VS Code Extension
The primus-security extension brings Primus Security into VS Code — real-time findings, inline squiggles, and one-click fixes without leaving your editor.
The extension is published on the VS Code Marketplace. Install it by searching Primus Security in the Extensions panel, or run:
code --install-extension PrimusSoftwareCorporation.primus-security
The extension does not generate HTML, PDF, CSV, or SARIF reports. Use the primus-scan CLI or PrimusSaaS.Security.Reporting package for full reports.
Prerequisites
1. VS Code 1.109.0 or later
code --version # must be 1.109 or higher
2. .NET SDK 9.0 or later — required by the primus-scan CLI
dotnet --version # must be 9.x or 10.x
3. primus-scan CLI on your PATH
Once published to NuGet:
dotnet tool install -g PrimusSaaS.Security.Cli
primus-scan --version # should print 2.4.9
If not yet on NuGet, build from source:
git clone https://github.com/primussoft/Primus-SaaS-Framework.git
cd Primus-SaaS-Framework
dotnet build tools/PrimusSecurityScanner/PrimusSecurityScanner.csproj -c Release
# Add tools/PrimusSecurityScanner/bin/Release/net10.0/ to your PATH
# or set primusSecurity.cliPath to the full path in VS Code settings
4. A .NET project that builds — the scanner needs Roslyn compilation context. Run dotnet build in your project before scanning; a project with unresolved dependencies produces 0 SAST findings.
5. Platform — Windows, macOS, and Linux are all supported. The CLI is a .NET global tool; ensure your .NET SDK matches your OS architecture (arm64 on Apple Silicon).
Install
Search Primus Security in the VS Code Extensions panel, or:
code --install-extension PrimusSoftwareCorporation.primus-security
To install manually from a .vsix file:
code --install-extension primus-security-2.4.9.vsix
Quick Start
- Open a
.NETproject folder in VS Code Cmd+Shift+P→ Primus Security: Scan Workspace- Findings appear in the Primus Security panel in the sidebar
- Click any finding to jump to the line
- Click the wrench icon to apply the one-click fix
Features
Real-time findings panel
Grouped by severity (Critical → Low) in the Explorer sidebar. Click any finding to navigate to the vulnerable line with exact file:line accuracy.
Inline diagnostics
Red/yellow squiggles on vulnerable lines. Hover for the message. Full list in the Problems panel (Cmd+Shift+M).
Inline severity decorations
🔴 Critical · 🟠 High · 🟡 Medium · 🔵 Low labels appear inline next to each vulnerable line.
One-click patch apply
Findings with a LocalRemediationEngine patch show a wrench icon. Click it to apply the before/after diff as a WorkspaceEdit — changes are undoable.
Rule explain webview
Cmd+Shift+P → Primus Security: Explain Rule (or right-click in editor) opens a panel showing:
- What the vulnerability is
- How to fix it (step-by-step from the rule catalog)
- Vulnerable code example
- Safe code example
- Patch confidence score
Scan on save
C# files are scanned 1 second after saving (debounced). Configurable.
Status bar
Shows live Critical/High counts: 🔴 3C 12H with colour-coded background.
Commands
| Command | Description |
|---|---|
Primus Security: Scan Workspace | Scan the open workspace folder |
Primus Security: Scan Current File | Scan only the active .cs file |
Primus Security: Apply Fix | Apply patch for a selected finding |
Primus Security: Explain Rule | Open rule explanation webview |
Primus Security: Clear Findings | Clear all findings from panel and squiggles |
Primus Security: Open Settings | Jump to extension settings |
Primus Security: Show Scan Summary | Open a panel showing all 3 ratings, gate violations, severity breakdown, patch coverage, and duplication stats |
Primus Security: Generate HTML Report | Generate the full 11-section HTML report via CLI and open in browser |
Primus Security: Generate SARIF | Generate SARIF output via CLI and reveal the file |
Settings
| Setting | Default | Description |
|---|---|---|
primusSecurity.cliPath | primus-scan | Full path to CLI binary if not on PATH |
primusSecurity.scanOnSave | true | Auto-scan C# files on save (1s debounce) |
primusSecurity.scanOnOpen | false | Auto-scan C# files when opened |
primusSecurity.scanTimeoutSeconds | 120 | Seconds before an in-progress scan is cancelled |
primusSecurity.qualityGate.maxCritical | 0 | Passed as --max-critical to CLI |
primusSecurity.qualityGate.maxHigh | 0 | Passed as --max-high to CLI |
primusSecurity.showInlineDecorations | true | Show severity labels in editor gutter |
primusSecurity.suppressionsFile | .primus-suppressions.json | Passed as --suppressions to CLI |
primusSecurity.scan.disableSast | false | Skip Roslyn SAST (--no-sast) |
primusSecurity.scan.disableSecrets | false | Skip secret detection (--no-secrets) |
primusSecurity.scan.disableDeps | false | Skip dependency CVE scanning (--no-deps) |
primusSecurity.scan.enableDuplication | false | Enable code duplication detection (--duplication) |
primusSecurity.baseline.file | "" | Baseline JSON file path (--baseline) |
primusSecurity.baseline.save | "" | Save current scan as baseline (--save-baseline) |
Troubleshooting
"primus-scan CLI not found"
Run dotnet tool install -g PrimusSaaS.Security.Cli and restart VS Code. If the tool installed to a non-standard path, set primusSecurity.cliPath to the full path.
Scan times out on large solutions
Increase primusSecurity.scanTimeoutSeconds in settings (default 120s).
No findings on save
Ensure primusSecurity.scanOnSave is true and the file is a .cs file inside a .csproj project.
Findings empty after scan
The scanner requires compilation context — it scans the parent directory of any .cs file, not just the file itself. Ensure the project builds (dotnet build) before scanning.