1.0.0

Author: bmeck

.github/workflows/publish.yml

@@ -0,0 +1,47 @@
+on:
+  push:
+    tags:
+      - "release/[0-9]+.[0-9]+.[0-9]+"
+      - "prerelease/[0-9]+.[0-9]+.[0-9]+"
+
+name: Deploy Extension
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for DryRun and Prerelease
+        id: releaseMode
+        # perform secret check & put boolean result as an output
+        shell: bash
+        run: |
+          if [[ "${{ github.ref }}" = "refs/tags/prerelease"* ]]; then
+            echo "preRelease=true" >> $GITHUB_OUTPUT;
+          else
+            echo "preRelease=false" >> $GITHUB_OUTPUT;
+          fi
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+      - run: npm ci
+      - name: Publish to Open VSX Registry
+        uses: HaaLeo/publish-vscode-extension@v1
+        id: publishToOpenVSX
+        with:
+          dryRun: ${{ steps.releaseMode.outputs.dryRun }}
+          pat: ${{ secrets.OPEN_VSX_TOKEN }}
+          preRelease: ${{ steps.releaseMode.outputs.preRelease }}
+      - name: Publish to Visual Studio Marketplace
+        uses: HaaLeo/publish-vscode-extension@v1
+        with:
+          dryRun: ${{ steps.releaseMode.outputs.dryRun }}
+          extensionFile: ${{ steps.publishToOpenVSX.outputs.vsixPath }}
+          pat: ${{ secrets.VS_MARKETPLACE_TOKEN }}
+          preRelease: ${{ steps.releaseMode.outputs.preRelease }}
+          registryUrl: https://marketplace.visualstudio.com
+      - name: Github Release
+        uses: softprops/action-gh-release@v1
+        # if: ${{ ! steps.releaseMode.outputs.dryRun }}
+        with:
+          body: |
+            This release is also available on the [VSCode Marketplace](https://marketplace.visualstudio.com/items?itemName=SocketSecurity.vscode-socket-security) and [OpenVSX Registry](https://open-vsx.org/extension/SocketSecurity/vscode-socket-security).
+          files: ${{ steps.publishToOpenVSX.outputs.vsixPath }}
+          prerelease: ${{ steps.releaseMode.outputs.preRelease }}

.gitignore

@@ -0,0 +1,5 @@
+out/
+.DS_Store
+*.log
+node_modules/
+*.vsix

.vscode/launch.json

@@ -0,0 +1,37 @@
+// A launch configuration that compiles the extension and then opens it inside a new window
+// Use IntelliSense to learn about possible attributes.
+// Hover to view descriptions of existing attributes.
+// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+{
+	"version": "0.2.0",
+	"configurations": [{
+			"name": "Run Extension",
+			"type": "extensionHost",
+			"request": "launch",
+			"runtimeExecutable": "${execPath}",
+			"args": [
+				"--disable-extensions",
+				"--extensionDevelopmentPath=${workspaceFolder}"
+			],
+			"outFiles": [
+				"${workspaceFolder}/out/**/*.js"
+			],
+			"preLaunchTask": "npm: esbuild"
+		},
+		{
+			"name": "Run Extension Tests",
+			"type": "extensionHost",
+			"request": "launch",
+			"runtimeExecutable": "${execPath}",
+			"args": [
+				"--disable-extensions",
+				"--extensionDevelopmentPath=${workspaceFolder}",
+				"--extensionTestsPath=${workspaceFolder}/out/test"
+			],
+			"outFiles": [
+				"${workspaceFolder}/out/test/**/*.js"
+			],
+			"preLaunchTask": "npm: esbuild"
+		}
+	]
+}

.vscode/settings.json

@@ -0,0 +1,8 @@
+{
+    "todo-tree.tree.showBadges": true,
+    "todo-tree.tree.disableCompactFolders": true,
+    "cSpell.words": [
+        "esbuild",
+        "socketsecurity"
+    ]
+}

.vscode/tasks.json

@@ -0,0 +1,20 @@
+// See https://go.microsoft.com/fwlink/?LinkId=733558
+// for the documentation about the tasks.json format
+{
+	"version": "2.0.0",
+	"tasks": [
+		{
+			"type": "npm",
+			"script": "watch",
+			"problemMatcher": "$tsc-watch",
+			"isBackground": true,
+			"presentation": {
+				"reveal": "never"
+			},
+			"group": {
+				"kind": "build",
+				"isDefault": true
+			}
+		}
+	]
+}

.vscodeignore

@@ -0,0 +1,7 @@
+.vscode
+.DS_Store
+*.vsix
+node_modules
+*.js.map
+src/
+tsconfig.json

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Socket Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,23 @@
+# Socket Security Visual Studio Code Extension
+
+This extension provides automatic reporting of security concerns from [Socket Security](https://socket.dev). The features of this extension aim to provide guidance through all stages of development.
+
+## Ahead of Package Installation
+
+* `import` and `require` in Javascript are detected and given summary scores to show concerns with configurable overlays. These overlays will persist even after package installation.
+
+## After Package Installation
+
+Workspaces are against Socket's reporting utilities upon detection of `package.json` files. Note these also run prior to actual installation as the presence in `package.json` is enough.
+
+* `package.json` files and packages listed within are detected and run against more thorough issue reporting to see exact issues. These are listed in the "Problems" tab for easy access.
+
+* `import` and `require` of packages with issues found in reporting are provided hovers which also summarize their issues.
+
+## Pull Requests
+
+* Simplified github application installation is provided as a code lense inside of `package.json` files by detecting the user/organization and setting up the installation workflow automatically with a simple click. These reports are more fully featured and include things such as transitive issue aggregation and diffing from one commit to another. If you want these features please install [the github app](https://github.com/marketplace/socket-security).
+
+# Team Guide
+
+If you are in charge of a team you may wish to setup this up as a recommended extension or other organization level settings. Please refer to our docs.