VS Code extension for Mixeway Flow — a security scanning platform that detects vulnerabilities in your code repositories (SAST, SCA, IaC, Secrets).
- Automatic Repository Detection — reads the `.git` remote URL and matches it with a repository registered in Flow
- Security Findings Sidebar — displays vulnerabilities grouped by severity (Critical / High / Medium / Low) in a dedicated activity bar panel
- File Navigation — click on a finding to navigate directly to the affected file and line
- Editor Diagnostics — findings appear as warnings/errors in the VS Code Problems panel and as inline squiggles
- Run Scans — trigger a security scan from VS Code (default branch or a specific branch)
- Suppress / Reactivate — manage finding lifecycle directly from the IDE (right-click context menu)
- Finding Details — view full vulnerability details including description and recommendations in a webview panel
Install from .vsix or from the VS Code Marketplace (once published):
```
code --install-extension mixeway-flow-0.1.0.vsix
```

Open VS Code Settings (Cmd+, / Ctrl+,) and search for Mixeway Flow:
| Setting | Description |
|---|---|
| `mixewayFlow.url` | URL of your Mixeway Flow instance (e.g. https://flow.example.com) |
| `mixewayFlow.apiKey` | API Key for authentication (generate from your Flow user profile) |
Or add to settings.json:
```json
{
  "mixewayFlow.url": "https://flow.example.com",
  "mixewayFlow.apiKey": "your-api-key-here"
}
```

Open a workspace that contains a git repository registered in Mixeway Flow. The extension will:
- Read the git remote URL (`origin`)
- Search for a matching Code Repository in Flow
- Load and display security findings
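
The matching step above has to compare remotes that may be written in scp-like, SSH or HTTPS form and may carry embedded credentials. The following TypeScript is an added example of that normalization, not the extension's own `git.ts`; the `FlowRepo` shape and its `repourl` field are assumptions about what `GET /api/v1/coderepo` returns, and the sample values are constructed.

```typescript
// Added example. FlowRepo and its field names are assumptions about the
// GET /api/v1/coderepo response, not a documented schema.
interface FlowRepo { id: number; repourl: string; }

// Reduce a git remote to "host/path" so the scp-like, SSH and HTTPS forms of
// one repository compare equal. Scheme, userinfo (including any embedded
// token), port, a trailing "/" and a trailing ".git" are dropped, so the
// result can be logged without exposing credentials.
function normalizeRemote(remote: string): string | null {
  const s = remote.trim();
  // URL form: scheme://[userinfo@]host[:port]/path
  let m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/]*@)?([^\/:@]+)(?::\d+)?\/(.+)$/i.exec(s);
  // scp-like form: [user@]host:path (the lookahead rejects "scheme://")
  if (!m) m = /^(?:[^@\/:]+@)?([^@\/:]+):(?!\/\/)(.+)$/.exec(s);
  if (!m) return null;
  const host = (m[1] || "").toLowerCase(); // host names are case-insensitive
  const path = (m[2] || "")
    .replace(/\/+$/, "")
    .replace(/\.git$/i, "")
    .replace(/^\/+/, "");
  return path ? `${host}/${path}` : null;
}

// Exact comparison of normalized forms. Substring or prefix matching could
// bind the workspace to another repository ("team/app" vs "team/app-legacy")
// and show, suppress or scan findings for the wrong project.
function findRepo(remote: string, repos: FlowRepo[]): FlowRepo | undefined {
  const wanted = normalizeRemote(remote);
  if (wanted === null) return undefined;
  for (const r of repos) {
    if (normalizeRemote(r.repourl) === wanted) return r;
  }
  return undefined;
}

// Constructed sample data.
const sampleRepos: FlowRepo[] = [
  { id: 1, repourl: "https://gitlab.example.com/team/app-legacy.git" },
  { id: 2, repourl: "https://gitlab.example.com/team/app" },
];
const sampleRemote = "https://ci:constructed-token@GitLab.example.com/team/app.git";
```
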
The Mixeway Flow shield icon in the activity bar opens the Security Findings panel. Findings are grouped by severity with icons indicating the source:
- `$(code)` — SAST (Static Application Security Testing)
- `$(package)` — SCA (Software Composition Analysis)
- `$(server)` — IaC (Infrastructure as Code)
- `$(key)` — Secrets Detection
| Command | Description |
|---|---|
| `Mixeway Flow: Refresh Findings` | Reload findings from Flow |
| `Mixeway Flow: Run Security Scan` | Start a scan (default or specific branch) |
| `Mixeway Flow: Configure Connection` | Open extension settings |
| `Mixeway Flow: Suppress Finding` | Suppress a finding with a reason |
| `Mixeway Flow: Reactivate Finding` | Reactivate a suppressed finding |
| `Mixeway Flow: Show Finding Details` | Open a detailed view of a finding |
Right-click on a finding in the sidebar to:
- Suppress — mark as false positive, accepted risk, not applicable, or won't fix
- Reactivate — revert a suppressed finding
- Show Details — open full vulnerability information
```bash
# Install dependencies
npm install

# Watch mode (auto-rebuild on changes)
npm run watch

# Build for production
npm run build

# Package as .vsix
npm run package
```

```
src/
├── extension.ts                  # Entry point, commands, lifecycle
├── api/
│   └── flowClient.ts             # HTTP client for Flow REST API
├── models/
│   └── types.ts                  # TypeScript interfaces and enums
├── providers/
│   └── findingsTreeProvider.ts   # Tree view data provider
└── utils/
    └── git.ts                    # Git remote URL detection
```

| Endpoint | Purpose |
|---|---|
| `GET /api/v1/coderepo` | List repositories |
| `GET /api/v1/coderepo/{id}/findings` | Get findings for a repository |
| `GET /api/v1/coderepo/{id}/finding/{fid}` | Get finding details |
| `GET /api/v1/coderepo/{id}/run` | Trigger scan (default branch) |
| `POST /api/v1/coderepo/{id}/run/branch` | Trigger scan (specific branch) |
| `GET /api/v1/coderepo/{id}/supress/{fid}/reason/{reason}` | Suppress a finding |
| `POST /api/v1/coderepo/{id}/supress` | Bulk suppress findings |
| `GET /api/v1/coderepo/{id}/reactivate/{fid}` | Reactivate a finding |
| `GET /api/v1/coderepo/{id}/git-branches` | List remote branches |

MIT