -- go.mod, go.sum
- Rust -- Cargo.toml, Cargo.lock
- Ruby -- Gemfile, Gemfile.lock
- .NET -- *.csproj, packages.config, Directory.Packages.props
- PHP -- composer.json
Each ecosystem has specific parsing logic that understands the manifest format and version specification conventions. The extension resolves version ranges to the actual version that would be installed, so the vulnerability data reflects what you would actually get, not just what the range allows.
Performance Considerations
IDE extensions that slow down the editor do not get adopted. We spent significant engineering effort on performance.
Dependency analysis is cached and updated incrementally. When you open a manifest file, the extension checks its local cache first. If the file has not changed and the cache is recent, annotations appear instantly. If the file has changed, only the changed dependencies are re-evaluated.
Network requests to the Safeguard API use batching. Instead of one API call per dependency, the extension batches all dependencies in a manifest into a single request. For a package.json with 50 dependencies, that is one API call, not 50.
Background refresh keeps the cache current without blocking the editor. When new vulnerability data is available for components in your project, the cache is updated in the background and annotations refresh silently.
The result is sub-second annotation rendering for typical projects, with no perceptible editor lag.
Configuration
The extension settings cover authentication, display preferences, and behavior:
{
"safeguard.token": "",
"safeguard.showInlineAnnotations": true,
"safeguard.checkOnSave": true,
"safeguard.severityThreshold": "medium",
"safeguard.showHealthScores": true
}
severityThreshold controls which vulnerabilities trigger annotations. If you set it to "high", medium and low severity issues are suppressed from inline display (though still visible in the detail panel). This helps reduce noise for teams that want to focus on the most critical issues first.
Team Usage
The extension respects your organization's Safeguard policies. When multiple developers on a team install the extension and connect to the same Safeguard organization, they all see the same policies, the same health data, and the same vulnerability intelligence. This creates consistency: what one developer sees as a policy violation is the same thing the CI/CD pipeline will catch.
For teams that want to standardize on the extension, VS Code's recommended extensions feature lets you add it to the .vscode/extensions.json file in your repository:
{
"recommendations": [
"safeguard-sh.safeguard-vscode"
]
}
New team members are prompted to install the extension when they open the project.
The Shift-Left Argument
"Shift left" has become a buzzword, but the underlying principle is sound: catching issues earlier in the development process is cheaper than catching them later. A vulnerability caught in the IDE costs the developer 5 minutes to address. The same vulnerability caught in CI/CD costs 30 minutes (context switch, pipeline rerun, re-review). The same vulnerability caught in production costs days of incident response.
The IDE extension is the leftmost shift possible for supply chain security. It puts the information in front of the developer while they are actively working on the relevant code, with the relevant file open, with the context fresh in their mind.
It does not replace CI/CD checks -- those are your enforcement layer. But it dramatically reduces the number of issues that reach CI/CD, which means faster builds, less rework, and happier developers.
Installation
Search for "Safeguard" in the VS Code extensions marketplace, or install from the command line:
code --install-extension safeguard-sh.safeguard-vscode
Connect your Safeguard account through the extension settings, and you will start seeing annotations immediately on your next manifest file open.