By integrating the Contrast Security Visual Studio Code extension into your IDE you are able to quickly map vulnerabilities to your source code directly at the file and line number by importing your IAST or SAST vulnerabilities from the latest sessions or scans getting actionable information on each of the vulnerabilities found.
-
Comprehensive vulnerability analysis
The extension allows you to connect your IDE to the Contrast Platform and analyse any of your IAST Applications or SAST projects directly within the IDE. See vulnerability summaries right at the file and line number, highlighting the risk and providing a short summary of remediation you can take or follow the link back to the Contrast platform. -
** Broad language and framework support**
Contrast Security covers commonly supported languages.
- Clone the VS Code plugin repository
- Open the cloned project directory in VSCode
- Install dependencies using npm in the terminal by running
npm install - Build the Project by running
npm run buildin the terminal - Package the plugin using vsce (Visual Studio Code Extension Manager). If not installed, first install vsce by running the command
npm install -g @vscode/vsce - Run the build command
vsce packageto generate the.vsixfile
- Open VS Code.
- Go to the Extensions view
(Ctrl+Shift+X). - Search for Contrast and Click on it to view more details.
- Now Click on the install button on the extension’s page.
- Restart the VSCode if required after installing the Contrast extension. (Optional)
- Launch Visual Studio Code on your system.
- Go to the Extensions view
(Ctrl+Shift+X). - Click the ellipsis
(⋮)in the top-right corner and select Install fromVSIX… - Navigate to the location of the
.vsixfile and select it.
| Issue | ✅ Solution |
|---|---|
| Vulnerabilities are not mapping to the current file | - Ensure the file name matches exactly - Confirm the full file path is correct |
| Why are vulnerabilities listed under the "Unmapped Vulnerabilities" section in the vulnerability report? | Vulnerabilities appear in the Unmapped Vulnerabilities section when essential metadata is missing—specifically: • File path • Line number These details are usually shown in the vulnerability’s Overview section. Make sure you are reviewing the Beview and using the Latest report. Without this metadata, Contrast cannot map the issue to a specific file and line in your code, so they’re grouped here for visibility. |
| Why is there an interlock mechanism implemented in the Contrast plugin? | The interlock mechanism in the Contrast plugin is designed to maintain data consistency and avoid conflicts when working with vulnerabilities in your IDE. 🔄 How it works: - A user can fetch vulnerabilities from only one source type at a time (either Assess or Scan). - If switching source types (e.g., from Assess to Scan), the user is prompted to clear the existing cache before fetching vulnerabilities from the new source type. This ensures that the plugin doesn’t mix data between the two source types, avoiding incorrect mappings or duplicated entries. 🧩 Flexibility across IDEs: Users can still work with different source types for different applications across multiple IDEs without restriction. |