Security Notes

A Visual Studio Code extension to aid code reviews from a security perspective.


Security Notes allows the creation of notes within source files, which can be replied to, reacted to using emojis, and assigned statuses such as "TODO", "Vulnerable" and "Not Vulnerable".

It can also import the output of SAST tools (currently only Semgrep) as notes, so findings can be triaged in place rather than in a separate report.

Finally, you can collaborate with others through a centralized notes database that is synced in real time: create a note locally and it is pushed automatically to everyone working on the project with you.

Try it out!

Download the extension directly from the Visual Studio Marketplace and you should be ready to go :)

Alternative installation methods

Alternatively, use one of the following:

  • Download the latest release file (with the .vsix extension) and install it manually in VSCode via Extensions > Install from VSIX
  • Build the extension yourself:
    • Clone the repo
    • Install the VS Code Extension Manager with npm install -g @vscode/vsce
    • Create a .vsix package with vsce package, then install it via Extensions > Install from VSIX as above

Basic Usage

Notes are attached to lines of a source file. Each note can be replied to, reacted to with emojis, and assigned a status such as "TODO", "Vulnerable" or "Not Vulnerable" as the review progresses.

Demo for basic usage

Local database for notes

By default, your notes are saved to a JSON file when you close VSCode. When you open the project again, the saved notes are loaded and shown in the UI. Since that file records which code you consider vulnerable, treat it as being as sensitive as the review itself.

Collaboration Mode

Because chasing bugs with friends is more fun :)

Security Notes can share notes in real time with other users. To do so, it uses the RethinkDB real-time database.

First, make sure you have a RethinkDB instance up and running. Then set your author name and the database connection information in the extension's settings, and you are ready to go. See the section below for details.

Collaboration mode in action:

Demo for collaboration

Setting up the RethinkDB database

We recommend following the RethinkDB installation guide. In addition, hardening steps such as setting a password for the admin user (RethinkDB's admin account has no password by default; one can be set at first start with the --initial-password option) and enabling TLS for the driver and web-UI ports are strongly encouraged.

Naturally, you will want to collaborate with remote peers. To do so securely, we recommend reaching RethinkDB through an SSH tunnel or a VPN such as Tailscale. RethinkDB binds to localhost by default; keeping it that way and tunnelling to it means the instance is never exposed to the public internet and the note traffic is encrypted in transit.

Important notices: when collaborating with others, make sure every VSCode instance opens the project at the same relative location. For example, if the repository you are reviewing has a directory structure like source_code/app/src, all peers should open VSCode at the same level. Security Notes stores note locations as relative paths, so a note created by one peer can only be placed correctly if the others compute the same relative path. Also, after enabling the collaboration setting, VSCode must be restarted or reloaded for the change to take effect.

Importing SAST results

The extension can import the output of SAST tools (currently only Semgrep) as notes, so each finding becomes a note on the reported line that you can triage, reply to and mark "Vulnerable" or "Not Vulnerable":

Demo for semgrep import
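As an added example (not the extension's own import code), the following shows how Semgrep's JSON output is mapped onto notes. The Semgrep field names (`results[].check_id`, `.path`, `.start.line`, `.extra.message`, `.extra.severity`, `errors[]`) are those of `semgrep --json`; the note shape, the function names, the rule IDs and the sample document are constructed for illustration.

```javascript
// Added example, not part of the Security Notes extension.

// Semgrep reports paths relative to the directory it was run from; normalize
// them to POSIX form without a leading "./" so they match workspace-relative keys.
function toPosix(p) {
  return p.split('\\').join('/').replace(/^\.\//, '');
}

// Map one Semgrep result to a note. Every imported finding starts as "TODO":
// a SAST hit is a lead, not a confirmed vulnerability, until a reviewer looks at it.
function resultToNote(r) {
  return {
    file: toPosix(r.path),
    line: r.start.line,
    status: 'TODO',
    body: `[${r.extra.severity}] ${r.check_id}: ${r.extra.message.trim()}`,
  };
}

// Parse a whole Semgrep JSON document. Duplicate hits on the same
// (file, line, rule) collapse into one note, and scan errors are returned
// rather than dropped so a partial scan is not mistaken for a clean one.
function importSemgrep(jsonText) {
  const doc = JSON.parse(jsonText);
  if (!Array.isArray(doc.results)) {
    throw new Error('not Semgrep JSON output: missing results[]');
  }
  const seen = new Set();
  const notes = [];
  for (const r of doc.results) {
    const key = `${toPosix(r.path)}:${r.start.line}:${r.check_id}`;
    if (seen.has(key)) continue;
    seen.add(key);
    notes.push(resultToNote(r));
  }
  const errors = (doc.errors || []).map((e) => e.message);
  return { notes, errors };
}

// Constructed sample (not from a real scan), shaped like `semgrep --json` output.
// Rule IDs are hypothetical; the first two results are the same hit reported twice.
const SAMPLE_SEMGREP_JSON = JSON.stringify({
  version: '1.0.0',
  results: [
    { check_id: 'example.sql-injection', path: './app/src/db.js',
      start: { line: 42, col: 3 }, end: { line: 42, col: 60 },
      extra: { message: 'User input flows into a SQL query string.', severity: 'ERROR' } },
    { check_id: 'example.sql-injection', path: 'app/src/db.js',
      start: { line: 42, col: 3 }, end: { line: 42, col: 60 },
      extra: { message: 'User input flows into a SQL query string.', severity: 'ERROR' } },
    { check_id: 'example.unsafe-regex', path: 'app/src/validate.js',
      start: { line: 7, col: 1 }, end: { line: 7, col: 30 },
      extra: { message: 'Regular expression may be vulnerable to ReDoS.', severity: 'WARNING' } },
  ],
  errors: [
    { code: 3, level: 'warn', type: 'Timeout', message: 'Timeout when running rules on app/src/big.js' },
  ],
});

const imported = importSemgrep(SAMPLE_SEMGREP_JSON);
console.log(imported.notes);  // two notes, both status "TODO"
console.log(imported.errors); // one timeout: app/src/big.js was not fully scanned
```

Keeping the `errors` array visible matters in a review: a rule that timed out on one file means that file has no findings for the wrong reason, and the reviewer should look at it by hand rather than mark it clean.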

Extension Settings

The extension's settings can be configured in VSCode's User Settings page (Cmd+Shift+P / Ctrl+Shift+P -> Preferences: Open Settings (UI)):

Screenshot of the extension settings

Contributing

We welcome contributions to Security Notes! There are many ways you can help:

  • Report bugs
  • Submit patches and features
  • Add support for additional SAST tools
  • Follow us on Twitter :)

Development and Debugging

  • Clone the repo
  • Run npm install to install dependencies
  • Run the Run Extension target in the Debug View. This will:
    • Start a task npm: watch to compile the code
    • Run the extension in a new VS Code window

Acknowledgments

This project is based on the comment-sample extension.

Additionally, the code for the note reactions was inspired by comment-reactions.

License

Licensed under the MIT License.

Contributors

awilson-rs, ggabarrin, v8vito