Code PathFinder

Introducing SecureFlow Extension to Vibe Code Securely

Discover SecureFlow, a VS Code extension that helps developers write secure code by providing real-time security analysis, vulnerability detection, and guided remediation - all within your editor

@sshivasurya
July 29, 2025
SAST • Security • SecureFlow

Demo Session at Dev House Waterloo

Yesterday I demoed SecureFlow at DevHouse Waterloo at Builder’s Club, Waterloo. To my surprise, it was well received and I received a lot of positive feedback. If you’re around Kitchener-Waterloo, you should check out DevHouse Waterloo.

With large amounts of code being generated by large language models and by code generation tools like Claude Code, Windsurf, and GitHub Copilot, making sure that code is secure matters more than ever. In my opinion, nobody reads generated code or reviews it for errors, vulnerabilities, or security issues, and manual testing is not a viable option for large codebases.

This led me to think there should be an editor extension that can:

  • Profile the workspace to determine the nature of the application
  • Capture the current security state of the application
  • Analyze code changes from a security perspective
  • Help fix identified security issues

The SecureFlow extension is an attempt to see whether a security-focused editor extension fits into my development workflow. Nobody likes having obstacles between writing code, creating pull requests, and merging them. A good example is running trufflehog (one of my favorite OSS tools) as a pre-commit hook: it adds significant value by catching secrets in code, but it also adds a bit of friction every time I commit changes.

So I envisioned an editor extension that passively sits in the background, reads code changes, and alerts you when there’s a red flag. On top of that, I wanted something like an agent that can spin up and verify issues before reporting them. It’s a bit of a stretch, but I believe it’s a worthwhile approach.

While it’s tempting, or perhaps just pessimistic (thanks to Morgan for this wonderful article), to claim that agents can’t verify complex issues like integer overflows and use-after-free bugs, I think it’s valuable to cover the first 20% of the effort that captures 80% of the value. That means basic web vulnerabilities like SQLi, XSS, and CSRF, plus secrets detection.
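To make concrete what “analyze code changes from a security perspective” looks like for the classes just named, here is an added example written for this page; it is not SecureFlow’s own code and does not come from the post. It takes a unified diff, keeps only the added lines together with their new-file line numbers (so a finding can be placed in the editor), and runs three cheap checks over them: SQL statements built by string concatenation or template interpolation, DOM XSS sinks, and keyword-plus-high-entropy string literals that look like hardcoded secrets. The sample diff, the rule names, the regexes and the entropy threshold are all constructed for this example.

```typescript
// Added example (not SecureFlow's code): a minimal "analyze the change" pass
// over a unified diff, flagging the cheap-to-catch classes the post names.

interface AddedLine { line: number; text: string }

interface Finding {
  line: number;                      // line number in the NEW version of the file
  rule: "sqli" | "xss" | "secret";
  message: string;
  snippet: string;
}

// Walk a unified diff and return only the added lines, numbered by the
// new-file line they land on (taken from the "+start" part of each @@ header).
function extractAddedLines(diff: string): AddedLine[] {
  const out: AddedLine[] = [];
  let newLine = 0;
  for (const raw of diff.split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = parseInt(hunk[1], 10); continue; }
    if (raw.startsWith("+++") || raw.startsWith("---")) continue;   // file headers
    if (raw.startsWith("+")) { out.push({ line: newLine, text: raw.slice(1) }); newLine++; }
    else if (raw.startsWith("-")) { /* removed line: consumes no new-file line */ }
    else newLine++;                                                   // context line
  }
  return out;
}

// Shannon entropy in bits per character; random-looking tokens score high,
// placeholder values like "passwordpassword" score low.
function shannonEntropy(s: string): number {
  const counts = new Map<string, number>();
  Array.from(s).forEach((ch) => counts.set(ch, (counts.get(ch) || 0) + 1));
  let h = 0;
  counts.forEach((c) => { const p = c / s.length; h -= p * Math.log2(p); });
  return h;
}

// Heuristic rules (constructed for this example, deliberately simple):
const SQL_BUILD = /\b(?:query|execute|exec|raw)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+)/;
const XSS_SINK = /\.innerHTML\s*=|document\.write\s*\(|dangerouslySetInnerHTML/;
const SECRET_ASSIGN = /\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*["'`]([^"'`]{12,})["'`]/i;
const SECRET_ENTROPY_BITS = 3.5;   // assumed threshold; tune against your codebase

function analyzeAddedLines(lines: AddedLine[]): Finding[] {
  const findings: Finding[] = [];
  for (const { line, text } of lines) {
    const snippet = text.trim();
    if (SQL_BUILD.test(text)) {
      findings.push({ line, rule: "sqli", snippet,
        message: "SQL statement built from concatenation/interpolation; use a parameterised query" });
    }
    if (XSS_SINK.test(text)) {
      findings.push({ line, rule: "xss", snippet,
        message: "Raw HTML sink; use textContent or an escaping/sanitising API" });
    }
    const m = SECRET_ASSIGN.exec(text);
    if (m && shannonEntropy(m[1]) > SECRET_ENTROPY_BITS) {
      findings.push({ line, rule: "secret", snippet,
        message: "High-entropy literal assigned to a credential-like name; load it from the environment" });
    }
  }
  return findings;
}

function analyzeDiff(diff: string): Finding[] {
  return analyzeAddedLines(extractAddedLines(diff));
}

// Constructed sample diff: one parameterised query replaced by a concatenated one,
// a live-looking API key, a low-entropy placeholder password, and an innerHTML sink.
const SAMPLE_DIFF = `diff --git a/src/users.ts b/src/users.ts
--- a/src/users.ts
+++ b/src/users.ts
@@ -10,4 +10,7 @@ import { db } from "./db";
 export async function findUser(req, res) {
-  const user = await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
+  const user = await db.query("SELECT * FROM users WHERE id = " + req.params.id);
+  const apiKey = "sk_live_4f9Q2mZ8pL1xR7vT0bN3cH6wK";
+  const password = "passwordpassword";
+  document.getElementById("out").innerHTML = user.name;
   res.json(user);
 }
`;

for (const f of analyzeDiff(SAMPLE_DIFF)) {
  console.log(`line ${f.line} [${f.rule}] ${f.message}\n    ${f.snippet}`);
}
```

Run against the sample diff this reports the concatenated query on line 11, the API key on line 12 and the innerHTML assignment on line 14; the placeholder password on line 13 matches the credential keyword but falls below the entropy threshold and is left alone, which is the trade-off a passive, low-friction checker has to make between noise and missed placeholders.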

Today SecureFlow is in its early stages and is driven manually by the developer to:

  • Profile the workspace to determine the nature of the application
  • Capture the current security state of the application
  • Analyze code changes from the version control toolbar

The extension is available on the VS Code Marketplace and on Open VSX for editors like Windsurf, Cursor, etc.

  • It is open source
  • BYOK (Bring Your Own Key) for supported AI models (Gemini, Claude, OpenAI, etc.)
  • No private code or data is sent to any server operated by the project; with BYOK, analysis requests go directly from your editor to the model provider whose key you configured
  • PostHog for usage analytics
    • It’s optional: disable it and restart the editor if you don’t want usage data sent to PostHog

It still has many rough edges, so if you try it out and find any issues, please open an issue on GitHub. Your feedback is valuable for improving SecureFlow.
