snyk · kyle-nahrgang · Dec 16, 2024 · Dec 16, 2024 · Jun 16, 2025
@@ -19,3 +19,6 @@ indent_size = 2
 [*.py]
 indent_style = space
 indent_size = 4
+
+[*.md]
+trim_trailing_whitespace = false
@@ -4,6 +4,7 @@ _Provide description of this PR and changes, if linked Jira ticket doesn't cover
 
 ### Checklist
 
+- [ ] Read and understood the [Code of Conduct](https://github.com/snyk/vscode-extension/blob/main/CODE_OF_CONDUCT.md) and [Contributing Guidelines](https://github.com/snyk/vscode-extension/blob/main/CONTRIBUTING.md).
 - [ ] Tests added and all succeed
 - [ ] Linted
 - [ ] CHANGELOG.md updated

@@ -17,17 +17,10 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Setup Node
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: '18'
-
-      - name: Cache NPM files
-        uses: actions/cache@v2
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
+          node-version-file: '.nvmrc'
+          cache: 'npm'
 
       - name: Install dependencies
         run: npm ci

@@ -0,0 +1,28 @@
+name: Static Resource Checking
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+
+jobs:
+  static-resource-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch Sources
+        uses: actions/checkout@v4
+
+      - name: Check Static Resources
+        run: |
+          declare -A resources
+          # Add each resource as a key, value pair, mapping the local resource to the reference file (which should be stored in the language server repository). For example:
+          # resources["<path_to_local_file>"]="<url_of_reference_file>"
+          resources["media/views/scanSummary/ScanSummaryInit.html"]="https://raw.githubusercontent.com/snyk/snyk-ls/refs/heads/main/shared_ide_resources/ui/html/ScanSummaryInit.html"
+          for key in ${!resources[@]}; do
+            candidate=$(sha512sum $key | awk {'print $1'})
+            candidate=${candidate:="null"}
+            reference=$(curl -s ${resources[$key]} | sha512sum | awk {'print $1'})
+            echo "Candidate file $key has sha512sum $candidate"
+            echo "Reference file ${resources[$key]} has sha512sum $reference"
+            [[ $candidate == $reference ]]
+          done
+
@@ -0,0 +1,42 @@
+** general **
+always be concise, direct and don't try to appease me.
+DOUBLE CHECK THAT YOUR CHANGES ARE REALLY NEEDED. ALWAYS STICK TO THE GIVEN GOAL, NOT MORE.
+I repeat: don't optimize, don't refactor if not needed.
+Adhere to the rules, fix linting & test issues that are newly introduced.
+don't change old entries in the changelog. it's a history of changes. the current version is the last semantic version tag on origin/main in git
+
+** how to implement **
+always write and update test cases. iterate until they pass.
+npm build scripts are configured for both unit and integration tests in package.json (test:unit and test:integration).
+use existing mocks, don't write new ones.
+if you use mocks, use mockk to generate them.
+always run the tests after editing.
+always use the linter, use npm lint:fix. only fix linting issues in changed files.
+don't change code that does not need to be changed. only do the minimum changes.
+add a summary of the changes to the changelog for the next version. usually it's a minor semantic version bump.
+this is not a library. if files are not used or needed anymore, delete them instead of deprecating them.
+if a tool call fails, analyze why it failed and correct your approach. don't prompt the user for help.
+if you don't know something, read the code instead of assuming it.
+commenting out code to fix errors is not a solution. instead, fix the error.
+
+** security **
+determine the absolute path of the project directory. you can do that e.g. by executing pwd on the shell within the directory.
+always use snyk for sca and code scanning. scan with both tools. you need to pass the absolute path of the directory we are scanning.
+run snyk code tests after each edit. pass the absolute path of the project directory as a parameter
+run snyk sca tests after updating package.json and pass the absolute path of the project directory as a parameter.
+run snyk sca and code test before committing. if not test data, fix issues before committing.
+
+** fixing issues **
+fix security issues if they are fixable. take the snyk scan results and the test results as input.
+
+** committing **
+when asked to commit, always use conventional commit messages (Conventional Commit Style (Subject + Body)). be descriptive in the body. if you find a JIRA issue (IDE-XXXX) in the branch name, use it as a postfix to the subject line in the format [IDE-XXXX]
+consider all commits in the current branch when committing, to have the context of the current changes.
+when asked to push, always use 'git push --set-upstream origin $(git_current_branch)' with git_current_branch being the current branch we are on
+never force push
+never push without asking
+never commit the hashicorp gomod
+regularly fetch main branch and offer to merge it into git_current_branch
+don't touch the copyright header
+after pushing offer to create a PR on github. analyze the changes by comparing the current branch ($(git_current_branch)) with origin/main, and craft a PR description and title.
+use the github pr template in this repository
@@ -1,5 +1,23 @@
 # Snyk Security Changelog
 
+## [2.23.0]
+- Removed Snyk Code Quality feature. All related settings, configurations, and UI elements have been removed.
+- Removed scanning for vulnerabilities in JavaScript libraries referenced via CDN in HTML files.
+
+## [2.22.0]
+- Support early access of Ignores Approval Workflow
+- Fix early access Issue View Options not hiding issues in editor
+
+## [2.21.1]
+- Gemini Tool fixes
+- Ensure default CAs are used when using proxy
+- Add scan source to workspace command
+
+## [2.21.0]
+- add scan summary
+- add ability to enter PATs as Tokens
+- add ability to define a reference folder for net-new scanning
+
 ## [2.20.0]
 - reduce hover verbosity to only title and description
 - If $/snyk.hasAuthenticated transmits an API URL, this is saved in the settings.
@@ -9,6 +27,7 @@
 - Change default CLI download path to be in extension directory.
 - Delete sentry reporting.
 - send analytics event "plugin installed" the first time the extension is started
+- Allow `${workspaceFolder}` in `trustedFolders` and `folderConfigs`
 
