LSP server + VS Code extension
Vulkro ships a Language Server Protocol
server, exposed as the vulkro lsp subcommand of the main binary, and a
thin VS Code extension that consumes it. The same .vsix loads in Cursor
and Windsurf (both VS Code forks).
The LSP surfaces Vulkro findings inside your editor as diagnostics, with hover-to-explain and a read-only suppress code action.
Read-only by design
The editor integration never rewrites your code. The only edit it can make
is inserting a // vulkro:disable next-line <RULE> suppression comment, and
only when you ask for it. There are no logic-rewriting "auto-fixes": no CORS
edits, no debug-flag flips, no secret-to-env rewrites. Detection is the
product; the editor is a read-only lens on it.
Install
The extension spawns the vulkro binary you already have, so install the
scanner first (see the install guide). The
extension itself is distributed as a .vsix; build it from
editor-extensions/vscode with npm install && npm run package, then
install the .vsix through your editor.
If the binary cannot be found when the extension starts, it offers an
Install action (also the Vulkro: Install or update the scanner binary
command) that downloads the right release for your platform, verifies its
.sha256, and installs it into ~/.vulkro/bin. That download runs only when
you trigger it and respects VULKRO_OFFLINE=1.
What you get
- Diagnostics on save. Open any Python, JavaScript, TypeScript,
JSX/TSX, Go, Ruby, Java, C#, or PHP file inside a project with a
.git,package.json,pyproject.toml,go.mod, orvulkro.tomlroot marker. Save the file. Vulkro re-scans the project root and surfaces findings under the cursor. - Salesforce projects additionally start a second
vulkro-sf lspserver for Apex, Aura, Visualforce, Flow, and metadata. See the Salesforce extension page for the SFDX specifics. - Hover to explain. Hovering a diagnostic surfaces the rule id, severity, message, and remediation in a Markdown popup.
- Suppress + Explain code actions. The lightbulb on any Vulkro
diagnostic offers Suppress (insert the
vulkro:disablecomment) and Explain (render the rule's long-form explainer). - Findings panel + status bar. A dedicated Vulkro view in the activity bar groups findings by severity; a status bar item shows the live count.
- Severity filter.
vulkro.severityThresholddrops findings below the chosen level before they reach the editor.
Settings
| Setting | Default | Purpose |
|---|---|---|
vulkro.path | vulkro | Path to the vulkro binary, or the bare name if it is on PATH. The extension spawns <path> lsp. |
vulkro.severityThreshold | medium | Minimum severity to surface (critical, high, medium, low, info). |
vulkro.rulePack | default | Audit-profile bias passed to the server. |
vulkro.lsp.debounceMs | 300 | Debounce window (ms) for re-scans, clamped to [50, 5000]. Passed as VULKRO_LSP_DEBOUNCE_MS. |
vulkro.trace.server | off | Trace LSP traffic in the Vulkro output channel. |
Because the server maps Critical and High to the same editor severity
(Error), the critical and high thresholds behave identically in the
editor.
How the LSP talks to the scanner
vulkro lsp runs the scan in-process: no subprocess, no JSON-over-pipe. It
gets the same detection results as the CLI: the full extractor set, the
auth model, reachability gating, taint analysis, and cross-service
correlation. It inherits the CLI's high-confidence default, so the findings
the editor surfaces are the same ones CI would.
Performance
Today the LSP re-scans the whole project root on every save. For a 5k file repo that is typically 1 to 3 seconds; for a 50k file monorepo it can be 10 to 30 seconds. Incremental scanning makes subsequent saves much cheaper; the first save after opening the editor is the expensive one.
For a faster loop, run vulkro scan . --watch (see
CLI: scan) in a side terminal.
Suppressing network egress from inside the editor
To suppress all network egress from the binary the editor spawns, set:
// settings.json
"terminal.integrated.env.osx": {
"VULKRO_NO_UPDATE_CHECK": "1",
"VULKRO_OFFLINE": "1"
}
(Adapt osx to linux / windows as needed.)
What this isn't (yet)
- No standalone JetBrains plugin. The server works with any LSP-aware
editor in principle (Neovim's
nvim-lspconfig, Helix, Zed). VS Code (and its forks) is the only one with a packaged extension today. - No logic-rewriting quick-fixes. Suppression is the only edit, by design.
- No real-time as-you-type diagnostics. Triggered on save, not on every
keystroke (a
didChangereads from disk, not the unsaved buffer).
Related
vulkro scan: the CLI front door that produces the same findings the LSP surfaces.- Salesforce extension page: the
SFDX side, driven by the
vulkro-sfserver.