Problem
Developers want security feedback while writing code, not after pushing to CI. Inkog currently works in VSCode through the MCP server integration with GitHub Copilot, but this requires Copilot and manual invocation. A native VSCode extension would provide real-time inline diagnostics, problems panel integration, and gutter icons — the same experience developers expect from ESLint or Pylint, but for AI agent security.
Current Behavior
- ✅ MCP server (`@inkog-io/mcp` on npm) works with Claude Desktop and GitHub Copilot in VSCode
- ✅ CLI can be run manually from the terminal
- ❌ No native VSCode extension
- ❌ No inline diagnostics or problems panel integration
- ❌ No real-time scanning on file save
Proposed Solution
Build a native VSCode extension that wraps the Inkog CLI:
Core features
- Diagnostics provider — Run `inkog -output json` on file save, parse findings, display as inline squiggles (red=CRITICAL, orange=HIGH, yellow=MEDIUM)
- Problems panel — Register findings with VSCode's diagnostic collection for the standard problems view
- Code actions — Quick-fix suggestions based on finding remediation text
- Status bar — Show scan status and finding count in the status bar
- Configuration — Settings for policy preset, severity threshold, scan-on-save toggle
Architecture
VSCode Extension (TypeScript)
├── Calls: inkog CLI binary (must be installed)
├── Parses: JSON output from -output json
├── Provides: DiagnosticCollection, CodeActionProvider
└── Config: extension settings → CLI flags
Extension settings
{
  "inkog.policy": "balanced",
  "inkog.severity": "MEDIUM",
  "inkog.scanOnSave": true,
  "inkog.cliPath": "inkog"
}
References
- `@inkog-io/mcp` on npm
Notes
- The extension should wrap the CLI binary, not embed detection logic (maintaining the dumb-client pattern)
- JSON output already includes `file`, `line`, `severity`, `description`, `remediation` — everything needed for diagnostics
- Consider workspace-level caching to avoid re-scanning unchanged files
- The MCP server integration should remain as a complementary option for Copilot Chat users
- This could live in a new `inkog-vscode/` directory in the monorepo or a separate repository
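A sketch of the parsing step between the CLI's JSON and the diagnostic collection, added here as an example and not taken from Inkog's code base. It assumes a top-level `findings` array and 1-based line numbers; `toDiagnostics`, `Diag`, `ScanResult` and the `error`/`warning`/`info` levels (stand-ins for VSCode's `DiagnosticSeverity`) are hypothetical names. It treats the CLI output as untrusted input, so a failed or malformed scan is reported rather than shown as a clean file.

```typescript
// Added example. Field names are from the issue; the top-level "findings"
// array and 1-based line numbers are assumptions about the CLI's JSON.
type Severity = "CRITICAL" | "HIGH" | "MEDIUM";
type Level = "error" | "warning" | "info";
interface Diag { file: string; line: number; level: Level; message: string; fix: string }
interface ScanResult { ok: boolean; diagnostics: Diag[]; rejected: number }

const RANK: Record<Severity, number> = { MEDIUM: 1, HIGH: 2, CRITICAL: 3 };
const LEVEL: Record<Severity, Level> = { CRITICAL: "error", HIGH: "warning", MEDIUM: "info" };
const FAILED: ScanResult = { ok: false, diagnostics: [], rejected: 0 };

function isSeverity(v: unknown): v is Severity {
  return typeof v === "string" && Object.prototype.hasOwnProperty.call(RANK, v);
}

// ok=false means the scan output was unusable: keep the previous diagnostics
// and show an error instead of presenting the file as clean.
function toDiagnostics(stdout: string, threshold: Severity): ScanResult {
  let parsed: unknown;
  try { parsed = JSON.parse(stdout); } catch { return FAILED; }
  const findings = (parsed as { findings?: unknown } | null)?.findings;
  if (!Array.isArray(findings)) return FAILED;
  const diagnostics: Diag[] = [];
  let rejected = 0;
  for (const f of findings) {
    const { file, line, severity, description, remediation } = (f ?? {}) as Record<string, unknown>;
    if (typeof file !== "string" || file === "" || typeof description !== "string" ||
        typeof line !== "number" || !Number.isInteger(line) || line < 1 || !isSeverity(severity)) {
      rejected++; // malformed entry: count it so the status bar can report it
      continue;
    }
    if (RANK[severity] < RANK[threshold]) continue; // below the inkog.severity setting
    diagnostics.push({
      file, line: line - 1, // VSCode positions are zero-based
      level: LEVEL[severity], message: description,
      fix: typeof remediation === "string" ? remediation : "",
    });
  }
  return { ok: true, diagnostics, rejected };
}

// Constructed sample output, not captured from a real scan.
const SAMPLE = JSON.stringify({ findings: [
  { file: "agent.py", line: 12, severity: "CRITICAL", description: "constructed finding A", remediation: "constructed fix A" },
  { file: "agent.py", line: 40, severity: "MEDIUM", description: "constructed finding B", remediation: "constructed fix B" },
  { file: "tools.py", line: 0, severity: "HIGH", description: "constructed, invalid line" },
  { file: "tools.py", line: 7, severity: "URGENT", description: "constructed, unknown severity" },
] });
```

With the sample above and a `HIGH` threshold, one diagnostic is produced and two entries are counted as rejected, which the extension could surface next to the finding count in the status bar.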