Developers do not want to context-switch to a security dashboard. They never have, and no amount of gamification or "developer-friendly UIs" will change that. The only security feedback that consistently gets acted on is the feedback that appears where developers already work: in the editor, in the terminal, in the pull request.
That is the design principle behind the Safeguard IDE Extension, and v5 represents the most significant update since the extension's initial release. This article covers what changed, the technical decisions behind those changes, and how to get the most out of the new capabilities.
What Is New in v5
Real-Time Dependency Scanning
Previous versions of the extension ran dependency scans on-demand or on file save. v5 introduces continuous background scanning. When you add a dependency to package.json, requirements.txt, go.mod, pom.xml, or any other supported manifest, the extension evaluates it within seconds.
The scan runs locally using an embedded vulnerability database that syncs incrementally. This means you get results without sending your dependency tree to an external service on every keystroke. Full scans against the Safeguard backend happen on save and on commit, providing both speed and completeness.
If a newly added dependency has known vulnerabilities, you see an inline diagnostic immediately. The diagnostic includes the CVE identifier, CVSS score, EPSS score, and whether a fixed version exists. You do not need to leave your editor to understand the risk.
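As an added illustration of the version-range matching that such an inline diagnostic depends on, the following Python script is example code written for this article, not the extension's own source. It reads two constructed manifests, checks their pinned versions against a small constructed local vulnerability table (all CVE ids are placeholders, not real advisories), and emits one diagnostic per affected dependency carrying the fields the paragraph lists: CVE id, CVSS, EPSS and fixed version. The table layout is an assumption; range prefixes such as ^ and ~ are collapsed to their lower bound, which a real implementation would instead resolve from the lockfile.

```python
import json
import re

# Constructed sample manifests (not from the page) with pinned versions.
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"left-pad-ish": "1.1.0", "yaml-thing": "^2.0.1"},
    "devDependencies": {"test-runner": "4.2.0"},
})
REQUIREMENTS_TXT = """\
requests==2.25.0
# comment line
flask==2.3.2
"""

# Constructed local vulnerability records; CVE ids are placeholders, not real advisories.
# Each affected range is [introduced, fixed); fixed=None means no fixed release exists.
VULN_DB = [
    {"ecosystem": "npm", "package": "left-pad-ish", "cve": "CVE-EXAMPLE-0001",
     "cvss": 7.5, "epss": 0.42, "introduced": "1.0.0", "fixed": "1.1.3"},
    {"ecosystem": "npm", "package": "yaml-thing", "cve": "CVE-EXAMPLE-0002",
     "cvss": 9.8, "epss": 0.91, "introduced": "0.0.0", "fixed": None},
    {"ecosystem": "pypi", "package": "requests", "cve": "CVE-EXAMPLE-0003",
     "cvss": 6.1, "epss": 0.05, "introduced": "2.0.0", "fixed": "2.31.0"},
    {"ecosystem": "pypi", "package": "flask", "cve": "CVE-EXAMPLE-0004",
     "cvss": 5.3, "epss": 0.02, "introduced": "0.0.0", "fixed": "2.0.0"},  # fixed long ago
]


def parse_version(s):
    """Dotted version -> comparable tuple of ints, zero-padded so '2.0' == '2.0.0';
    non-numeric components (pre-release tags) sort below any number."""
    parts = [int(p) if p.isdigit() else -1 for p in re.split(r"[.\-+]", s.strip())]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def parse_manifest(path, text):
    """Return (ecosystem, name, version) triples from a manifest.
    Simplification: '^'/'~' prefixes are stripped and the lower bound is used."""
    deps = []
    if path.endswith("package.json"):
        data = json.loads(text)
        for section in ("dependencies", "devDependencies"):
            for name, spec in data.get(section, {}).items():
                deps.append(("npm", name, spec.lstrip("^~=v")))
    elif path.endswith("requirements.txt"):
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "==" in line:
                name, version = line.split("==", 1)
                deps.append(("pypi", name.strip().lower(), version.strip()))
    return deps


def scan(manifests, db=VULN_DB):
    """One diagnostic per affected (dependency, CVE) pair, mirroring an inline diagnostic."""
    diagnostics = []
    for path, text in manifests.items():
        for eco, name, version in parse_manifest(path, text):
            v = parse_version(version)
            for rec in db:
                if rec["ecosystem"] != eco or rec["package"] != name:
                    continue
                if v < parse_version(rec["introduced"]):
                    continue  # older than the first affected release
                if rec["fixed"] is not None and v >= parse_version(rec["fixed"]):
                    continue  # already on a fixed release
                fix = f"fixed in {rec['fixed']}" if rec["fixed"] else "no fixed version available"
                diagnostics.append({
                    "file": path, "package": name, "version": version,
                    "cve": rec["cve"], "cvss": rec["cvss"], "epss": rec["epss"],
                    "fixed_version": rec["fixed"],
                    "message": f"{name}@{version}: {rec['cve']} "
                               f"(CVSS {rec['cvss']}, EPSS {rec['epss']:.2f}); {fix}",
                })
    return diagnostics


if __name__ == "__main__":
    for d in scan({"package.json": PACKAGE_JSON, "requirements.txt": REQUIREMENTS_TXT}):
        print(f"{d['file']}: {d['message']}")
```

Running it reports three diagnostics: the two npm packages and requests; flask is skipped because its pinned version is at or above the fixed release, which is the check that keeps a local scan from flagging already-patched dependencies.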
Inline SBOM Generation
v5 can generate a CycloneDX or SPDX SBOM directly from the IDE. This is useful for developers who want to inspect their project's dependency graph without running CLI commands or CI pipelines.
The generated SBOM appears in a dedicated panel with a tree view of components, licenses, and vulnerabilities. You can export it as JSON or XML, share it with teammates, or upload it to the Safeguard platform for policy evaluation.
The SBOM generation uses the same engine as the Safeguard CLI, ensuring consistency between local development and CI/CD results.
Policy Gate Preview
One of the most common developer frustrations with security tooling is finding out in CI that a policy check failed, after they have already committed and pushed. v5 addresses this with policy gate previews.
The extension pulls your organization's active policy gates from the Safeguard platform and evaluates them locally against your current project state. If your organization requires no Critical vulnerabilities in production dependencies, the extension shows you which dependencies would fail that check before you commit.
Policy previews appear as a summary in the status bar and as detailed diagnostics in the Problems panel. Each failing policy includes the policy name, the triggering condition, and a suggested remediation (usually upgrading to a specific version).
License Compliance Checks
v5 adds license detection and compliance checking. The extension identifies the license for each dependency and flags any that conflict with your organization's approved license list.
This is particularly useful for organizations with strict open source policies. Instead of discovering a GPL-licensed transitive dependency during legal review weeks before a release, developers see the license conflict the moment the dependency is added.
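The transitive case is where this check earns its keep, so here is an added Python example (written for this article, not the extension's code) of a license compliance pass over a constructed dependency graph. It walks the graph from the application root, records the shortest path by which each package is pulled in, and flags every package whose detected license is outside the approved list, reporting whether the offender is direct or transitive and through which chain it arrived. Package names, licenses and the approved list are all constructed sample data; an undetected license is treated as a conflict rather than silently passed.

```python
from collections import deque

# Constructed dependency graph (not from the page): package -> packages it depends on.
GRAPH = {
    "app": ["web-framework", "cli-colors"],
    "web-framework": ["template-engine", "http-parser"],
    "template-engine": ["copyleft-util"],
    "http-parser": [],
    "cli-colors": [],
    "copyleft-util": [],
}
# Constructed license detection results, one SPDX identifier per dependency.
LICENSES = {
    "web-framework": "MIT",
    "template-engine": "BSD-3-Clause",
    "http-parser": "Apache-2.0",
    "cli-colors": "ISC",
    "copyleft-util": "GPL-3.0-only",
}
# Constructed organizational approved-license list.
APPROVED = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def dependency_paths(graph, root="app"):
    """Breadth-first walk from the root; records the first (shortest) path to each package."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def license_conflicts(graph, licenses, approved, root="app"):
    """Every reachable package whose license is not approved, with the chain that introduces it."""
    conflicts = []
    for pkg, path in dependency_paths(graph, root).items():
        if pkg == root:
            continue
        lic = licenses.get(pkg, "UNKNOWN")  # no detected license is itself a conflict
        if lic not in approved:
            conflicts.append({
                "package": pkg,
                "license": lic,
                "direct": len(path) == 2,          # root -> pkg with nothing in between
                "introduced_via": " -> ".join(path[1:]),
            })
    return conflicts


if __name__ == "__main__":
    for c in license_conflicts(GRAPH, LICENSES, APPROVED):
        kind = "direct" if c["direct"] else "transitive"
        print(f"{c['package']} ({c['license']}, {kind}) via {c['introduced_via']}")
```

The single conflict it finds is a GPL-licensed package three levels down, reached only through web-framework and template-engine, which is exactly the kind of dependency a developer never typed into a manifest and would not see without the graph walk.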
Technical Architecture
Extension Host and Language Server
The v5 extension uses a language server protocol (LSP) architecture. The extension host (the part that runs in VS Code or JetBrains) handles UI concerns: diagnostics, code lenses, tree views, and status bar items. The language server handles analysis: parsing manifests, resolving dependency trees, querying vulnerability databases, and evaluating policies.
This separation has practical benefits. The language server runs in its own process, so heavy analysis work does not block the editor UI. It also means the same language server can power both VS Code and JetBrains extensions with minimal platform-specific code.
Vulnerability Database Sync
The embedded vulnerability database uses an incremental sync strategy. On first launch, the extension downloads a compressed snapshot of the vulnerability database (approximately 50 MB). On subsequent launches, it downloads only the delta -- new CVEs, updated scores, and revoked entries since the last sync. A typical daily delta is under 1 MB.
The database is stored locally in the extension's global storage directory. It includes CVE identifiers, CVSS vectors, EPSS scores, affected version ranges, and fixed versions for all indexed packages across npm, PyPI, Maven Central, Go modules, Cargo, NuGet, and RubyGems.
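To make the delta described above concrete, here is an added Python sketch (example code for this article, not the extension's implementation; the record layout, the cursor field and the delta shape are assumptions, and every CVE id is a placeholder). It applies a delta of new entries, changed scores and revoked entries to a local snapshot, and refuses a delta that does not begin where the local cursor stands, so a missed sync forces a full resync rather than leaving a silently stale database.

```python
import copy

# Constructed local snapshot (not from the page): CVE id -> record, plus the sync cursor.
SNAPSHOT = {
    "cursor": "2024-01-01T00:00:00Z",
    "records": {
        "CVE-EXAMPLE-0001": {"package": "left-pad-ish", "ecosystem": "npm",
                             "cvss": 7.5, "epss": 0.30, "affected": [["1.0.0", "1.1.3"]]},
        "CVE-EXAMPLE-0009": {"package": "oldthing", "ecosystem": "pypi",
                             "cvss": 5.0, "epss": 0.01, "affected": [["0.0.0", None]]},
    },
}

# Constructed delta covering one day: what changed since the cursor.
DELTA = {
    "since": "2024-01-01T00:00:00Z",
    "until": "2024-01-02T00:00:00Z",
    "new": {
        "CVE-EXAMPLE-0002": {"package": "yaml-thing", "ecosystem": "npm",
                             "cvss": 9.8, "epss": 0.91, "affected": [["0.0.0", None]]},
    },
    "updated": {"CVE-EXAMPLE-0001": {"epss": 0.42}},  # only the changed fields are shipped
    "revoked": ["CVE-EXAMPLE-0009"],                  # advisory withdrawn upstream
}


class SyncGapError(Exception):
    """Raised when a delta does not start at the local cursor (a sync was missed)."""


def apply_delta(snapshot, delta):
    """Return a new snapshot with the delta applied; the input snapshot is left untouched."""
    if delta["since"] != snapshot["cursor"]:
        raise SyncGapError(
            f"delta starts at {delta['since']} but local cursor is {snapshot['cursor']}; "
            "full resync required")
    updated = copy.deepcopy(snapshot)
    records = updated["records"]
    for cve, rec in delta.get("new", {}).items():
        records[cve] = rec
    for cve, fields in delta.get("updated", {}).items():
        if cve in records:
            records[cve].update(fields)   # partial update of an existing record
    for cve in delta.get("revoked", []):
        records.pop(cve, None)            # a revoked id that is already absent is not an error
    updated["cursor"] = delta["until"]
    return updated


if __name__ == "__main__":
    after = apply_delta(SNAPSHOT, DELTA)
    print(f"{len(after['records'])} records, cursor now {after['cursor']}")
```

Applying the same delta twice fails on the cursor check, which is the property that matters: a client that skipped a day cannot accidentally apply a later delta over a hole in its history.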
Authentication and Workspace Binding
The extension authenticates against the Safeguard platform using OAuth 2.0 with PKCE. On first use, the extension opens a browser window for authentication. The resulting token is stored securely in the OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service).
Workspaces can be bound to Safeguard projects, which enables project-specific policy evaluation and vulnerability tracking. Binding is done through the command palette or automatically when the extension detects a .safeguard.yml configuration file in the project root.
Configuration
.safeguard.yml
The extension reads configuration from a .safeguard.yml file in the project root. Key settings include:
```yaml
project_id: "proj_abc123"
scan:
  exclude_dev_dependencies: true
  exclude_patterns:
    - "test/**"
    - "docs/**"
sbom:
  format: "cyclonedx"
  version: "1.5"
policy:
  fail_on: "critical"
  ignore:
    - "CVE-2024-12345" # False positive, not reachable
```
If no configuration file exists, the extension uses sensible defaults: scan all dependencies, generate SBOMs in CycloneDX 1.5 format, and apply organization-wide policies.
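The policy gate preview described earlier and the configuration file above fit together as follows. This added Python example (written for this article, not the extension's own code) takes the page's sample .safeguard.yml, expressed here as the dict a YAML loader would return so that no yaml library is needed, and evaluates a set of constructed scan findings against it: dev dependencies and excluded paths are dropped, ignored CVEs are skipped, CVSS scores are mapped to the CVSS v3 qualitative bands, and anything at or above fail_on becomes a failing gate with the policy name, triggering condition and suggested remediation. The finding fields and the policy naming are assumptions; the project id and CVE-2024-12345 are the page's own sample values, all other CVE ids are placeholders.

```python
import fnmatch

# The page's example .safeguard.yml as the dict a YAML loader returns.
CONFIG = {
    "project_id": "proj_abc123",
    "scan": {"exclude_dev_dependencies": True, "exclude_patterns": ["test/**", "docs/**"]},
    "sbom": {"format": "cyclonedx", "version": "1.5"},
    "policy": {"fail_on": "critical", "ignore": ["CVE-2024-12345"]},
}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed scan findings (not from the page); placeholder CVE ids except the page's own.
FINDINGS = [
    {"manifest": "package.json", "package": "yaml-thing", "version": "2.0.1",
     "cve": "CVE-EXAMPLE-0002", "cvss": 9.8, "fixed": None, "dev": False},
    {"manifest": "package.json", "package": "left-pad-ish", "version": "1.1.0",
     "cve": "CVE-EXAMPLE-0001", "cvss": 7.5, "fixed": "1.1.3", "dev": False},
    {"manifest": "package.json", "package": "test-runner", "version": "4.2.0",
     "cve": "CVE-EXAMPLE-0005", "cvss": 9.1, "fixed": "4.3.0", "dev": True},
    {"manifest": "test/fixtures/package.json", "package": "old-lib", "version": "0.9.0",
     "cve": "CVE-EXAMPLE-0006", "cvss": 9.4, "fixed": "1.0.0", "dev": False},
    {"manifest": "requirements.txt", "package": "requests", "version": "2.25.0",
     "cve": "CVE-2024-12345", "cvss": 9.3, "fixed": "2.31.0", "dev": False},
]


def severity_from_cvss(score):
    """CVSS v3 qualitative rating bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def evaluate_policy(findings, config):
    """Findings that would fail the fail_on gate, each with condition and remediation."""
    scan_cfg = config.get("scan", {})
    policy = config.get("policy", {})
    fail_on = policy.get("fail_on", "critical")
    threshold = SEVERITY_ORDER.index(fail_on)
    ignored = set(policy.get("ignore", []))
    patterns = scan_cfg.get("exclude_patterns", [])
    failures = []
    for f in findings:
        if scan_cfg.get("exclude_dev_dependencies") and f["dev"]:
            continue  # dev-only dependency, out of scope by configuration
        if any(fnmatch.fnmatch(f["manifest"], pat) for pat in patterns):
            continue  # manifest lives under an excluded path
        if f["cve"] in ignored:
            continue  # explicitly accepted in policy.ignore
        sev = severity_from_cvss(f["cvss"])
        if SEVERITY_ORDER.index(sev) < threshold:
            continue  # below the gate's severity
        scope = "dev" if f["dev"] else "production"
        if f["fixed"]:
            remediation = f"upgrade {f['package']} to {f['fixed']}"
        else:
            remediation = (f"no fixed release for {f['package']}; remove or replace it, "
                           f"or add {f['cve']} to policy.ignore with a documented justification")
        failures.append({
            "policy": f"fail_on={fail_on}",
            "package": f["package"], "version": f["version"], "cve": f["cve"],
            "severity": sev,
            "condition": f"{sev} vulnerability in {scope} dependency {f['package']}@{f['version']}",
            "remediation": remediation,
        })
    return failures


def status_bar_summary(failures):
    """Short text of the kind shown in the status bar."""
    if not failures:
        return "Safeguard: policy OK"
    return f"Safeguard: {len(failures)} policy failure(s)"


if __name__ == "__main__":
    results = evaluate_policy(FINDINGS, CONFIG)
    print(status_bar_summary(results))
    for r in results:
        print(f"[{r['policy']}] {r['condition']} -> {r['remediation']}")
```

With the page's configuration only yaml-thing fails: left-pad-ish is high rather than critical, test-runner is a dev dependency, old-lib sits under an excluded path, and CVE-2024-12345 is on the ignore list. Lowering fail_on to "high" and clearing the ignore list in the same function brings three failures, which is how the preview lets a developer see the effect of a policy change before CI does.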
VS Code Settings
Extension behavior can also be customized through VS Code settings:
- safeguard.scanOnSave: Enable or disable scanning on file save (default: true).
- safeguard.backgroundScan: Enable continuous background scanning (default: true).
- safeguard.severityThreshold: Minimum severity level for inline diagnostics (default: "medium").
- safeguard.showEpssScores: Display EPSS scores alongside CVSS in diagnostics (default: true).
Workflow Integration
Pre-Commit Checks
v5 integrates with Git hooks through the Safeguard CLI. When you run git commit, the pre-commit hook evaluates the current dependency state against your policies. If a policy gate fails, the commit is blocked with a clear message explaining which policy failed and how to resolve it.
This is not a replacement for CI/CD scanning. It is an early warning system that catches issues before code leaves the developer's machine.
Pull Request Annotations
When the Safeguard GitHub App is installed, the extension can show which vulnerabilities would appear as PR annotations before you push. This gives you a preview of the security review feedback you will receive, allowing you to address issues proactively.
Performance
Performance was a primary design goal for v5. Key benchmarks on a mid-range developer machine:
- Initial scan of a Node.js project with 1,200 dependencies: Under 3 seconds.
- Incremental scan after adding one dependency: Under 500 milliseconds.
- SBOM generation for the same project: Under 2 seconds.
- Policy evaluation: Under 200 milliseconds.
- Memory overhead: Approximately 80 MB for the language server process.
These numbers reflect the benefit of local analysis with a synced database. Network latency only affects the initial database download and incremental syncs.
Migration from v4
v5 is a major version upgrade, but migration is straightforward. The extension automatically migrates v4 configuration to the new format. Authentication tokens are preserved. The only breaking change is the removal of the legacy safeguard.apiEndpoint setting, which is now configured through the authentication flow.
Users on v4 will see an update notification in their IDE. The update process takes under a minute, including the initial database sync.
How Safeguard.sh Helps
The IDE Extension v5 is part of Safeguard's broader strategy to embed security into every stage of the development lifecycle. By providing vulnerability data, SBOM generation, and policy evaluation directly in the editor, Safeguard eliminates the delay between writing code and understanding its security implications.
Combined with the Safeguard CLI for CI/CD, the web dashboard for organizational visibility, and the MCP server for AI-assisted workflows, the IDE extension ensures that security feedback reaches developers through whatever interface they prefer. The result is faster remediation, fewer policy failures in CI, and a development culture where security is a continuous consideration rather than a gate at the end of the pipeline.