By integrating the Contrast Security Visual Studio Code extension into your IDE, you can map vulnerabilities to your source code at the file and line number. The extension imports your IAST and SCA vulnerabilities, or your SAST vulnerabilities, from the latest sessions or scans, and gives you actionable information on each vulnerability found.
**Comprehensive vulnerability analysis**

The extension connects your IDE to the Contrast Platform so you can analyse any of your IAST applications or SAST projects directly within the IDE. Vulnerability summaries appear right at the file and line number, highlighting the risk and giving a short summary of the remediation you can take; each entry also links back to the Contrast Platform. IAST vulnerabilities are fetched together with SCA library vulnerabilities.
**Broad language and framework support**

The extension works with any language and framework that the Contrast Platform supports for IAST, SCA and SAST analysis.
**Build from source**

- Clone the VS Code plugin repository.
- Open the cloned project directory in VS Code.
- Install dependencies by running `npm install` in the terminal.
- Build the project by running `npm run build` in the terminal.
- Package the plugin using vsce (Visual Studio Code Extension Manager). If vsce is not installed, first install it by running `npm install -g @vscode/vsce`.
- Run `vsce package` to generate the `.vsix` file.
**Install from the Marketplace**

- Open VS Code.
- Go to the Extensions view (Ctrl+Shift+X).
- Search for "Contrast" and click the extension to view more details.
- Click the Install button on the extension's page.
- Restart VS Code if required after installing the Contrast extension (optional).
**Install from a .vsix file**

- Launch Visual Studio Code on your system.
- Go to the Extensions view (Ctrl+Shift+X).
- Click the ellipsis (⋮) in the top-right corner and select Install from VSIX…
- Navigate to the location of the `.vsix` file and select it.
**Troubleshooting and FAQ**

| Issue | ✅ Solution |
|---|---|
| Vulnerabilities are not mapping to the current file | Ensure the file name matches exactly, and confirm the full file path is correct. |
| Why are vulnerabilities listed under the "Unmapped Vulnerabilities" section in the vulnerability report? | Vulnerabilities appear in the Unmapped Vulnerabilities section when essential metadata is missing, specifically the file path and the line number. These details are usually shown in the vulnerability's Overview section; make sure you are reviewing the Overview and using the latest report. Without this metadata, Contrast cannot map the issue to a specific file and line in your code, so such issues are grouped here for visibility. |
| Why is there an interlock mechanism implemented in the Contrast plugin? | The interlock mechanism maintains data consistency and avoids conflicts when working with vulnerabilities in your IDE. How it works: a user can fetch vulnerabilities from only one source type at a time (either Assess or Scan). When switching source types (for example, from Assess to Scan), the user is prompted to clear the existing cache before fetching vulnerabilities from the new source type. This ensures the plugin does not mix data between the two source types, avoiding incorrect mappings or duplicated entries. Flexibility across IDEs: users can still work with different source types for different applications across multiple IDEs without restriction. |
| Why does the Path tab sometimes show a "No Path Found" message under the Library Report? | The "No Path Found" message appears when the library is not detected in any manifest file. Expected behavior: if the library exists in one or more manifest files, the path(s) are listed; if not, the plugin displays "No Path Found" in the Path tab under the Library Report. |
| Why do policy violation icons appear after library vulnerabilities in the Tree View (Library Vulnerability section)? | The policy violation icons mark libraries that violate organizational rules and are shown after library vulnerabilities for additional context. Icon types: 🔴 Restricted License (red): "Organization prohibits use of this license." 🟠 Restricted Library (orange): "This is a restricted library and is flagged as a library policy violation." 🟡 Outdated Library (yellow): "Your organization has set rules on allowed library versions to keep applications compatible and secure. Please update and use the latest library available." |
| Why do some libraries appear under Unmapped CVEs in the Library Report? | Libraries appear under Unmapped CVEs when they do not have any associated CVEs. They are listed separately because no known CVEs have been mapped to them. |
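The first two FAQ entries describe one rule: a finding can be placed in the editor only when the platform reports both a file path and a line number, and the path resolves to a file in the open workspace. The following TypeScript is an added illustration of that rule and is not the extension's own code; the `Finding` shape, the workspace root `/home/dev/app`, the file list and the sample findings are all constructed for the example. It shows why a finding with no path or line lands in the unmapped bucket, and separates "same file name under a different path" (the "confirm the full file path" case) from "no such file name at all".

```typescript
// Added example: not the Contrast extension's own code. Illustrates the mapping
// rule from the FAQ: a finding is placed at a file and line only when both a file
// path and a line number are reported and the path resolves to a workspace file;
// otherwise it goes to an "unmapped" bucket with a reason.
// The Finding shape, workspace root and sample findings are constructed here.

interface Finding {
  id: string;
  title: string;
  filePath?: string;   // as reported by the platform; may be absolute or repo-relative
  lineNumber?: number; // 1-based
}

interface MappedFinding { finding: Finding; workspaceFile: string; line: number; }
interface UnmappedFinding { finding: Finding; reason: string; }
interface MappingResult { mapped: MappedFinding[]; unmapped: UnmappedFinding[]; }

// Normalize separators and strip a leading "./" so Windows- and POSIX-style paths
// compare equal. The comparison stays case-sensitive: the file name must match exactly.
function normalizePath(p: string): string {
  return p.replace(/\\/g, "/").replace(/\/+/g, "/").replace(/^\.\//, "");
}

function baseName(p: string): string {
  return p.substring(p.lastIndexOf("/") + 1);
}

function mapFindings(findings: Finding[], workspaceRoot: string, workspaceFiles: string[]): MappingResult {
  const root = normalizePath(workspaceRoot).replace(/\/$/, "");
  // Index workspace files by workspace-relative path.
  const byRelPath: { [rel: string]: string } = {};
  for (const f of workspaceFiles) {
    byRelPath[normalizePath(f)] = f;
  }

  const mapped: MappedFinding[] = [];
  const unmapped: UnmappedFinding[] = [];
  for (const finding of findings) {
    if (!finding.filePath) {
      unmapped.push({ finding, reason: "missing file path" });
      continue;
    }
    if (!finding.lineNumber || finding.lineNumber < 1) {
      unmapped.push({ finding, reason: "missing line number" });
      continue;
    }
    // Absolute paths under the workspace root become relative; anything else is
    // taken as already relative to the root.
    let rel = normalizePath(finding.filePath);
    if (rel.indexOf(root + "/") === 0) {
      rel = rel.substring(root.length + 1);
    }
    const hit = byRelPath[rel];
    if (hit === undefined) {
      // Tell "same file name elsewhere" apart from "no such file": the first usually
      // means the reported path and the workspace layout disagree, the second that
      // the file name itself differs.
      const base = baseName(rel);
      const sameName = Object.keys(byRelPath).filter(k => baseName(k) === base);
      const reason = sameName.length > 0
        ? "path mismatch: " + base + " exists at " + sameName.join(", ")
        : "no file named " + base + " in workspace";
      unmapped.push({ finding, reason });
      continue;
    }
    mapped.push({ finding, workspaceFile: hit, line: finding.lineNumber });
  }
  return { mapped, unmapped };
}

// Constructed sample workspace and findings (not real Contrast output).
const sampleFiles = ["src/controllers/UserController.java", "src/util/Db.java", "pom.xml"];
const sampleFindings: Finding[] = [
  { id: "V1", title: "SQL Injection", filePath: "/home/dev/app/src/util/Db.java", lineNumber: 42 },
  { id: "V2", title: "Cross-Site Scripting", filePath: "src\\controllers\\UserController.java", lineNumber: 17 },
  { id: "V3", title: "Path Traversal", filePath: "app/src/util/Db.java", lineNumber: 9 },
  { id: "V4", title: "Insecure Cookie" },
  { id: "V5", title: "Weak Random", filePath: "src/util/Db.java" },
];

function demo(): MappingResult {
  return mapFindings(sampleFindings, "/home/dev/app", sampleFiles);
}

for (const m of demo().mapped) {
  console.log(m.finding.id + " -> " + m.workspaceFile + ":" + m.line);
}
for (const u of demo().unmapped) {
  console.log(u.finding.id + " unmapped (" + u.reason + ")");
}
```

Running `demo()` maps V1 and V2 (an absolute path under the workspace root and a Windows-style relative path), and leaves V3, V4 and V5 unmapped with reasons that point at the fix: V3 has the right file name under a different path, V4 has no path at all, and V5 has a path but no line number. Matching here is deliberately exact and case-sensitive; loosening it to a base-name match would make findings "map" to the wrong copy of a file when a project contains several files with the same name.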