Skip to main content

Use the Contrast Visual Studio Code plugin with Contrast

Use the Contrast Visual Studio Code IDE (Integrated Development Environment) plugin to integrate security vulnerabilities with Contrast Assess and Contrast Scan. It provides comprehensive information about vulnerabilities associated with projects (Contrast Scan) and applications (Contrast Assess) on a near real-time basis.

Key features

  • Vulnerability report

    • Lets you view vulnerabilities associated with applications for Contrast Assess and projects in Contrast Scan.

    • Provides filters such as severity, status, and discovery dates to refine the search on the vulnerability list.

  • Current file

    • Provides a tree view of the list of vulnerabilities associated with the current file open in the IDE with visual indicators based on criticality.

    • Provides the ability to navigate to a line of code with contextual annotations.

  • Detailed vulnerability information

    • Contrast Assess provides in-depth details about each vulnerability, such as remediation steps, event logs, and options to mark or categorize the issue.

    • The user interface provides a seamless navigation of the associated details related to each vulnerability in a dedicated tab view to enhance the user experience.

  • Schedulers

    • Automates fetching of vulnerabilities for applications (for Contrast Assess) and projects (for Contrast Scan) based on a configurable schedule without manual intervention

Before you begin

  • Make sure you have the supported system requirements:

    • CPU: Quad-core

    • RAM: 16 GB

    • Storage: SSD, 128 GB

    • Monitor: 1080p

  • Make sure you are using supported software versions:

    • Visual Studio Code IDE 1.96.0, 1.97.0, or 1.98.0

    • Windows 11, Ubuntu 22.04.5 LTS, or Mac OS Sequoia 14.x

    • Node.js 20.17.0

Install the Visual Studio Code plugin

  1. In Visual Studio Code, go to the Extensions view (CTRL + Shift + X or Command + Shift + X) and search for Contrast Security.

  2. Select Contrast IDE and select Install.

    After installation, restart Visual Studio Code.

  3. In the left navigation, select the Contrast icon (icon-VSCode-plugin.png).

  4. In the activity bar, select Contrast Settings.

  5. Enter your API keyOrganization ID and Contrast URL, . You can find these values in your Contrast profile.

  6. Select Retrieve

    If the selected source is Assess, the plugin displays this message: Application Retrieved Successfully. If the selected source is Scan, the plugin displays this message: Project Retrieved Successfully.

Use the Visual Studio Code plugin with Contrast Assess

  1. In Visual Studio Code, in the left navigation, select the Contrast icon (icon-VSCode-plugin.png).

  2. In the activity bar, select Contrast Settings.

  3. In Contrast Settings, select Assess as the Source.

  4. Select the application you want to assess and select Add.

  5. Optionally, set the Vulnerability Refresh Cycle to manage the frequency of auto-refreshing vulnerability details.

  6. Select Retrieve to retrieve the application list.

  7. Select Contrast Assess.

  8. Select the Retrieve Vulnerability tab.

  9. Select filters and then retrieve the vulnerabilities for the configured application:

    • In the Application dropdown, select an application.

    • Optionally, select any of these filters: build number, severity, status, filter time frame, or session metadata (if configured for the application).

  10. Select Run.

  11. View results in the Vulnerability Report tab.

    1. To view additional details about a specific vulnerability, select it.

      This action opens a set of tabs where you can view the details.

    2. In the Overview tab, view the details for the first detected date, the last detected date, the cause for the vulnerability, and the risk associated with the vulnerability.

    3. In the How to Fix tab, view remediation instructions to fix the vulnerability.

    4. In the Events tab, view a summary of the events for\ the vulnerability.

      Based on the type of the event, the event status is displayed.

    5. In the Http Request tab, view whether the issue is fixed.

      If it isn't fixed, the issue reappears with a status of Reported

    6. In the Tags tab (icon-tag.svg), view the list of tags in the organization as well as tags for the vulnerability.

      You can also create a new tag for the vulnerability.

    7. In the Mark as tab, view all the status values in the dropdown.

      Select any value and add a comment for a selected vulnerability.

    8. To view the details in the Contrast web interface, select the Redirect (outline_open_in_new_black_24dp.png) icon.

    9. To manually refresh the displayed details, select the Refresh (icon-restart.svg) icon.

  12. View the vulnerabilities associated with the active open file in the IDE in the Current File tab.

    1. In the Status bar at the bottom of the Current File tab, view the total number of vulnerabilities in the file, according to severity (Critical, High, Medium, Low, or Note).

    2. View details of a specific vulnerability by selecting it. This action takes you to the line of code where Contrast found the vulnerability.

    3. To view details about severity, advice, last detected date, status, and more options, hover on the line of vulnerability.

Use the Visual Studio Code plugin with Contrast Scan

  1. In Visual Studio Code, in the left navigation, select the Contrast icon (icon-VSCode-plugin.png).

  2. In the activity bar, select Contrast Settings.

  3. In Contrast Settings, select Scan as the Source.

  4. Select Retrieve. to retrieve the project list.

  5. Select a project you want to scan and select Add.

  6. To edit the credentials for a project:

    1. Select it in the table

    2. Select the Edit (icon-edit.svg) icon.

    3. Change the credentials and select Update.

  7. To delete a project, select the project in the table and select the Delete (icon-delete.svg) icon.

  8. To run a scan:

    1. Verify that you have the code project open in the IDE and that the project name matches the name in Contrast Scan.

      Note

      The relative path in the IDE must match what is in Contrast Scan so it can make vulnerability inferences.

    2. In the activity bar, select Contrast Scan.

    3. In the Filter tab, select filters for status and severity.

    4. Select Run.

  9. To view results:

    1. Select the Vulnerability Report tab.

      To view details for severity, advice, last detected date, status and more options, hover on the line of vulnerability.

    2. In the Current File tab, view insights about a vulnerability in the current file.

      You can select the severity levels (Critical, High, Medium, Low) in the VSCode status bar to open the Current File tab.

  10. To view vulnerabilities for a specific project when multiple projects are open:

  11. If you have multiple projects open in the workspace, move the project you want to view to the first position in the VS Code IDE.

    This action automatically updates the Scan project select in the Contrast Settings view.

In this section: