
Mend for Visual Studio Code

Overview

Mend for Visual Studio Code provides developers with immediate information about security findings and remediation suggestions directly in the IDE, before the code is committed into an SCM.

As a result, securing applications becomes simpler: developers can triage and remediate security findings without navigating away from the IDE.

Getting Started

Prerequisites

  • Supported IDE: Visual Studio Code (VS Code)

  • Authentication: Named user authentication is required. Users can authenticate either from the plugin settings or during the initial setup screen.

  • Mend AI-Native AppSec Platform Account: An active Mend account is required for authentication and scan result retrieval.

  • Onboarded Repository: The repository you wish to scan needs to have a corresponding project in the Mend AI-Native AppSec Platform.

Installation Steps

Install the Plugin

Install the Mend for Visual Studio Code extension from the VS Code Marketplace.

image-20251118-152242.png

Once installed, the Mend icon is added to the Activity Bar on the left side of VS Code.

image-20251117-151859.png

Authenticate

On first launch, the plugin prompts for authentication.

image-20251118-152501.png
  1. Environment - Select the environment in which your Mend organization is hosted:

image-20251117-151957.png
  2. User Email - Fill in the user email used to log into the Mend AI-Native AppSec Platform.

  3. User Key - Can be obtained from your profile in the Mend AI-Native AppSec Platform UI.

    image-20251117-232157.png

    If no user key exists, create one by clicking the Create User Key (image-20251113-162512.png) button on the right.

  4. Authenticate

image-20251117-152230.png

    You will be notified when the authentication is successful via a pop-up message at the bottom-right:

image-20251117-152327.png
  5. Organization - Select the desired organization from the list of organizations the specified user is a member of.

image-20251117-152302.png

Note: You can re-authenticate at any time via the plugin settings.

Permissions: Grant the necessary permissions for the plugin to access your codebase and communicate with the Mend AI-Native AppSec Platform.

Triggering a Scan

  • Manual Scan: Users can trigger a scan at any time via the plugin UI.

  • Differential Results: The scan analyzes only the changes introduced in the current feature branch compared to the main branch.

  • No CLI Required: The plugin integrates the Mend CLI in the background; users do not need to install or interact with the CLI directly.

Scan Workflow

  1. Initiate Scan: Click the “Scan Now” button in the plugin panel.

    image-20251117-152906.png
  2. Authentication Check: If not already authenticated, the plugin will prompt for login.

  3. Scan Execution: The plugin runs the scan in the background and retrieves results specific to your code changes.

    image-20251117-152924.png

Viewing Findings

  • Inline Annotations: Lines of code introducing vulnerabilities are underlined in the editor.

  • Hover Details: Hovering over an underlined line displays a dialog with:

    • Vulnerability details

    • Remediation suggestions

    • CWE (Common Weakness Enumeration) description

The Finding Details Drawer

  • Clicking a finding opens a Finding Details drawer on the right side of the screen, similar to the one in the Mend AI-Native AppSec Platform UI. It contains the following tabs:

    • Overview

      image-20251117-225752.png
      • Description

      • Severity

      • Risk Factors

      • Data Flows

      • Endpoints

      • Remediation

    • Violations

      image-20251028-205123.png
      • Priority

      • Workflow

      • Violations

    • CWE Description

      image-20251117-225936.png
      • CWE Description

      • Violations

      • Remediation Recommendation

      • Further Reading

    • Training

      • Training

      • Videos

      • Further Reading

        image-20251117-230001.png

The Problems View

Displays the SAST findings as problems in VS Code.

image-20251117-230132.png

Each listed file can be expanded to reveal the findings whose sink is located in that file.

The finding line contains a description and a link to the CWE entry on the MITRE site.

Under each finding, related information is listed, namely the source of every data flow that leads to that finding's sink.

In the editor, problems are marked with squiggly underlines. Hovering over one opens a pop-up containing information such as the CWE description, severity, etc.

image-20251117-230250.png

Click the View Details button at the bottom-left to navigate to the Finding Details drawer.
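To make the source, data flow and sink terminology above concrete, here is an added, constructed example (not Mend's code and not taken from this page) of the kind of finding a SAST scan reports: a CWE-22 path traversal, with the untrusted filename as the source, os.path.join as the intermediate step, and open() as the sink, alongside the remediated form. The function names, the temporary directory layout and the sample file contents are all assumptions made for this illustration.

```python
import os
import tempfile

# Constructed example: a CWE-22 path traversal data flow of the shape a SAST
# engine reports. Source: the untrusted `filename` parameter. Sink: open().
# Flow: filename -> os.path.join -> open.


def read_attachment_vulnerable(base_dir: str, filename: str) -> bytes:
    """Vulnerable: `filename` flows unchecked from the caller into open().
    A '../' segment escapes base_dir."""
    path = os.path.join(base_dir, filename)  # intermediate data-flow step
    with open(path, "rb") as f:              # sink
        return f.read()


def read_attachment_fixed(base_dir: str, filename: str) -> bytes:
    """Remediated: canonicalise both paths and confirm the resolved file
    is still inside base_dir before reaching the sink."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, filename))
    # commonpath (not startswith) also rejects the sibling-dir prefix trick,
    # e.g. base '/srv/att' vs. target '/srv/attacker/x'.
    if os.path.commonpath([base, path]) != base:
        raise PermissionError(f"refused: {filename!r} resolves outside {base}")
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a throwaway directory tree (constructed data) and exercise both
    versions with a legitimate name and a traversal payload."""
    root = tempfile.mkdtemp()
    attachments = os.path.join(root, "attachments")
    os.mkdir(attachments)
    with open(os.path.join(attachments, "report.txt"), "wb") as f:
        f.write(b"quarterly report")
    with open(os.path.join(root, "secret.txt"), "wb") as f:  # outside base_dir
        f.write(b"db-password")

    results = {}
    results["vuln_legit"] = read_attachment_vulnerable(attachments, "report.txt")
    # The vulnerable sink happily reads a file outside the allowed directory.
    results["vuln_escape"] = read_attachment_vulnerable(attachments, "../secret.txt")
    results["fixed_legit"] = read_attachment_fixed(attachments, "report.txt")
    try:
        read_attachment_fixed(attachments, "../secret.txt")
        results["fixed_escape"] = "read"
    except PermissionError:
        results["fixed_escape"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In the plugin's Problems view, a finding like this would show open() in the file containing the sink, with the `filename` parameter listed underneath as the source of the data flow; the hardened function is the shape of change a remediation suggestion would propose.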

Navigating Findings

  • Findings Panel: All findings are listed in a dedicated panel.

  • Click to Navigate: Clicking a finding takes you to the relevant file and line in your code.

    image-20251117-230440.png
  • Expandable Data Flow: Expand a finding to view the data flow; clicking on data flow steps navigates to the corresponding code locations.

Filtering Findings

Choosing Differential Findings vs. All Findings filters the information displayed in the Problems view accordingly:

image-20251117-230456.png

In addition, various filters are available for narrowing down the list of findings to triage.

  1. Sort By - Select either Severity or Violations. Use the arrow on the right to control the sort order, ascending vs. descending.

    image-20251117-230534.png
  2. CWE - Enter the CWE number, e.g., “22”.

    image-20251117-230615.png
  3. Severity - Select the desired severity level(s): Critical / High / Medium / Low.
    Multi-selection is supported.

image-20251117-230744.png

Rescan

You can rescan your project at any time by clicking the Rescan button at the top right corner of the Findings Panel.

image-20251117-230837.png

Remediation

  • Remediation Suggestions: Each finding includes a remediation suggestion.

  • One-Click Fix: Click “Remediate” in the Finding Details drawer.

    image-20251117-231113.png

    The Remediate button is also available in the Problems view while hovering over a finding and clicking the quick fix menu (lightbulb icon):

    image-20251117-231428.png

    It’s also available in the main window:

    image-20251117-231716.png
  • This will trigger the Mend Remediation (image-20251117-231746.png), which will open a refactor view showing the code diff for the suggested fix.
    Example:

    image-20251117-231828.png
  • Apply Fix: Apply or discard the remediation using the buttons located at the bottom of the VS Code UI (image-20251117-231904.png).
    Applied changes are made in your file, but remain unsaved until you review and save them.

Note: Mend for Visual Studio Code supports remediating multiple findings at once. To do so, check the findings you wish to remediate in the left pane and click Remediate:

image-20251117-232015.png

Suppression

  • Suppress Findings: Click “Suppress” to open a dialog for selecting a suppression reason. Please note that only new findings can be suppressed.

    image-20251117-232048.png

    Available suppression reasons:
    - False positive
    - Acceptable risk
    - Temporarily ignore
    - Other

  • Suppressed List: Suppressed findings are moved to a separate list and can be unsuppressed if needed.

    image-20251117-232532.png

Known Limitations

  • Scanning mono-repos is not supported - if one repository is mapped to multiple projects, each project should be opened as a separate workspace in order to perform a scan.

  • As of November 2025, IDE scans do not affect or appear in the Mend AI-Native AppSec Platform's project-level scan history. This capability will be added in a future release.
