Frequently Asked Questions
Is CodeVigil free?
Yes. CodeVigil's core features are completely free: 100+ vulnerability patterns across 10 languages, real-time scanning, the local CVE database, and Copilot Chat integration. CodeVigil Pro adds advanced features like the security dashboard, SARIF export, and team configuration for $4.99/month, $39/year, or a $99 lifetime license.
Which languages are supported?
CodeVigil supports 10 languages: JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, C/C++, and Kotlin.
What is MCP and which AI assistants does CodeVigil work with?
MCP (Model Context Protocol) is an open standard that lets AI assistants communicate with developer tools. CodeVigil includes a built-in MCP server, so it works with GitHub Copilot Chat (via the @codevigil participant), Cursor, Claude Code, Windsurf, and any other MCP-compatible assistant. You can scan files, explain findings, suggest fixes, and look up CVEs from any connected assistant. See the MCP Integration doc for setup instructions.
What is triple-check scanning?
Triple-check scanning is CodeVigil's three-layer analysis pipeline. Every finding passes through three stages: (1) regex pattern matching to identify potential vulnerability signatures, (2) AST structural analysis to understand code context and data flow, and (3) GitHub Copilot LLM verification to reason about whether the finding is a genuine risk. This approach catches more real issues while significantly reducing false positives compared to single-pass tools.
How is CodeVigil different from ESLint security plugins?
ESLint security plugins are JavaScript/TypeScript-only and focus on a narrow set of patterns. CodeVigil covers 10 languages, includes a local CVE database for dependency scanning, integrates with Copilot Chat for natural-language security queries, and uses triple-check scanning (regex, AST, and LLM) for more accurate detection with fewer false positives. CodeVigil's LLM verification layer is specifically tuned for the patterns AI assistants produce.
How is CodeVigil different from Snyk or SonarQube?
Snyk and SonarQube are primarily cloud-based services that scan code in CI/CD pipelines. CodeVigil runs locally in your editor with zero configuration and gives real-time feedback as you type. CodeVigil is designed to complement these tools, not replace them. Catch issues early in the editor, and use CI/CD tools for comprehensive pipeline scanning. Additionally, CodeVigil's triple-check scanning (regex + AST + LLM) is specifically designed to catch the subtler vulnerabilities introduced by AI coding assistants.
Is CodeVigil meant to replace tools like Semgrep or CodeQL?
No. CodeVigil is built for individual developers and small teams who want a single VS Code extension that covers a lot of ground: 100+ vulnerability patterns across 10 languages, dependency CVE checking, secret detection, and Copilot Chat integration, all in one package, with no configuration required. If you are an enterprise team that needs custom rule authoring, org-wide policy enforcement, or deep inter-procedural analysis, tools like Semgrep or CodeQL are a better fit. CodeVigil is designed to catch the most common issues early, right in your editor, and complement whatever you run in CI/CD.
Will CodeVigil slow down my editor?
CodeVigil is designed to be lightweight. Scanning is asynchronous and runs in a background thread, so it does not block VS Code's UI. On most machines, individual file scans complete in under 100ms. If you experience performance issues on very large files, you can increase the codeVigil.scanDelay setting or disable codeVigil.scanOnType.
Can I ignore specific findings?
Yes, there are several ways to suppress findings:
- Inline comments: Add `// codevigil-ignore-next-line` above a line to suppress findings for that line
- File-level: Add `// codevigil-ignore-file` at the top of a file to skip scanning entirely
- Settings: Use `codeVigil.excludePatterns` to exclude files by glob pattern
- Baseline (Pro): Create a baseline file to suppress all existing findings
Does CodeVigil work with VS Code forks?
CodeVigil is tested and supported on:
- Visual Studio Code (official)
- VS Code Insiders
- Cursor
- Windsurf
It may work on other VS Code forks but is not officially tested on them.
How often are patterns updated?
Free users receive pattern updates with each extension release, typically monthly. Pro users receive priority pattern updates within 48 hours of critical vulnerability disclosures.
Troubleshooting
CodeVigil is not showing any diagnostics
- Check that CodeVigil is enabled: Open settings and verify `codeVigil.enabled` is `true`
- Check the language: Ensure the file's language is in the supported list. Check the language indicator in VS Code's status bar.
- Check minimum severity: If `codeVigil.minimumSeverity` is set to `"critical"`, only Critical findings will be shown
- Check exclude patterns: Make sure the file is not matched by `codeVigil.excludePatterns`
- Reload VS Code: Sometimes a window reload resolves initialization issues. Press `Ctrl+Shift+P` and run Developer: Reload Window
CodeVigil shows too many false positives
If you are seeing false positives:
- Report them: Use the `@codevigil report false positive` command in Copilot Chat, or file a GitHub issue. We take false positives seriously and tune patterns regularly.
- Adjust severity: Increase `codeVigil.minimumSeverity` to filter out lower-confidence findings
- Use inline suppression: Add `// codevigil-ignore-next-line` for known false positives
- Create a baseline (Pro): Suppress existing findings and only see new ones
CVE database is not syncing
- Check internet connection: The sync requires an active internet connection
- Check firewall: Ensure `https://cve.bitsplus.ai` is not blocked
- Check proxy settings: If you are behind a corporate proxy, configure VS Code's proxy settings in `http.proxy`
- Manual sync: Run CodeVigil: Sync CVE Database from the command palette
- Reset database: If the database appears corrupted, run CodeVigil: Reset CVE Database
Copilot Chat integration is not working
- Check Copilot Chat: Ensure GitHub Copilot Chat is installed and active
- Check the @codevigil participant: Type `@` in the Copilot Chat panel and you should see `codevigil` in the list
- Reload VS Code: Run Developer: Reload Window from the command palette
- Update extensions: Ensure both CodeVigil and GitHub Copilot Chat are up to date
High CPU or memory usage
- Increase scan delay: Set `codeVigil.scanDelay` to `1000` or higher
- Disable scan-on-type: Set `codeVigil.scanOnType` to `false` so scanning will only occur on save
- Exclude large directories: Add generated code directories to `codeVigil.excludePatterns`
- Disable CVE database: If dependency scanning is not needed, set `codeVigil.cveDatabase.enabled` to `false`
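The settings named in the suppression and performance sections above fit together in one VS Code `settings.json`. The block below is an added example written for this FAQ, not a file shipped by the CodeVigil project: the `codeVigil.*` keys and the `http.proxy` key are the ones this page names, while the glob patterns and the proxy host are constructed placeholders you should replace with your project's own generated directories and your proxy.

```jsonc
{
  // Keep scanning on. The severity floor is left at its default so that
  // findings below Critical still appear; uncomment the next line only if
  // you deliberately want to see Critical findings alone.
  "codeVigil.enabled": true,
  // "codeVigil.minimumSeverity": "critical",

  // Performance tuning for very large files: wait longer after typing
  // stops, and scan only on save rather than on every keystroke.
  "codeVigil.scanDelay": 1000,
  "codeVigil.scanOnType": false,

  // Skip generated and vendored code so it neither slows scanning nor
  // floods the Problems panel. These globs are constructed examples.
  "codeVigil.excludePatterns": [
    "**/node_modules/**",
    "**/dist/**",
    "**/build/**",
    "**/*.min.js"
  ],

  // Leave dependency CVE checking on; set to false only if the workspace
  // has no dependency manifests to scan.
  "codeVigil.cveDatabase.enabled": true,

  // VS Code's own proxy setting (not a CodeVigil key), used by the CVE
  // database sync when behind a corporate proxy. Placeholder host.
  "http.proxy": "http://proxy.example.internal:3128"
}
```

Put these keys in the workspace `.vscode/settings.json` when they are project-specific (the exclude globs usually are), and in the user settings when they describe your machine (the scan delay and the proxy). Prefer narrowing `codeVigil.excludePatterns` to generated code over raising `codeVigil.minimumSeverity`: excluding a directory hides findings you cannot act on, while raising the severity floor hides findings you can.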
Extension crashes or errors
- Check the output log: Run CodeVigil: Show Output Log from the command palette
- Update CodeVigil: Ensure you have the latest version installed
- File a bug report: Include the output log contents when filing an issue on GitHub
Getting Help
- Documentation: You are reading it
- GitHub Issues: Report bugs and request features on our GitHub repository
- Email Support: Contact us at hello@bitsplus.ai
- Pro Priority Support: Pro users receive priority email support with a 24-hour response time