LSP server + VSCode extension
Vulkro ships a Language Server Protocol server (`vulkro-lsp`) and a thin VSCode extension that consumes it. The LSP surfaces Vulkro findings inside your editor as diagnostics, with hover-to-explain and quick-fix code actions for the handful of categories Vulkro can patch automatically.
Install
The `vulkro-lsp` binary is installed alongside `vulkro` by the install script. The VSCode extension is distributed separately - contact the Vulkro team for access.
What you get
- Diagnostics on save. Open any Python / JS / TS / Go / Ruby / Java / Kotlin / C# / PHP file inside a project with a `.git`, `Cargo.toml`, `package.json`, or `pyproject.toml` root marker. Save the file. Vulkro re-scans the project root and surfaces the findings as diagnostics in the editor.
- Hover to explain. Hovering a diagnostic surfaces the `confidence_reason`, `remediation`, and `code_snippet` in a Markdown popup.
- Quick-fix code actions for three categories:
  - `cors-wildcard` (replace `*` with an allow-list)
  - `debug-mode-on` (flip `DEBUG=True` / `app.debug = True` off)
  - `hardcoded-secret` (move the literal into a `process.env` / `os.environ` lookup)

  Other categories are listed without an automated fix.
Settings
| Setting | Default | Purpose |
|---|---|---|
| `vulkro.lspPath` | `vulkro-lsp` | Override the binary path (e.g. for a vendored install). |
How the LSP talks to the scanner
The LSP runs the scan in-process - no subprocess, no JSON-over-pipe.
That means the LSP gets the same detection results as the CLI, including:
- The full extractor set (Python / Node / TS / Go / Ruby / Java / Kotlin / C# / PHP).
- The auth model (AuthTier, AuthRequirement, TenantScoping).
- Reachability gating, taint analysis, cross-service correlation, the lot.
It also inherits the CLI's `--min-confidence high` default, so the findings stream the editor surfaces is the same one CI surfaces when it runs `vulkro scan` with the default confidence gate.
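The "What you get" list above and the confidence gate just described are easier to see as code. The following is an added, illustrative model of the mapping an LSP server performs from scanner findings to LSP diagnostics, hover Markdown and quick-fix code actions; it is not Vulkro's code. The root markers, the `confidence_reason` / `remediation` / `code_snippet` fields, the three fixable categories and the `--min-confidence high` default come from this page; the finding dict layout, the sample findings, the severity mapping and the allow-list origin are assumptions made for the example.

```python
"""Model of how a language server turns scanner findings into LSP
diagnostics, hover text and quick-fix code actions. Added example, not
Vulkro's code: finding layout, sample lines, severity mapping and the
allow-list origin are assumptions; root markers, the confidence_reason /
remediation / code_snippet fields, the three fixable categories and the
--min-confidence high default come from the page."""
import os
import re

ROOT_MARKERS = (".git", "Cargo.toml", "package.json", "pyproject.toml")
FIXABLE = {"cors-wildcard", "debug-mode-on", "hardcoded-secret"}
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}
ERROR, WARNING = 1, 2  # LSP DiagnosticSeverity values

def find_project_root(path, exists=os.path.exists):
    """Walk upward from `path` to the first directory holding a root marker.
    `exists` is injectable so the walk can be checked against a constructed
    filesystem; returns None when no marker is found."""
    current = os.path.dirname(path)
    while True:
        if any(exists(os.path.join(current, m)) for m in ROOT_MARKERS):
            return current
        parent = os.path.dirname(current)
        if parent == current:  # hit the filesystem root
            return None
        current = parent

def to_diagnostic(finding):
    """One finding -> one LSP Diagnostic (0-based line, end-exclusive range).
    The finding rides along in `data` so hover/codeAction need no re-scan."""
    line = finding["line"] - 1
    return {
        "range": {"start": {"line": line, "character": 0},
                  "end": {"line": line, "character": len(finding["code_snippet"])}},
        "severity": ERROR if finding["confidence"] == "high" else WARNING,
        "code": finding["category"],
        "source": "vulkro",
        "message": finding["title"],
        "data": finding,
    }

def publish(findings, min_confidence="high"):
    """Diagnostics for one save, gated the way the CLI default gates them."""
    threshold = CONFIDENCE_RANK[min_confidence]
    return [to_diagnostic(f) for f in findings
            if CONFIDENCE_RANK[f["confidence"]] >= threshold]

def hover_markdown(finding):
    """Markdown popup body for the diagnostic under the cursor."""
    fence = "`" * 3
    return "\n\n".join([
        f"**{finding['category']}** ({finding['confidence']} confidence)",
        f"Why: {finding['confidence_reason']}",
        f"Remediation: {finding['remediation']}",
        f"{fence}\n{finding['code_snippet']}\n{fence}",
    ])

def quick_fix(finding, allow_list=("https://app.example.com",)):
    """Replacement line for the three fixable categories, else None."""
    cat, snippet = finding["category"], finding["code_snippet"]
    if cat == "cors-wildcard":  # "*" / '*' literal -> explicit origin allow-list
        return re.sub(r"(['\"])\*\1", lambda _m: repr(list(allow_list)), snippet)
    if cat == "debug-mode-on":  # DEBUG = True / app.debug = True -> False
        return re.sub(r"\b(DEBUG|app\.debug)(\s*=\s*)True\b", r"\1\2False", snippet)
    if cat == "hardcoded-secret":  # literal -> env lookup, prefix/suffix kept
        m = re.search(r"(\w+)\s*=\s*(['\"])[^'\"]*\2", snippet)
        if not m:
            return None
        var = m.group(1)  # adding `import os` for Python files is left to the editor
        lookup = (f'os.environ["{var}"]' if finding["file"].endswith(".py")
                  else f"process.env.{var}")
        return snippet[:m.start(2)] + lookup + snippet[m.end():]
    return None

def code_action(diag, uri):
    """textDocument/codeAction reply for one diagnostic; None when there is no fix."""
    finding = diag["data"]
    new_text = quick_fix(finding) if finding["category"] in FIXABLE else None
    if new_text is None or new_text == finding["code_snippet"]:
        return None
    return {"title": f"Vulkro: fix {finding['category']}", "kind": "quickfix",
            "diagnostics": [diag],
            "edit": {"changes": {uri: [{"range": diag["range"], "newText": new_text}]}}}

FINDINGS = [  # constructed sample findings, not real Vulkro output
    {"file": "app/settings.py", "line": 12, "category": "debug-mode-on", "confidence": "high",
     "title": "Debug mode enabled", "confidence_reason": "DEBUG assigned True at module scope",
     "remediation": "Set DEBUG = False outside local development", "code_snippet": "DEBUG = True"},
    {"file": "app/api.py", "line": 4, "category": "cors-wildcard", "confidence": "high",
     "title": "CORS allows any origin", "confidence_reason": "origins argument is the literal '*'",
     "remediation": "Replace '*' with an allow-list", "code_snippet": 'CORS(app, origins="*")'},
    {"file": "app/keys.py", "line": 1, "category": "hardcoded-secret", "confidence": "medium",
     "title": "Possible API key literal", "confidence_reason": "sk_live_ prefix matches a known key format",
     "remediation": "Read the key from the environment", "code_snippet": 'STRIPE_KEY = "sk_live_example"'},
    {"file": "app/views.py", "line": 30, "category": "example-unfixable", "confidence": "high",
     "title": "Placeholder category with no automated fix", "confidence_reason": "constructed placeholder",
     "remediation": "Manual review", "code_snippet": "do_something(user_input)"},
]
```

Two behaviours worth noticing: `publish(FINDINGS)` drops the medium-confidence `hardcoded-secret` finding, exactly as the default gate would in CI, while `publish(FINDINGS, min_confidence="medium")` keeps it; and `code_action` returns `None` for the placeholder category, which is how "listed without an automated fix" looks on the wire.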
Performance
Today the LSP re-scans from the project root on every save. For a 5k-file repo that typically takes 1-3 seconds; for a 50k-file monorepo it can take 10-30 seconds. The engine's incremental scanning makes later saves much cheaper, so the first save after opening the editor is the expensive one.
If you want a faster feedback loop, run `vulkro scan . --watch` (documented in CLI -> scan) in a side terminal. An LSP-native watch mode is on the roadmap.
Disabling the background update check from inside the editor
The LSP server does not start the `vulkro-cli` update-check thread (the CLI and the LSP are separate processes). If you nevertheless want to suppress all network egress from the `vulkro-lsp` binary, set:

```jsonc
// settings.json
{
  "terminal.integrated.env.osx": {
    "VULKRO_NO_UPDATE_CHECK": "1",
    "VULKRO_OFFLINE": "1"
  }
}
```

(Adapt `osx` -> `linux` / `windows` as needed.) One caveat: `terminal.integrated.env.*` only applies to shells opened in VSCode's integrated terminal, so it covers a side-terminal `vulkro scan . --watch`, but a language server spawned by the extension host inherits the environment VSCode itself was launched with. To be certain the variables reach `vulkro-lsp`, also export them in the shell or launcher that starts VSCode.
What this isn't (yet)
- No standalone JetBrains plugin. The LSP works with any LSP-aware editor in principle (Neovim's nvim-lspconfig, Helix, Zed); VSCode is the only one with a packaged extension today.
- No project-wide quick-fixes. Code actions are per-finding; a "fix all CORS wildcards in this repo" command is not wired.
- No real-time as-you-type diagnostics. Triggered on save, not on every keystroke.
Related
`vulkro scan` - the CLI front-door that produces the same findings the LSP surfaces.