Integrate the Cortex Cloud code security plugin with your VS Code IDE to enhance security during development. The plugin scans for security policy violations using both default and custom policies, allowing you to identify and resolve issues before committing code, reducing the risk of pull request failures due to undetected problems.
Choose your security level
Enhanced security with Cortex AppSec integration (recommended): For comprehensive security analysis, connect the plugin to Cortex Cloud using your Cortex Cloud API Key and API Key ID (see Prerequisites below for more information about API keys). This option provides the full functionality of the platform security features.
Basic open-source functionality: If you prefer not to use access credentials, you can still benefit from the plugin's basic open-source features. These features provide a foundational level of security analysis, helping you identify common vulnerabilities. However, you will not have access to Cortex Cloud.
Supported scan categories
The plugin scans these code security categories:
Secrets: Identifies sensitive data embedded in code, such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and pass-phrases
IaC: Misconfigurations in IaC templates such as Kubernetes and Terraform. For a list of supported IaC frameworks, see Supported frameworks
SCA vulnerabilities: Includes security issues in both direct and transitive open-source dependencies
Licenses: Software license noncompliance
Package Integrity: Assesses the operational risk and potential impact of each package in your codebase
Prerequisites
Before you begin:
Permissions: CLI read-only permissions. Refer to Cortex CLI for more information about permissions
Environment setup
macOS and Windows: Install Python 3.9.x to 3.12.x
Install Node.js version 22 and above for SCA scans (such as vulnerability scans)
On the Cortex Cloud console: Retrieve your access key and URL for authentication purposes when setting up the plugin
Note
When generating an API key, ensure you select the Standard security level.
Retrieve your Cortex Cloud API URL: Navigate to → → →
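Before installing, it is worth confirming that the interpreters on the workstation fall inside the ranges listed above. The following POSIX shell script is an added example, not part of the Cortex Cloud documentation or the plugin itself; it assumes python3 and node are on PATH and checks only the version ranges this page states.

```shell
#!/bin/sh
# Added example (not from the Cortex Cloud docs): verify the plugin's
# interpreter prerequisites. Python must be 3.9.x to 3.12.x; Node.js must
# be 22 or newer (needed for SCA scans). Versions are split into numeric
# fields rather than pattern-matched, so "3.10" is not mistaken for "3.1".

# python_version_ok "3.11.4"  -> returns 0 when within 3.9.x .. 3.12.x
python_version_ok() {
    v=${1#"Python "}            # accept "Python 3.11.4" as printed by python3 --version
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$major" -eq 3 ] 2>/dev/null || return 1
    [ "$minor" -ge 9 ] 2>/dev/null && [ "$minor" -le 12 ] 2>/dev/null
}

# node_version_ok "v22.3.0"  -> returns 0 when the major version is 22 or above
node_version_ok() {
    v=${1#v}                    # node --version prints a leading "v"
    major=${v%%.*}
    [ "$major" -ge 22 ] 2>/dev/null
}

# Query the installed interpreters and report; exit status 0 means both pass.
check_prerequisites() {
    ok=0
    if py=$(python3 --version 2>/dev/null) && python_version_ok "$py"; then
        echo "python: $py (ok)"
    else
        echo "python: ${py:-not found} (need 3.9.x to 3.12.x)"; ok=1
    fi
    if nd=$(node --version 2>/dev/null) && node_version_ok "$nd"; then
        echo "node:   $nd (ok)"
    else
        echo "node:   ${nd:-not found} (need 22 or above for SCA scans)"; ok=1
    fi
    return $ok
}
```

Run `check_prerequisites` after sourcing the script; a non-zero exit means at least one interpreter is missing or outside the supported range.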
Installation
You can install the plugin directly through your IDE extensions panel or the Visual Studio Marketplace. After completing the installation, restart your IDE if prompted.
Install through VS Code IDE: → → →
Install from the Visual Studio Marketplace.
Access the Cortex Cloud extension directly on the Visual Studio Marketplace or the Open VSX Registry for VS Code compatible editors.
Select → .
You are redirected to the Cortex Cloud extension on your IDE.
Click .
Configure plugin settings
The configuration process depends on whether you're using the open-source or proprietary version. For the proprietary version, you will need your Cortex Cloud API Key, API Key ID and tenant URL to establish a secure connection between your environment and Cortex Cloud. These details authenticate you to your tenant. The open-source project does not require these settings.
Note
Enforcement rules and CA certificates are not applicable to the open-source project.
Access the Cortex Cloud extension settings in one of these ways:
→ → →
→ → →
Fill in the provided fields:
API Key ID (required): The Cortex Cloud access key ID. See Prerequisites above
API Key (required): The Cortex Cloud secret key. See Prerequisites above
Platform URL (required): Your Cortex Cloud URL. See Prerequisites above
Danger
You must insert your API Key and API Key ID values into the Settings before providing the tenant URL.
CLI Version: Leave blank to use the latest CLI version (or enter 'latest'), or specify a version
CLI Path: Specifies the path to the CLI scanner. Recommended: Leave empty to let the extension manage the scanner installation
Disable Error Message Popups: Hide error message popups. You can view errors in the logs via the Open Cortex Cloud Log command
Certificate: Add your Cortex Cloud CA certificate. Format: .pem file. Example paths:
macOS/Linux: /Users/your_username/Documents/cacert.pem or ~/Documents/cacert.pem
Windows: C:\Users\your_username\Documents\cacert.pem
Ignore Gitignore files: Selected by default. Files that belong to paths included in the .gitignore file will not be scanned when opened or saved
External Checks Directory: Provide the path to a folder containing custom security checks
Specific Frameworks: Scan specific frameworks such as ARM. You can add multiple frameworks by separating the values with spaces. Refer to Cortex CLI (Cortex Cloud Application Security command line reference) for more information about framework flags
Environment Variables: Define specific environment variables and their values that will be accessible to the security scanner while it performs its analysis
To add variables, select → →
To edit or delete a variable: Select the edit or delete icons next to a variable in the table
UI layout
To view the extension, select the Cortex Cloud tab in the Activity bar. The extension UI layout is as follows:
Left pane: The Security scan panel, which includes these features:
Full Scan button: manually initiate a full scan of your project
Scan results: A tree structure displaying detected issues by security category (IaC misconfigurations, Secrets, Vulnerabilities (SCA), and Licenses). Each category expands to reveal folders containing the specific issues detected during a scan
Control buttons: Provide access to Settings, Test Connectivity, Full scan play button, and Extension Monitoring, which includes scan history and log files
Middle pane: Code editor. Review your codebase, and view a list of issues related to a file or resource (for IaC misconfigurations), along with remediation options
Right pane: Details panel. Provides a detailed view of a selected issue, including information such as the code difference when available, and remediation options