SecureLens

SecureLens is a VS Code security assistant that helps developers catch vulnerabilities before they reach production.

Comment

🛡️🔍 SecureLens helps developers catch and fix security vulnerabilities in code before it ships to production.

How to Run

  1. Install SecureLens from the VS Code Marketplace https://marketplace.visualstudio.com/items?itemName=Danton-Soares.securelens

Or search “SecureLens” directly in the VS Code Extensions tab.

  1. Ensure you have Python 3.10+ installed.

  2. Install the required security engine (Semgrep) in the VS Code terminal:

pip install semgrep
  1. Verify the installation:
semgrep --version
  1. Open a project in VS Code and run:
  • SecureLens: Scan Current File
  • SecureLens: Scan Workspace

You can access these commands through the SecureLens sidebar or the Command Palette (Ctrl + Shift + P).

SecureLens will analyze your code locally and display findings directly in the editor with explanations and suggested fixes.

💡 Tip

SecureLens runs entirely locally, meaning your source code never leaves your machine.

Inspiration

AI coding assistants have completely transformed how developers write software. Today, developers can generate large amounts of code in seconds using tools like ChatGPT, Copilot, and other AI assistants.

But with that speed comes a serious problem: security vulnerabilities are increasingly being introduced into codebases without developers realizing it.

Recent studies suggest that over 60% of AI-generated code contains some form of security vulnerability, ranging from hardcoded secrets to SQL injection risks and unsafe APIs. Developers are moving faster than ever, but security knowledge often doesn't scale at the same speed.

I built SecureLens because I wanted a tool that helps developers catch and understand security issues before they ever reach production.

Instead of slowing developers down, SecureLens acts like a security mentor inside the editor, helping developers ship secure code while they work.

What it does

SecureLens is a VS Code security assistant that detects vulnerabilities directly inside the developer workflow and helps developers fix them immediately.

The extension combines multiple detection techniques to identify common security risks such as:

  • Hardcoded secrets
  • SQL injection vulnerabilities
  • Cross-site scripting (XSS)
  • Command injection
  • Unsafe use of eval
  • Secret exposure and other common security issues

SecureLens integrates directly into VS Code and provides:

  • Inline editor warnings and squiggles
  • A dedicated SecureLens activity panel with Actions, Findings, and Suggestions
  • Clickable findings that jump to the exact location in the code
  • Human-readable explanations of why a vulnerability is dangerous
  • Step-by-step remediation guidance
  • Automated quick fixes for certain vulnerabilities
  • Support for custom security rules defined by the developer

The goal is simple: help developers understand, fix, and prevent vulnerabilities without interrupting their workflow.

How I built it

SecureLens is implemented as a VS Code extension written in TypeScript.

The system combines several components:

Static Analysis Layer

  • Semgrep CLI for advanced static analysis
  • Built-in regex-based detection rules
  • Support for user-defined custom regex security rules

Editor Integration

  • VS Code Diagnostics API for inline vulnerability detection
  • Activity Bar interface for findings, actions, and suggestions
  • Command palette integration for scanning files or entire workspaces

Automated Remediation

  • Quick fixes for certain vulnerabilities, such as:

    • Replacing hardcoded secrets with environment variables
    • Converting unsafe innerHTML usage to safer alternatives

  • Automatic creation of .env files when secrets are detected

  • Automatic .gitignore updates to prevent secrets from being committed

SecureLens runs entirely locally, meaning no source code leaves the developer’s machine, preserving privacy and enabling fast scans.

Challenges I ran into

One of the biggest challenges was combining multiple detection systems without overwhelming developers.

Because SecureLens uses both Semgrep and regex-based rules, it was initially easy for duplicate or overlapping findings to appear. I had to build logic to deduplicate results while preserving useful context.

Another challenge was developer experience. Security tools often produce too many warnings, which can cause developers to ignore them entirely. I focused heavily on making the tool feel helpful instead of noisy by adding explanations, actionable guidance, and quick fixes.

Implementing automated fixes also introduced edge cases such as:

  • .env file generation
  • variable naming collisions
  • .gitignore updates
  • ensuring fixes didn't break the codebase

Balancing automation, safety, and usability was one of the hardest parts of building SecureLens.

Accomplishments that I'm proud of

I'm proud that SecureLens goes beyond traditional static analysis tools.

Instead of simply reporting vulnerabilities, it helps developers understand and fix them immediately.

Some highlights include:

  • Building a hybrid detection engine combining Semgrep, regex rules, and customizable checks
  • Creating a fully integrated VS Code security dashboard
  • Implementing automated quick fixes for common vulnerabilities
  • Supporting custom rule definitions for teams and projects
  • Designing the extension to be local-first, protecting developer privacy
  • Building a tool that developers can realistically integrate into their daily workflow

Most importantly, I created something that helps developers ship safer code without slowing them down.

What I learned

Building SecureLens taught me that security tools are most effective when they focus on developer experience.

Developers don't ignore security because they don't care — they ignore it because tools often interrupt their workflow or require deep security expertise.

I also learned that combining automation with education is incredibly powerful. When developers understand why something is dangerous and how to fix it, they become more confident writing secure code in the future.

Finally, this project reinforced the importance of privacy-first tooling. By running all scans locally, SecureLens keeps developer code private while still providing powerful security insights.

What's next for SecureLens

SecureLens is just the beginning.

The next steps I want to explore include:

  • AI-powered explanations and remediation suggestions
  • An AI security assistant chat to help developers understand vulnerabilities in context
  • A feature that explains the security architecture of an entire codebase
  • Integration with additional static analysis tools like Sonar
  • More automated fixes and security rule coverage
  • Publishing SecureLens to the VS Code Marketplace

My long-term vision is to make SecureLens a trusted security companion for developers, especially in a world where AI-generated code is becoming the norm.

As developers move faster with AI, tools like SecureLens can help ensure security doesn't get left behind.

Built With

Share this project:

Updates