
Security Guidance
Security Guidance is a real-time security co-pilot that reads your edits as you type and flags patterns like command injection, XSS, SQL injection, unsafe eval, insecure deserialization, and exposed secrets before changes are saved. It watches file edits in the editor, highlights the exact snippet that looks risky, and explains why the code is dangerous so you can decide how to fix it right away.
The extension maps common risky APIs and patterns to concrete checks: unescaped template output, shell exec with user input, concatenated SQL strings, usage of eval/new Function, weak crypto choices, and unsafe third-party calls. When it finds an issue it records the file, line, and a short remediation — escape here, parameterize that, use a safer API — and it links to the GitHub repo for deeper rules and examples.
It integrates with Claude Code so the assistant gets a heads-up when a proposed change would introduce a problem, and it can run on typing or on save. The tool also provides a quick scan mode for a whole file or project, and it can be tuned to ignore certain patterns or to require stricter checks for sensitive directories.
For example, while editing an Express route that renders user input into HTML, the plugin will immediately flag unescaped output and suggest an escaping function — you fix it in-place without running a separate linter or opening a security scanner, saving time and avoiding tool switching during the normal edit-review cycle.
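The route from this example, written out as added illustration code (not the plugin's own rules or code): the unescaped handler the plugin would flag, the escaped version its remediation hint points to, and a small constructed heuristic of the kind such a check might use. The handlers are plain functions returning the response body so the snippet runs without Express installed.

```javascript
// Minimal HTML escaping for text placed inside element content or
// double-quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the pattern the plugin flags. req.query.name lands in the page
// verbatim, so any markup in the query string is rendered by the browser
// instead of shown as text (reflected XSS).
function greetUnsafe(req) {
  return `<h1>Hello, ${req.query.name}</h1>`;
}

// AFTER: the same route with output escaped at the point of interpolation.
function greetSafe(req) {
  return `<h1>Hello, ${escapeHtml(req.query.name)}</h1>`;
}

// Constructed heuristic, not the plugin's real rule set: report template-literal
// interpolations of request data that are not wrapped in escapeHtml(), with the
// line number and the exact snippet, the way the plugin reports file/line/snippet.
function flagUnescapedInterpolation(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const re = /\$\{([^}]*)\}/g;
    let m;
    while ((m = re.exec(text)) !== null) {
      const expr = m[1];
      if (/\breq\.(query|params|body)\b/.test(expr) && !/escapeHtml\(/.test(expr)) {
        findings.push({ line: i + 1, snippet: m[0] });
      }
    }
  });
  return findings;
}

// Wiring for a real Express app (assumed, not exercised here):
// app.get("/greet", (req, res) => res.send(greetSafe(req)));
```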
Without this tool
- ✗ AI suggests code without structured workflow
- ✗ No planning or verification steps
- ✗ Inconsistent implementation quality
With this tool
- ✓ AI follows structured coding workflow
- ✓ Plans, executes, and verifies code
- ✓ Higher reliability and consistency