Skip to main content

Contrast Visual Studio Code plugin

Use the Visual Studio Code plugin to see vulnerability information for instrumented applications from Visual Studio Code environments when Contrast discovers security problems during functional tests.

The plugin shows you an overview of all vulnerabilities found in the application, as well as details for each vulnerability, like the HTTP request that exposed the vulnerability to Contrast.

The plugin supports Visual Studio Code versions 1.42.1 and later.


Integrations are to be used with Contrast Assess.

To install, configure and use the Visual Studio Code plugin:

  1. In Visual Studio Code, go to the Extensions view and search “Contrast Security”.

  2. Select Install. After installation, restart Visual Studio Code.

  3. To authenticate to your Contrast account, select the Settings icon in the Contrast Security view.

  4. Select Workspace and enter your API keyOrganization IDContrast URL, and Authorization header. You can find these values in your profile.

  5. Select Test Contrast connection to validate your credentials. You will see a message that confirms either a successful connection or invalid credentials.

  6. Select the Refresh icon to update vulnerability information. Under Contrast Security, you can see vulnerabilities grouped by Severity and ordered by Status. Select a vulnerability to view more details like How to FixHTTP InformationDetails, and Overview .

    You can also see when the vulnerability was last detected and the current status. Vulnerability details display in the code editor under Output.


With the plugin, you can filter vulnerabilities by:

  • Vulnerability metadata:

    • Application name

    • Status (such as Reported, Not a Problem, Remediated)

    • Environment (development, test, or production)

    • Tags (custom labels applied to vulnerabilities)

    • Detection date (specifically, First and Last detected)

  • Session metadata:

    • Committer

    • Commit hash

    • Branch name

    • Git tag

    • Repository

    • Test run

    • Version

    • Build number

For example, you can choose to display only those vulnerabilities found on a specific feature branch (Branch Name) and committed directly by you (Committer), filtering out vulnerabilities introduced by a different developer on a separate feature branch.

Someone else can choose to filter vulnerabilities so that they only see results from a specific build (Build Number) that was blocked by their security team. They can immediately pinpoint the subset of vulnerabilities that need to be resolved before deploying the merged feature branch.