VS Code Extension
Empower developers to catch security, license, and policy risks early, directly within Visual Studio (VS) Code. The Sonatype extension for VS Code brings shift-left security to your development workflow by surfacing issues in your open source dependencies as you code.
Develop Securely with VS Code + Sonatype
With the Sonatype extension for VS Code, developers can assess open source components in real time, make informed decisions about dependency upgrades, and align with organizational policy without switching tools or breaking their flow. Paired with Sonatype Lifecycle, the extension delivers policy-aware component analysis inside the editor. Developers get immediate feedback on security vulnerabilities, license issues, and policy violations, so they can remediate before code is committed or deployed.
VS Code Integration Features
Inline Policy Feedback
Flags license, security, and policy violations inline in manifest files such as pom.xml, package.json, and requirements.txt, without leaving VS Code.
Broad Ecosystem Support
Supports multiple programming languages and ecosystems, including Java, JavaScript, Python, Go, Rust, PHP, and C.
Custom Project-Level Configuration
Tailor scanning behavior per project using a config file: choose which Sonatype Lifecycle application to target, set the dependency scope, and specify which ecosystems to scan.
Parallelized Analysis with Performance Tuning
Configurable scan parallelization lets you speed up analysis or reduce resource usage, depending on your environment.
Integrated Across Developer Environments
Use the extension in local VS Code installs, GitHub Codespaces, VS Code Dev Containers, or WSL2, so policy feedback stays consistent across diverse development setups.
Component Details and Version Insights
Click any flagged component to explore detailed vulnerability data and remediation guidance. Use filters and version history to find the safest upgrade path.
VS Code IDE Resources
VS Code Extension Documentation
See Full Documentation
Integration on Visual Studio Marketplace
See Marketplace
FAQs
What languages and package managers are supported?
Supported languages include Java (Maven, Gradle), JavaScript (npm, Yarn, pnpm), Python (pip, Poetry), Go, Rust (Cargo), PHP (Composer), and C (Conan). The extension identifies ecosystems by detecting standard manifest files in your project.
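To make the manifest-based detection described above concrete, here is an added example of how an ecosystem detector of that kind can work. It is illustrative code written for this page, not the Sonatype extension's own implementation, and the exact set of manifest filenames it recognizes (for example build.gradle.kts, go.mod, conanfile.py) and the directories it skips are assumptions, not a statement of what the extension detects. It walks a project tree, maps well-known manifest files to a (language, package manager) pair, prunes vendored and build directories so third-party manifests are not mistaken for the project's own, and only reports pyproject.toml as Poetry when it contains a [tool.poetry] section.

```python
"""Illustrative manifest-file detection for a project tree (not Sonatype's code)."""
import os
import tempfile
from pathlib import Path

# Assumed mapping of manifest filename -> (language, package manager).
# The names follow the ecosystems listed on this page; the exact set the
# Sonatype extension recognizes is not documented here.
MANIFESTS = {
    "pom.xml": ("Java", "Maven"),
    "build.gradle": ("Java", "Gradle"),
    "build.gradle.kts": ("Java", "Gradle"),
    "package.json": ("JavaScript", "npm"),
    "yarn.lock": ("JavaScript", "Yarn"),
    "pnpm-lock.yaml": ("JavaScript", "pnpm"),
    "requirements.txt": ("Python", "pip"),
    "pyproject.toml": ("Python", "Poetry"),  # only if [tool.poetry] is present
    "go.mod": ("Go", "Go modules"),
    "Cargo.toml": ("Rust", "Cargo"),
    "composer.json": ("PHP", "Composer"),
    "conanfile.txt": ("C", "Conan"),
    "conanfile.py": ("C", "Conan"),
}

# Directories that hold third-party or generated code; manifests inside them
# describe other people's packages, not this project's direct dependencies.
SKIP_DIRS = {"node_modules", ".git", "target", "build", "vendor", ".venv", "dist"}


def _is_poetry_project(path: Path) -> bool:
    """pyproject.toml is shared by many tools; treat it as Poetry only if it
    declares a [tool.poetry] table."""
    try:
        return "[tool.poetry]" in path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False


def detect_ecosystems(root, max_depth: int = 3) -> dict:
    """Return {(language, manager): [relative manifest paths]} for manifests
    found under root, descending at most max_depth directory levels."""
    root = Path(root)
    found: dict = {}
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        # Prune skipped directories and stop descending past max_depth.
        dirnames[:] = (
            [d for d in dirnames if d not in SKIP_DIRS] if depth < max_depth else []
        )
        for name in filenames:
            if name not in MANIFESTS:
                continue
            full = Path(dirpath, name)
            if name == "pyproject.toml" and not _is_poetry_project(full):
                continue
            rel = full.relative_to(root).as_posix()
            found.setdefault(MANIFESTS[name], []).append(rel)
    return {key: sorted(paths) for key, paths in found.items()}


def build_sample_project(root) -> None:
    """Write a constructed sample monorepo used to exercise the detector."""
    root = Path(root)
    files = {
        "pom.xml": "<project/>",
        "frontend/package.json": '{"name": "frontend"}',
        # Manifest inside node_modules belongs to a vendored package: ignored.
        "frontend/node_modules/leftpad/package.json": '{"name": "leftpad"}',
        "api/pyproject.toml": "[tool.poetry]\nname = \"api\"\n",
        # pyproject.toml without a Poetry table (e.g. setuptools only): ignored.
        "tools/pyproject.toml": "[build-system]\nrequires = [\"setuptools\"]\n",
        "services/billing/go.mod": "module example.com/billing\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def run_demo() -> dict:
    """Build the constructed sample tree in a temp dir and run detection on it."""
    workdir = tempfile.mkdtemp(prefix="manifest-demo-")
    build_sample_project(workdir)
    return detect_ecosystems(workdir)


if __name__ == "__main__":
    for (language, manager), paths in sorted(run_demo().items()):
        print(f"{language} ({manager}): {', '.join(paths)}")
```

Pruning SKIP_DIRS matters for the policy result, not just speed: a package.json under node_modules describes a transitive package's own declared dependencies, and reporting it as a project manifest would both double-count components and attribute findings to the wrong application. The pyproject.toml check shows why filename matching alone is not enough for ecosystems that share a manifest name.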
What do I need to use the extension?
You will need access to a Sonatype Lifecycle instance. The extension is configured with your Sonatype IQ Server URL and credentials.
Can I configure how the analysis runs?
Yes. You can manage settings in the VS Code extension panel, or override them per project by editing the .sonatype-config.yaml file in the project.