Skip to main content
Version: Current

VS Code Extension

The primus-security extension brings Primus Security into VS Code — real-time findings, inline squiggles, and one-click fixes without leaving your editor.

Marketplace

The extension is published on the VS Code Marketplace. Install it by searching Primus Security in the Extensions panel, or run:

code --install-extension PrimusSoftwareCorporation.primus-security
No report generation

The extension does not generate HTML, PDF, CSV, or SARIF reports. Use the primus-scan CLI or PrimusSaaS.Security.Reporting package for full reports.


Prerequisites

1. VS Code 1.109.0 or later

code --version   # must be 1.109 or higher

2. .NET SDK 9.0 or later — required by the primus-scan CLI

dotnet --version   # must be 9.x or 10.x

3. primus-scan CLI on your PATH

Once published to NuGet:

dotnet tool install -g PrimusSaaS.Security.Cli
primus-scan --version # should print 2.4.9

If not yet on NuGet, build from source:

git clone https://github.com/primussoft/Primus-SaaS-Framework.git
cd Primus-SaaS-Framework
dotnet build tools/PrimusSecurityScanner/PrimusSecurityScanner.csproj -c Release
# Add tools/PrimusSecurityScanner/bin/Release/net10.0/ to your PATH
# or set primusSecurity.cliPath to the full path in VS Code settings

4. A .NET project that builds — the scanner needs Roslyn compilation context. Run dotnet build in your project before scanning; a project with unresolved dependencies produces 0 SAST findings.

5. Platform — Windows, macOS, and Linux are all supported. The CLI is a .NET global tool; ensure your .NET SDK matches your OS architecture (arm64 on Apple Silicon).


Install

Search Primus Security in the VS Code Extensions panel, or:

code --install-extension PrimusSoftwareCorporation.primus-security

To install manually from a .vsix file:

code --install-extension primus-security-2.4.9.vsix

Quick Start

  1. Open a .NET project folder in VS Code
  2. Cmd+Shift+PPrimus Security: Scan Workspace
  3. Findings appear in the Primus Security panel in the sidebar
  4. Click any finding to jump to the line
  5. Click the wrench icon to apply the one-click fix

Features

Real-time findings panel

Grouped by severity (Critical → Low) in the Explorer sidebar. Click any finding to navigate to the vulnerable line with exact file:line accuracy.

Inline diagnostics

Red/yellow squiggles on vulnerable lines. Hover for the message. Full list in the Problems panel (Cmd+Shift+M).

Inline severity decorations

🔴 Critical · 🟠 High · 🟡 Medium · 🔵 Low labels appear inline next to each vulnerable line.

One-click patch apply

Findings with a LocalRemediationEngine patch show a wrench icon. Click it to apply the before/after diff as a WorkspaceEdit — changes are undoable.

Rule explain webview

Cmd+Shift+PPrimus Security: Explain Rule (or right-click in editor) opens a panel showing:

  • What the vulnerability is
  • How to fix it (step-by-step from the rule catalog)
  • Vulnerable code example
  • Safe code example
  • Patch confidence score

Scan on save

C# files are scanned 1 second after saving (debounced). Configurable.

Status bar

Shows live Critical/High counts: 🔴 3C 12H with colour-coded background.


Commands

CommandDescription
Primus Security: Scan WorkspaceScan the open workspace folder
Primus Security: Scan Current FileScan only the active .cs file
Primus Security: Apply FixApply patch for a selected finding
Primus Security: Explain RuleOpen rule explanation webview
Primus Security: Clear FindingsClear all findings from panel and squiggles
Primus Security: Open SettingsJump to extension settings
Primus Security: Show Scan SummaryOpen a panel showing all 3 ratings, gate violations, severity breakdown, patch coverage, and duplication stats
Primus Security: Generate HTML ReportGenerate the full 11-section HTML report via CLI and open in browser
Primus Security: Generate SARIFGenerate SARIF output via CLI and reveal the file

Settings

SettingDefaultDescription
primusSecurity.cliPathprimus-scanFull path to CLI binary if not on PATH
primusSecurity.scanOnSavetrueAuto-scan C# files on save (1s debounce)
primusSecurity.scanOnOpenfalseAuto-scan C# files when opened
primusSecurity.scanTimeoutSeconds120Seconds before an in-progress scan is cancelled
primusSecurity.qualityGate.maxCritical0Passed as --max-critical to CLI
primusSecurity.qualityGate.maxHigh0Passed as --max-high to CLI
primusSecurity.showInlineDecorationstrueShow severity labels in editor gutter
primusSecurity.suppressionsFile.primus-suppressions.jsonPassed as --suppressions to CLI
primusSecurity.scan.disableSastfalseSkip Roslyn SAST (--no-sast)
primusSecurity.scan.disableSecretsfalseSkip secret detection (--no-secrets)
primusSecurity.scan.disableDepsfalseSkip dependency CVE scanning (--no-deps)
primusSecurity.scan.enableDuplicationfalseEnable code duplication detection (--duplication)
primusSecurity.baseline.file""Baseline JSON file path (--baseline)
primusSecurity.baseline.save""Save current scan as baseline (--save-baseline)

Troubleshooting

"primus-scan CLI not found" Run dotnet tool install -g PrimusSaaS.Security.Cli and restart VS Code. If the tool installed to a non-standard path, set primusSecurity.cliPath to the full path.

Scan times out on large solutions Increase primusSecurity.scanTimeoutSeconds in settings (default 120s).

No findings on save Ensure primusSecurity.scanOnSave is true and the file is a .cs file inside a .csproj project.

Findings empty after scan The scanner requires compilation context — it scans the parent directory of any .cs file, not just the file itself. Ensure the project builds (dotnet build) before scanning.