
LSP server + VSCode extension

Vulkro ships a Language Server Protocol server (vulkro-lsp) and a thin VSCode extension that consumes it.

The LSP surfaces vulkro findings inside your editor as diagnostics, with hover-to-explain and quick-fix code actions for the handful of categories Vulkro can patch automatically.

Install

The vulkro-lsp binary is installed alongside vulkro by the install script. The VSCode extension is distributed separately - contact the Vulkro team for access.

What you get

  • Diagnostics on save. Open any Python / JS / TS / Go / Ruby / Java / Kotlin / C# / PHP file inside a project with a .git, Cargo.toml, package.json, or pyproject.toml root marker. Save the file. Vulkro re-scans the project root and surfaces findings under the cursor.

  • Hover to explain. Hovering a diagnostic surfaces the confidence_reason, remediation, and code_snippet in a Markdown popup.

  • Quick-fix code actions for three categories:

    • cors-wildcard (replace * with allow-list)
    • debug-mode-on (flip DEBUG=True / app.debug = True off)
    • hardcoded-secret (move literal into process.env / os.environ lookup)

    Other categories are listed without an automated fix.
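As an added illustration, not Vulkro's own code (this page does not show how vulkro-lsp builds its fixes), the sketch below shows the shape of the three quick-fixes above packaged as an LSP CodeAction carrying a WorkspaceEdit, which is the structure an editor applies; the finding schema, file names, placeholder secret and the allow-list origin are assumptions.

```python
import re

# Constructed sample findings. Field names mirror the ones this page mentions
# (category, code_snippet) but the scanner's real schema is an assumption.
FINDINGS = [
    {"category": "cors-wildcard", "file": "/src/server.js", "line": 12,
     "code_snippet": "app.use(cors({ origin: '*' }));"},
    {"category": "debug-mode-on", "file": "/src/settings.py", "line": 3,
     "code_snippet": "DEBUG = True"},
    {"category": "hardcoded-secret", "file": "/src/config.py", "line": 7,
     "code_snippet": 'STRIPE_KEY = "sk_live_PLACEHOLDER_NOT_A_REAL_KEY"'},
]

# Matches `NAME = "literal"` with an optional JS declaration keyword and `;`.
SECRET_LINE = re.compile(
    r"""^(\s*)(?:(const|let|var)\s+)?([A-Za-z_]\w*)\s*=\s*(["']).*\4\s*;?\s*$""")

def fix_text(category, path, snippet):
    """Return the patched line for the three fixable categories, else None."""
    is_py = path.endswith(".py")
    if category == "cors-wildcard":
        # Swap the wildcard for an explicit allow-list the developer then edits
        # (the origin below is a placeholder, not a value from this page).
        return re.sub(r"""(["'])\*\1""", "['https://app.example.com']", snippet)
    if category == "debug-mode-on":
        return re.sub(r"\bTrue\b", "False", snippet) if is_py else re.sub(r"\btrue\b", "false", snippet)
    if category == "hardcoded-secret":
        m = SECRET_LINE.match(snippet)
        if m:
            indent, decl, name = m.group(1), m.group(2), m.group(3)
            lookup = f'os.environ["{name}"]' if is_py else f"process.env.{name}"
            tail = ";" if snippet.rstrip().endswith(";") else ""
            return f"{indent}{decl + ' ' if decl else ''}{name} = {lookup}{tail}"
    return None  # a category the page lists without an automated fix

def code_action(finding):
    """Wrap a fix as an LSP CodeAction whose WorkspaceEdit replaces one line."""
    new_text = fix_text(finding["category"], finding["file"], finding["code_snippet"])
    if new_text is None:
        return None  # the diagnostic is still shown, but no quick-fix is offered
    line = finding["line"] - 1  # LSP positions are zero-based
    return {
        "title": f"Vulkro: fix {finding['category']}",
        "kind": "quickfix",
        "edit": {"changes": {"file://" + finding["file"]: [{
            "range": {"start": {"line": line, "character": 0},
                      "end": {"line": line, "character": len(finding["code_snippet"])}},
            "newText": new_text}]}},
    }
```

An edit like this only removes the literal from the working tree; a secret that was already committed still needs rotating, and the Python variant also needs an `import os` that a real fix would add.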

Settings

Setting           Default       Purpose
vulkro.lspPath    vulkro-lsp    Override the binary path (e.g. for a vendored install).

How the LSP talks to the scanner

The LSP runs the scan in-process - no subprocess, no JSON-over-pipe.

That means the LSP gets the same detection results as the CLI, including:

  • The full extractor set (Python / Node / TS / Go / Ruby / Java / Kotlin / C# / PHP).
  • The auth model (AuthTier, AuthRequirement, TenantScoping).
  • Reachability gating, taint analysis, cross-service correlation, the lot.

It also inherits the CLI's --min-confidence high default, so the findings the editor surfaces are the same ones CI would surface.

Performance

Today the LSP re-scans the whole project root on every save. For a 5k-file repo that's typically 1-3 seconds; for a 50k-file monorepo it can be 10-30 seconds. Incremental scanning is wired in the engine and benefits subsequent saves dramatically; the first save after opening the editor is the expensive one.

If you want a faster feedback loop, run vulkro scan . --watch (documented in CLI -> scan) in a side terminal. An LSP-native watch mode is on the roadmap.

Disabling the background update check from inside the editor

The LSP server does not trigger the vulkro-cli update-check thread (those are separate processes). But if you want to suppress all network egress from this binary, set:

// settings.json
{
  "terminal.integrated.env.osx": {
    "VULKRO_NO_UPDATE_CHECK": "1",
    "VULKRO_OFFLINE": "1"
  }
}

(Adapt osx -> linux / windows as needed.)

What this isn't (yet)

  • No standalone JetBrains plugin. The LSP works with any LSP-aware editor in principle (Neovim's nvim-lspconfig, Helix, Zed). VSCode is the only one with a packaged extension today.
  • No project-wide quick-fixes. Code actions are per-finding; a "fix all CORS wildcards in this repo" command is not wired.
  • No real-time as-you-type diagnostics. Triggered on save, not on every keystroke.

See also

  • vulkro scan - the CLI front-door that produces the same findings the LSP surfaces.