Snyk Blog

Vuln Cost: Effortless finding vulnerabilities in npm packages with VS Code

Written by:
Brian Vermeer
Brian Vermeer
wordpress-sync/Vul-costs

April 2, 2020

0 mins read

Editor’s note (Nov. 23, 2021):

The Vuln Cost extension is no longer being actively maintained. While you can continue to use this extension until it is officially deprecated, we recommend you install the official Snyk Vulnerability Scanner extension. This new extension provides all the functionality supported by Vuln Cost and enables you to find and fix issues in both your open source dependencies and your custom code.

Visual Studio Code is probably the most widely-used code editor for JavaScript developers. As 80 or maybe even 90 percent of the code developed is heavily dependent on open source packages, developers need to know what these packages do. Do you, for instance, know for all the packages you import if they contain known security vulnerabilities? The free, open source, Vuln Cost extension for VS Code can help you with this.

DOWNLOAD VULN COST FOR VS CODE

When adopting DevSecOps, developers also need to be aware of security issues. Specifically, when looking at the package you import from the “big bad” internet, the Vuln Cost extension for VS Code gives you instant feedback on possible security issues.The Vuln Cost extension shows you inline how many vulnerabilities a specific package contains the moment you import it into your code. 

wordpress-sync/vulncost-600

If the package does not have any known vulnerabilities, Vuln Cost will not bother you at all. Only the package containing vulnerabilities is inline decorated by Vuln Cost. The quick fix has an option that takes you to a resource page about the vulnerabilities in this project.

Importing package in HTML from your favorite CDN

Another feature Vuln Cost supports is the scanning of HTML files. Importing scripts from your CDN’s — like UNPKG — will be scanned in a similar way as the npm package mentioned above. This way you are not surprised by vulnerabilities, even if you don’t use npm.

vuln-cost-html-scan

More actionable information

vuln-cost-actionalbe-information

The Vuln Cost extension is easy to use and, most importantly, free. Install it from the VSCode marketplace and you are ready to go.  For the basic functionality, you don’t need even need to register. However, if you want more actionable information you can sign up for a free Snyk OSS account. Not only can Snyk help you secure your whole project in many different ways, but it also boosts the Vuln Cost extension.

By signing up or using an already existing free Snyk account, Vuln Cost gives you a breakdown of the vulnerabilities. Most importantly it shows you if the vulnerabilities found have a low, medium or high severity. Next to this, it can show you more information about this vulnerability of where the security issues exist in your project. This might be in a direct or a transitive dependency. Last but not least where possible it provides you with package upgrade advice to the closest version containing a fix for your vulnerabilities.

Remember, these more actionable features in Vuln Cost are, again, totally free. Just signing up freemium Snyk account is enough to enable it.Download the Vul Cost extension for VS Code

Download Vuln Cost for VS Code!

Live Hack: Exploiting AI-Generated Code

Gain insights into best practices for utilizing generative AI coding tools securely in our upcoming live hacking session.

Register now

Posted in:Open Source Security, Application Security
wordpress-sync/Vul-costs

Guide to Choosing a SAST Solution

See the process for assessing, selecting, and implementing a modern SAST solution based on a four phase process and find the best fit for your specific security needs.

See the guide
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon