The Problem Nobody Talks About
Every day, millions of developers write code with the help of AI assistants. GitHub Copilot, ChatGPT, Claude. These tools have fundamentally changed how we build software. They make us faster, more productive, and more confident. But there is an uncomfortable truth lurking beneath the surface: AI-generated code is not always secure.
Stanford researchers found that developers using AI assistants produce code with significantly more security vulnerabilities than those writing code manually. A separate study from the University of Montreal showed that roughly 40% of AI-generated code snippets contain at least one exploitable vulnerability. And yet, most developers accept AI suggestions with a single Tab press and move on.
This is the gap CodeVigil was built to close.
What Is CodeVigil?
CodeVigil is a VS Code extension that performs real-time, triple-check security scanning directly inside your editor. There is no CI pipeline to set up and no subscription required to get started. Install it from the VS Code Marketplace, and you are immediately protected by 100+ vulnerability patterns across 10 languages.
Unlike traditional SAST (Static Application Security Testing) tools that run in your CI/CD pipeline and report results minutes or hours later, CodeVigil works in real time. The moment you type a vulnerable pattern (or accept one from Copilot), CodeVigil flags it with an inline diagnostic, explains the risk, and suggests a fix.
Why We Built This
The BitsPlus team has spent years working in application security. We have seen the same story play out again and again: a development team ships fast, a penetration test uncovers dozens of vulnerabilities months later, and the team scrambles to fix issues that could have been caught at the point of creation.
The introduction of AI coding assistants added a new dimension to this problem. Now developers are not just writing insecure code themselves; they are accepting insecure code from an AI that sounds confident about every suggestion it makes. The feedback loop between writing vulnerable code and discovering it is still measured in weeks or months.
We asked ourselves: what if you could catch vulnerabilities the instant they appear in your editor? What if security scanning was as natural as syntax highlighting? That is the vision behind CodeVigil.
Key Features
Zero-Config Security Scanning
Install CodeVigil and it starts working. There are no configuration files to create, no rulesets to download, and no accounts to sign up for. It detects your project's languages automatically and applies the relevant security patterns: TypeScript, Python, Java, C#, Go, PHP, Ruby, C, C++ and Kotlin. It just works.
100+ Vulnerability Patterns
CodeVigil ships with a curated library of 100+ vulnerability patterns covering SQL injection, cross-site scripting, command injection, path traversal, insecure cryptography, hardcoded secrets, and dozens of other common security issues. Each pattern has been hand-tuned to minimize false positives while catching real vulnerabilities.
Copilot Chat Integration
Type @codevigil in the GitHub Copilot Chat panel and you can ask natural-language questions about the security of your code. "Is this function vulnerable?" "What OWASP category does this fall under?" "How do I fix this SQL injection?" CodeVigil brings security expertise into the conversational AI workflow you already use.
Local CVE Database
CodeVigil includes a local database of over 130,000 known CVEs, used for dependency CVE checking and updated automatically in the background. Because the database is local, lookups run on your machine; the database syncs incrementally, so updates are fast and bandwidth-friendly.
Severity-Ranked Diagnostics
Not all vulnerabilities are created equal. CodeVigil ranks every finding by severity (Critical, High, Medium, or Low) on the CVSS-based severity scale familiar from enterprise security tools. Critical findings are flagged immediately with red diagnostics; low-severity informational findings use subtle green indicators.
SARIF Export (Pro)
For teams that need to integrate security findings into their existing workflows, CodeVigil Pro supports exporting scan results in the SARIF (Static Analysis Results Interchange Format) standard. This makes it easy to feed results into GitHub Advanced Security, Azure DevOps, or any other tool that supports SARIF.
How It Works
CodeVigil's detection engine is optimized for real-time analysis. When you open or edit a file, CodeVigil parses the code and runs it through language-specific vulnerability detectors. Each detector is designed to identify a specific class of vulnerability. For example, the SQL injection detector for Python looks for string interpolation and concatenation (f-strings, % formatting, .format() and +) inside database query calls, and leaves parameterised queries alone.
Findings appear as native VS Code diagnostics, just like TypeScript errors or ESLint warnings. You can hover over a finding to see a detailed explanation, click through to a fix suggestion, or open the Copilot Chat panel for a deeper conversation about the vulnerability.
The scan itself is a three-layer pipeline: regex pattern matching catches common vulnerability signatures, AST structural analysis understands code context and data flow (for example, a query string assembled on one line and executed on another), and GitHub Copilot LLM verification reduces false positives by reasoning about whether a finding is a genuine risk. Two things follow from that third layer: the code around a candidate finding is sent to the Copilot model, and the layer acts as a filter on findings the first two layers already raised, so a finding the model dismisses in security-critical code is still worth a second look. This triple-check approach catches issues that single-pass tools miss.
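To make the first two layers concrete, here is a small detector in the style described above: a line-local regex pass, then an AST pass that confirms the tainted string is really the argument of a database sink call and follows a query variable back to its assignment (something the regex alone cannot do). This is an added illustration, not CodeVigil's code; the sink names, the rule id and the sample source it scans are all constructed for the example, and the third (LLM) layer is not modelled.

```python
"""Toy two-layer (regex, then AST) SQL-injection detector for Python source.

Added illustration only; not CodeVigil's engine. Sink names, rule id and
the sample source below are assumptions made for this example.
"""
import ast
import re
from dataclasses import dataclass

# Layer 1: a line-local regex signature for "SQL built by a string operation
# and passed straight to execute()". Cheap, but blind to a query that was
# assembled on an earlier line and to non-database calls that look similar.
SQL_SINK_RE = re.compile(
    r"""\.execute\w*\(\s*(?:f["']|["'][^"']*["']\s*(?:%|\+|\.format\())"""
)

# Method names treated as database query sinks (assumption for this example).
DB_SINKS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    layers: tuple   # which layers agreed: ("regex", "ast") or ("ast",)
    message: str


def _builds_sql_from_runtime_values(node):
    """Layer 2 helper: is this expression an f-string with placeholders,
    a %-format or + concatenation, or a .format() call?"""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def _resolve(node, assignments, depth=3):
    """Follow a bare variable back to its single-target assignment.
    Simplification: one flat name->value map, no scope or branch analysis."""
    while isinstance(node, ast.Name) and node.id in assignments and depth > 0:
        node = assignments[node.id]
        depth -= 1
    return node


def scan_source(src):
    """Run the regex layer and the AST layer; report which layers agreed."""
    regex_hits = {
        lineno
        for lineno, text in enumerate(src.splitlines(), start=1)
        if SQL_SINK_RE.search(text)
    }
    tree = ast.parse(src)
    assignments = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assignments[node.targets[0].id] = node.value

    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in DB_SINKS or not node.args:
            continue
        query = _resolve(node.args[0], assignments)
        if not _builds_sql_from_runtime_values(query):
            continue    # constant SQL or a parameterised query: not a finding
        layers = ("regex", "ast") if node.lineno in regex_hits else ("ast",)
        findings.append(Finding(
            line=node.lineno,
            rule="py-sqli-string-build",     # rule id is an assumption
            layers=layers,
            message="SQL built from runtime values; use a parameterised query",
        ))
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample: two vulnerable queries, one safe query, one decoy.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")   # f-string
    return cur.fetchone()

def find_user_by_id(conn, user_id):
    query = "SELECT * FROM users WHERE id = " + str(user_id)          # built earlier
    conn.cursor().execute(query)

def find_user_safe(conn, username):
    conn.cursor().execute("SELECT * FROM users WHERE name = ?", (username,))

def log_it(logger, username):
    logger.info(f"looked up {username}")                               # not a DB sink
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} [{'+'.join(f.layers)}] {f.message}")
```

Run on the sample, line 6 is reported by both layers, line 11 by the AST layer alone (the regex never sees `execute(query)` as suspicious), and the parameterised query on line 14 and the logging call on line 17 are not reported. That gap between the two result sets is the false-negative class the AST layer exists to close, and the two negatives are the false-positive class a regex-only scanner tends to produce.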
What CodeVigil Is (and Is Not)
Let us be upfront: CodeVigil is not meant to replace your CI/CD security pipeline. If your organization runs Semgrep, CodeQL, or another enterprise SAST tool, those tools serve an important purpose and CodeVigil is not trying to compete with them. Enterprise security platforms offer deep custom rule authoring, organization-wide policy enforcement, and compliance reporting that are outside our scope.
What CodeVigil does is catch issues *before* code even gets to that pipeline. It is the security tool that lives where you actually write code (your editor) and gives you instant feedback while the context is fresh. Think of it as the spell-checker to your CI pipeline's copy editor: both are valuable, and catching mistakes early makes everything downstream faster.
For individual developers and small teams who may not have an enterprise security pipeline at all, CodeVigil provides a comprehensive safety net in a single extension: real-time vulnerability scanning across 10 languages, dependency CVE checking, secret detection, and a Copilot Chat integration that lets you discuss security issues in natural language. No other free tool combines all of this in one package.
Free vs Pro
CodeVigil's core functionality is completely free. The free tier includes all 100+ vulnerability patterns, the local CVE database, real-time diagnostics, and Copilot Chat integration. We believe every developer deserves access to basic security scanning regardless of their budget.
CodeVigil Pro, available for $4.99 per month or $39 per year, adds advanced features for professional developers and teams: a security dashboard with historical trends, SARIF export for CI/CD integration, priority pattern updates, and team management features. There is also a $99 lifetime license for early adopters who want to lock in access permanently.
Get Started in 60 Seconds
Getting started with CodeVigil takes less than a minute:
- Open VS Code and go to the Extensions panel
- Search for "CodeVigil" and click Install
- Open any project and CodeVigil starts scanning automatically
- Type @codevigil in Copilot Chat to ask security questions
That is it. No API keys, no configuration files, no sign-up forms. Just install and go.
What Is Next
This launch is just the beginning. Our roadmap includes support for additional languages, custom rule authoring, workspace-level security policies, and deeper integration with CI/CD platforms. We are also exploring partnerships with security training providers to offer just-in-time learning when developers encounter unfamiliar vulnerability types.
We built CodeVigil because we believe security should be a natural part of the developer experience, not an afterthought bolted on at the end of the pipeline. If you write code in VS Code and want an easy way to catch common vulnerabilities as you type, give CodeVigil a try.
Install CodeVigil from the VS Code Marketplace today and start writing more secure code.