A VS Code extension + git-hook enforcement + backend orchestrator that detects insecure code, shows urgency/highlights, and locks the IDE when severity is Critical/High until a verified fix is applied.
```bash
cd /Users/youseph.e/Desktop/IBM/sentry/server
npm install   # Already done
npm run dev   # Server runs at http://localhost:3333

# Health check
curl http://localhost:3333/health

# Run the test script
node scripts/test-scan.js
```

- Open VS Code
- File → Open Folder → Select `/Users/youseph.e/Desktop/IBM/sentry/extension`
- Press `F5` to launch the Extension Development Host
- In the new VS Code window, open the demo file: `/Users/youseph.e/Desktop/IBM/sentry/demo/vulnerable.js`
- Save the file to trigger a scan
- Observe:
  - 🔴 Red highlighting on critical vulnerability lines
  - 🟠 Orange highlighting on high severity lines
  - 🟡 Yellow highlighting on medium severity lines
  - CodeLens "Fix with SENTRY" buttons above issues
  - Problems panel with all findings
  - Lock screen overlay for Critical/High findings
```bash
cd /path/to/any-git-repo
/Users/youseph.e/Desktop/IBM/sentry/hooks/install.sh
```

Now commits with Critical/High issues will be blocked!
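What the installed hook has to do, as an added example that is not SENTRY's own `install.sh` or hook script: a Node pre-commit hook that turns the staged diff into a Tier 2 `POST /scan` request in the README's request shape and exits non-zero when any finding is CRITICAL or HIGH, so git aborts the commit. The way `git diff --cached` output is split per file, the extension-to-language map, the 20 s timeout and the fail-closed handling of a server error are this example's own assumptions.

```javascript
// Added example (not SENTRY's own hook): pre-commit gate in front of POST /scan.
const SERVER_URL = process.env.SENTRY_SERVER_URL || 'http://localhost:3333';
const BLOCKING = new Set(['CRITICAL', 'HIGH']);   // the only severities that stop a commit

// Split a unified diff from `git diff --cached` into per-file chunks keyed by
// the new-side path, so each file becomes one entry in the /scan request.
// (Assumed parsing: only the `diff --git a/X b/Y` header is used to find files.)
function splitStagedDiff(diffText) {
  const files = [];
  let current = null;
  for (const line of diffText.split('\n')) {
    const m = /^diff --git a\/(.+?) b\/(.+)$/.exec(line);
    if (m) {
      current = { filePath: m[2], diff: '' };
      files.push(current);
    } else if (current) {
      current.diff += line + '\n';
    }
  }
  return files;
}

// Map a file extension to the `language` metadata field (assumed table).
function languageOf(filePath) {
  const ext = filePath.split('.').pop();
  return { ts: 'typescript', js: 'javascript', py: 'python', go: 'go' }[ext] || 'unknown';
}

// Build the /scan request body exactly as the README documents it, tier 2.
function buildScanRequest(diffText, now = Date.now()) {
  return {
    files: splitStagedDiff(diffText).map((f) => ({
      filePath: f.filePath,
      diff: f.diff,
      context: '',
      metadata: { language: languageOf(f.filePath), tier: 2, timestamp: now },
    })),
  };
}

// The gate: block only on CRITICAL/HIGH; MEDIUM findings are reported but
// do not stop the commit.
function blockingFindings(findings) {
  return findings.filter((f) => BLOCKING.has(f.severity));
}

// Runs under git: collect the staged diff, send it, decide the exit code.
async function runHook() {
  const { execSync } = await import('node:child_process');
  const diffText = execSync('git diff --cached --unified=0', { encoding: 'utf8' });
  const body = buildScanRequest(diffText);
  if (body.files.length === 0) return 0;          // nothing staged, nothing to scan

  const res = await fetch(`${SERVER_URL}/scan`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(body),
    signal: AbortSignal.timeout(20000),
  });
  if (!res.ok) {
    // Fail closed (assumed policy): an unreachable or failing scanner must not
    // silently let Critical/High code through.
    console.error(`SENTRY: scan failed (${res.status}); blocking commit`);
    return 1;
  }
  const { findings } = await res.json();
  const blocking = blockingFindings(findings);
  for (const f of blocking) {
    const r = f.line_ranges[0] || {};
    console.error(`SENTRY ${f.severity} ${f.risk_type} at line ${r.start}: ${f.why_it_matters}`);
  }
  return blocking.length > 0 ? 1 : 0;
}

// Constructed sample diff (not real project history) for trying the parser offline.
const SAMPLE_DIFF = [
  'diff --git a/src/auth.ts b/src/auth.ts',
  'index 1111111..2222222 100644',
  '--- a/src/auth.ts',
  '+++ b/src/auth.ts',
  '@@ -41,0 +42 @@',
  '+const q = "SELECT * FROM users WHERE id=" + userId;',
  'diff --git a/README.md b/README.md',
  '--- a/README.md',
  '+++ b/README.md',
  '@@ -1 +1 @@',
  '-old',
  '+new',
].join('\n');

// Only act as a hook when git invokes the file directly (.git/hooks/pre-commit).
if (process.argv[1] && process.argv[1].endsWith('pre-commit')) {
  runHook().then((code) => process.exit(code));
} else {
  console.log(JSON.stringify(buildScanRequest(SAMPLE_DIFF, 1706726400000), null, 2));
}
```

Installed as `.git/hooks/pre-commit` with a `#!/usr/bin/env node` first line, git runs it before every commit; `--unified=0` keeps the request small since the backend receives the diff rather than whole files. Returning 1 on a failed request is the conservative choice for a security gate; a team that prefers fail-open for offline work should make that an explicit, logged decision rather than the default.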
```
┌─────────────────────────────────────────────────────────────┐
│                         VS Code IDE                         │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │  CodeLens   │  │ Decorations │  │ Lock Screen Overlay │  │
│  │  Provider   │  │  Provider   │  │      (Webview)      │  │
│  └──────┬──────┘  └──────┬──────┘  └──────────┬──────────┘  │
│         └────────────────┴────────────────────┘             │
│                          │                                  │
│                    ┌─────┴─────┐                            │
│                    │  Scanner  │◀── Tier 0 (Local Regex)    │
│                    └─────┬─────┘                            │
└──────────────────────────┼──────────────────────────────────┘
                           │ POST /scan
                           ▼
┌─────────────────────────────────────────────────────────────┐
│                       SENTRY Backend                        │
│  ┌───────────────────────────────────────────────────────┐  │
│  │                     Orchestrator                      │  │
│  │  ┌───────────┐   ┌───────────┐   ┌───────────────┐    │  │
│  │  │  Tier 0   │   │  Tier 1   │   │    Tier 2     │    │  │
│  │  │   Regex   │──▶│  AI Scan  │──▶│    AI Scan    │    │  │
│  │  │ (Always)  │   │ (On Save) │   │  (On Commit)  │    │  │
│  │  └───────────┘   └─────┬─────┘   └───────────────┘    │  │
│  │                  ┌─────┴─────┐                        │  │
│  │                  │AI Provider│◀── IBM watsonx/Bob      │  │
│  │                  └───────────┘    (stubbed for demo)   │  │
│  └───────────────────────────────────────────────────────┘  │
│                                                             │
│  ┌─────────────┐  ┌─────────────────┐  ┌─────────────────┐  │
│  │    Cache    │  │ Docling Chunker │  │ Patch Generator │  │
│  │ (5min TTL)  │  │  (Code Parser)  │  │ (Fix Suggester) │  │
│  └─────────────┘  └─────────────────┘  └─────────────────┘  │
└─────────────────────────────────────────────────────────────┘
                           ▲
                           │ POST /scan (Tier 2)
┌──────────────────────────┼──────────────────────────────────┐
│                          Git Hooks                          │
│  ┌─────────────┐  ┌─────────────┐                           │
│  │ pre-commit  │  │  pre-push   │──▶ Blocks if CRITICAL/HIGH │
│  │ (required)  │  │ (optional)  │                           │
│  └─────────────┘  └─────────────┘                           │
└─────────────────────────────────────────────────────────────┘
```

| Tier | When | What | AI Call |
|---|---|---|---|
| Tier 0 | Always | Local regex patterns (secrets, eval, innerHTML, SQL concat, shell calls) | No |
| Tier 1 | On file save | AI scan when Tier 0 flags OR file in sensitive path OR risky sink touched | Yes (if needed) |
| Tier 2 | On git commit/push | Full AI scan of staged diff | Yes (always) |

| Risk Type | Severity | Example |
|---|---|---|
| `HARDCODED_SECRET` | CRITICAL | `password = "secret123"` |
| `SQL_INJECTION` | CRITICAL | `"SELECT * FROM users WHERE id=" + userId` |
| `COMMAND_INJECTION` | CRITICAL | `exec("ls " + userInput)` |
| `CODE_INJECTION` | CRITICAL | `eval("(" + data + ")")` |
| `XSS_VULNERABILITY` | HIGH | `element.innerHTML = userInput` |
| `PATH_TRAVERSAL` | HIGH | `readFile("/uploads/" + filename)` |
| `MASS_ASSIGNMENT` | HIGH | `Object.assign(user, req.body)` |
| `INSECURE_RANDOMNESS` | MEDIUM | `Math.random()` for tokens |
| `WEAK_HASH` | MEDIUM | `createHash('md5')` |

`POST /scan`: scan files for vulnerabilities.

Request:

```json
{
  "files": [{
    "filePath": "src/auth.ts",
    "diff": "...",
    "context": "...",
    "metadata": {
      "language": "typescript",
      "tier": 1,
      "timestamp": 1706726400000
    }
  }]
}
```

Response:

```json
{
  "findings": [{
    "id": "uuid",
    "risk_type": "SQL_INJECTION",
    "severity": "CRITICAL",
    "line_ranges": [{"start": 42, "end": 42}],
    "why_it_matters": "...",
    "suggested_patch": "...",
    "verified": false,
    "source": "tier0"
  }],
  "cached": false,
  "processingTime": 127,
  "tier": 1
}
```

Generate a fix for a finding.

`GET /health`: health check endpoint.

| Setting | Default | Description |
|---|---|---|
| `sentry.serverUrl` | `http://localhost:3333` | Backend server URL |
| `sentry.debounceMs` | `1500` | Debounce delay for save scans |
| `sentry.cooldownMs` | `30000` | Minimum time between scans of the same file |
| `sentry.enableLock` | `true` | Enable IDE lock on Critical/High findings |

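How `sentry.debounceMs` and `sentry.cooldownMs` interact on save, as an added example that is not the extension's own code: a scheduler that waits for the editor to go quiet before scanning and refuses to rescan the same file inside the cooldown window. The clock and timer functions are injected so the policy can be exercised deterministically; the `ScanScheduler` and `FakeClock` names and the scenario are this example's own.

```javascript
// Added example (not the extension's own code): debounce + cooldown for save scans.
class ScanScheduler {
  constructor({ debounceMs = 1500, cooldownMs = 30000, now = Date.now,
                setTimer = setTimeout, clearTimer = clearTimeout, onScan }) {
    this.debounceMs = debounceMs;
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.setTimer = setTimer;
    this.clearTimer = clearTimer;
    this.onScan = onScan;
    this.lastScanAt = new Map();   // filePath -> time the last scan was dispatched
    this.pending = new Map();      // filePath -> debounce timer handle
    this.skipped = [];             // files whose save landed inside the cooldown
  }

  // Called on every save. Restarting the timer means a burst of saves yields
  // one scan, debounceMs after the last save.
  onSave(filePath) {
    if (this.pending.has(filePath)) this.clearTimer(this.pending.get(filePath));
    const handle = this.setTimer(() => {
      this.pending.delete(filePath);
      this.dispatch(filePath);
    }, this.debounceMs);
    this.pending.set(filePath, handle);
  }

  // Cooldown check: returns true if a scan was dispatched, false if suppressed.
  dispatch(filePath) {
    const t = this.now();
    const last = this.lastScanAt.get(filePath);
    if (last !== undefined && t - last < this.cooldownMs) {
      this.skipped.push(filePath);
      return false;
    }
    this.lastScanAt.set(filePath, t);
    this.onScan(filePath, t);
    return true;
  }
}

// Deterministic clock and timer for the demo: timers fire when advance()
// moves the clock past their due time, in due-time order.
class FakeClock {
  constructor() { this.t = 0; this.timers = []; this.nextHandle = 1; }
  now() { return this.t; }
  setTimer(fn, delay) {
    const handle = this.nextHandle++;
    this.timers.push({ handle, due: this.t + delay, fn });
    return handle;
  }
  clearTimer(handle) { this.timers = this.timers.filter((x) => x.handle !== handle); }
  advance(ms) {
    const target = this.t + ms;
    for (;;) {
      const next = this.timers.filter((x) => x.due <= target).sort((a, b) => a.due - b.due)[0];
      if (!next) break;
      this.timers = this.timers.filter((x) => x !== next);
      this.t = next.due;
      next.fn();
    }
    this.t = target;
  }
}

// Constructed scenario with the README defaults (1500 ms debounce, 30000 ms
// cooldown): four saves 200 ms apart, a save shortly after the first scan,
// then a save after the cooldown has expired.
function runScenario() {
  const clock = new FakeClock();
  const scans = [];
  const sched = new ScanScheduler({
    now: () => clock.now(),
    setTimer: (fn, d) => clock.setTimer(fn, d),
    clearTimer: (h) => clock.clearTimer(h),
    onScan: (file, at) => scans.push({ file, at }),
  });
  const file = 'demo/vulnerable.js';
  for (let i = 0; i < 4; i++) { sched.onSave(file); clock.advance(200); }  // last save at t=600
  clock.advance(2000);                        // debounce elapses: one scan at t=2100
  sched.onSave(file); clock.advance(1500);    // fires at t=4300, inside cooldown: skipped
  clock.advance(30000);                       // t=34300
  sched.onSave(file); clock.advance(1500);    // fires at t=35800, cooldown over: scan
  return { scans, skipped: sched.skipped.length };
}

console.log(JSON.stringify(runScenario()));
```

The suppressed save is the caveat worth knowing: a change saved inside the cooldown is not scanned until the next save after the window, so the lock overlay can lag behind the code by up to `cooldownMs`. That is why the Tier 2 git hook is the enforcement point and the save-time scan is advisory; with the real `setTimeout`/`clearTimeout` defaults the class behaves the same way on a live clock.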

| Variable | Default | Description |
|---|---|---|
| `SENTRY_SERVER_URL` | `http://localhost:3333` | Backend URL (for git hooks) |
| `AI_ENABLED` | `false` | Enable real AI calls |
| `WATSONX_API_KEY` | - | IBM watsonx API key |

- Show the vulnerable file: point out the intentional security issues
- Save the file: watch SENTRY scan and highlight the issues
- Observe the lock screen: the IDE is locked due to critical findings
- Click "Fix with SENTRY": show the AI-suggested fix
- Apply the fix: watch the auto-rescan and unlock
- Try to commit: show the git hook blocking the commit
- Fix the remaining issues: the commit succeeds
MIT