SecureFlag Findings2Training Extension for VS Code
SecureFlag Findings2Training is a Visual Studio Code extension that watches for security issues in your code workspace and automatically recommends the right training articles and hands-on practice labs to help you understand and fix them.
Prerequisites
Before installing, make sure you have the following ready:
- Visual Studio Code 1.83.0 or later.
- A SecureFlag API Access Token.
- A security scanner running in your workspace.
Installation
- Open Visual Studio Code.
- Navigate to the Extensions icon in the left sidebar.
- Type SecureFlag Findings2Training in the search box and install the extension.
Additionally, the extension package can be downloaded from the Open VSX Registry and installed manually on other VS Code-based IDEs that don't support the VS Code Extension Marketplace.
Settings
Setting Up Your API Token
For the extension to authenticate with SecureFlag, you need to generate an API Access Token from the SecureFlag Management Portal.
Generate Your Token
- Open the SecureFlag Management Portal.
- Navigate to the Settings icon on the top right and click it.
- From the API Access Tokens section, generate a token with either the Read knowledge base scope or the Full Access scope.
Add Your Token
- Open the Command Palette in VS Code by pressing Ctrl+Shift+P (Windows/Linux) / Cmd+Shift+P (macOS).
- Find and select SecureFlag Findings2Training: Open Settings and click it.
- You'll be taken directly to the extension's settings page. Paste your API Access Token into the Findings2training: Api Access Token field.
That's all the setup you need to get started. The extension will begin working automatically from this point on.
Configuring a Proxy (Optional)
If your organization routes internet traffic through a proxy server, you'll need to tell the extension about it so it can reach the SecureFlag API.
- Follow the same steps as above to open SecureFlag Findings2Training: Open Settings.
- Enter your proxy address in the Findings2training: Proxy field.
Note: The URL must begin with http:// or https://. If you're unsure of your proxy address, check with your IT or network team.
If you don't use a proxy, leave this field blank.
Usage
Here's how it works behind the scenes:
- Your security scanner (e.g., Snyk or Semgrep) analyzes your code and raises warnings in VS Code's Problems panel.
- SecureFlag Findings2Training detects those warnings and sends the issue descriptions to the SecureFlag API.
- The API matches each issue to the most relevant training article and practice lab in the SecureFlag library.
- The results appear directly in your editor, as inline Quick Fix suggestions and in a dedicated results panel.
Automatic Analysis
Once you have your API token configured and a security scanner active, the extension runs on its own.
- Whenever security warnings appear or change in your workspace, the extension will pick them up and run an analysis in the background.
- While analysis is in progress, you'll see a small spinner in the bottom status bar.
- When it disappears, the analysis is complete, and the results are ready to use.
Manual Analysis
If you'd like to run an analysis on demand, you can do so at any time:
- Open the Command Palette (Ctrl+Shift+P / Cmd+Shift+P).
- Find SecureFlag Findings2Training: Analyze Security Problems and click it.
After the analysis finishes, a panel will open beside your editor listing all the security vulnerabilities found in your workspace, along with links to relevant training and practice labs.
If no security issues are detected, a message will confirm that your workspace looks clean.
Using Quick Fixes in the Editor
For every security warning that the extension has matched to training content, you'll see a Quick Fix option appear directly in your code editor.
How to Use It
- Place your cursor on a line that has a security warning (usually underlined or highlighted by your scanner).
- Press Alt+Enter (Windows/Linux) or Opt+Enter (macOS), or click the lightbulb icon (💡) that appears near the line.
You'll see up to two options from SecureFlag Findings2Training:
| Option | What it does |
| --- | --- |
| View Training: <Vulnerability Name> | Opens a training article for this specific vulnerability inside VS Code. |
| Practice Lab: <Vulnerability Name> | Opens a hands-on practice lab in your web browser so you can practice fixing this type of issue. |
Tip: If you don't see these options immediately after a new warning appears, wait a moment for the background analysis to complete, then try again.
Viewing Results
When you open a training article, it loads in a panel alongside your editor, so you can read and code at the same time without switching windows.
The training panel includes:
- A full explanation of the vulnerability.
- Code examples showing what the issue looks like and how to fix it.
To open a lab instead, click Practice Lab from the Quick Fix menu. The lab will open in your default web browser.
Troubleshooting
No Results Are Showing Up
- Double-check that your API Access Token is entered correctly in settings.
- Make sure a security scanner is installed and producing warnings in the Problems panel (Ctrl+Shift+M / Cmd+Shift+M). If the Problems panel is empty or shows no security warnings, the extension has nothing to analyze.
- Try running the analysis manually using the Analyze Security Problems command to see if results appear.
The Quick Fix Options Aren't Appearing On A Warning Line
- Quick Fix options only appear after the extension has successfully matched that warning to training content. Wait for the status bar spinner to finish, then try again.
- If the spinner never appears, verify your API token and network connection.
Privacy
SecureFlag Findings2Training is designed with your privacy in mind. When analyzing your workspace, the extension sends only the text of the security warning messages to the SecureFlag API.
Your source code is never sent. No file contents, variable names, credentials, or personal information leave your machine.