 ## [2.19.2]
 - Update download endpoint to downloads.snyk.io.

@@ -60,7 +60,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-`daniel.appelquist <at> snyk.io`.
+`oss-conduct-reports@snyk.io`.
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the

@@ -1,3 +1,43 @@
+# Contributing to the Snyk IDE Extensions
+
+We welcome contributions, but please read first! To ensure a smooth process and that your valuable work aligns with our roadmap, please keep the following in mind to help manage expectations:
+
+## 1. Planning your changes
+
+Before undertaking any changes or new features, please discuss your plans with us. This helps align on scope, design, technical approach, and priority.  
+Even bug fixes can have unforeseen impacts or alternative solutions better suited for the codebase, so please ask first, we will be happy to discuss.  
+Please raise a request with [support](https://support.snyk.io). (Snyk employees, use `#ask-ide`)
+
+## 2. Where changes should be made
+
+Consider whether your proposed change should be implemented within the IDE extension(s) or in the shared Language Server and related stack.
+- [Snyk Language Server](https://github.com/snyk/snyk-ls)
+- [Go Application Framework](https://github.com/snyk/go-application-framework)
+- [Code Client Go](https://github.com/snyk/code-client-go)
+
+## 3. Cross-IDE consistency
+
+If your change is applicable to other Snyk IDE plugins as well, we may expect you to submit similar PRs for the other relevant IDE repositories after your initial PR has been reviewed and approved, as they will _usually_ need to be merged all at once or not at all.
+- [Snyk IntelliJ plugin](https://github.com/snyk/snyk-intellij-plugin)
+- [Snyk Eclipse plugin](https://github.com/snyk/snyk-eclipse-plugin)
+- [Snyk Visual Studio extension](https://github.com/snyk/snyk-visual-studio-plugin)
+
+## 4. Manual testing
+
+All changes must be thoroughly manually tested by you.  
+For visual changes the PR template asks for screenshots, so this is a good opportunity to snap them.
+
+## 5. Documentation changes
+
+Any user-facing changes will require [documentation](https://docs.snyk.io/) changes, which you will need to prepare.
+If you do not have access to our content management system (you are not a Snyk employee), please add the documentation changes required (including new wording and screenshots) to the PR description.
+
+We can instruct you on what to add to the CHANGELOG.md, so please ask.
+
+---
+
+# Making Changes
+
 ## Run extension and debug
 
 Clone the repository, then run `npm install && npm run build` in the directory.

@@ -2,7 +2,7 @@ This Contributor Licence Agreement (“Agreement”) sets out the terms under wh
 
 Who the “Contributor” is depends on whether the person submitting the contribution is a private individual acting on their own behalf, or is acting on behalf of someone else (for example, their employer). The “Contributor” in this Agreement is therefore either: (i) if the individual who Submits a Contribution does so on behalf of their employer or another Legal Entity, any Legal Entity on behalf of whom a Contribution has been received by Snyk; or in all other cases (ii) the individual who Submits a Contribution to Snyk. "Legal Entity" means an entity which is not a natural person (for example, a limited company or corporation).
 
-** 1. Interpretation**
+**1. Interpretation**
 
 The following definitions and rules of interpretation apply in this Agreement.
 

@@ -6,6 +6,10 @@ Integrating security checks early in your development lifecycle helps you pass s
 
 The Snyk Visual Studio Code extension allows you to analyze your code, open-source dependencies, and Infrastructure as Code (IaC) configurations. With actionable insights directly in your IDE, you can address issues as they arise.
 
+
+The extension also works for other VSCode-based IDEs such as Windsurf, Cursor, and Eclipse Theia.
+
+
 **Key features:**
 
 * **In-line issue highlighting:** Security issues are flagged directly within your code, categorized by type and severity for quick identification and resolution.
@@ -17,6 +21,12 @@ The Snyk Visual Studio Code extension allows you to analyze your code, open-sour
 
 ## How to install and set up the extension
 
+
+For information about the versions of Visual Studio Code supported by the Visual Studio Code extension, see [Snyk IDE plugins and extensions](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions).
+
+Snyk recommends always using the latest version of the Visual Studio Code extension.
+
+
 You can use the Snyk Visual Studio Code extension in the following environments:
 
 * Linux: AMD64 and ARM64
@@ -25,24 +35,25 @@ You can use the Snyk Visual Studio Code extension in the following environments:
 
 Snyk Visual Studio Code extension does not support remote and containerized environments:
 
-* [Cloud VS Code IDE](https://code.visualstudio.com/docs/editor/vscode-web)
+* [Visual Studio Code for the Web](https://code.visualstudio.com/docs/editor/vscode-web)
 * [VS Code Remote Development](https://code.visualstudio.com/docs/remote/remote-overview)
-* [Inside a Container](https://code.visualstudio.com/docs/devcontainers/containers)
+* [Developing inside a Container](https://code.visualstudio.com/docs/devcontainers/containers)
 
-Install the plugin at any time free of charge from the  [Visual Studio Code marketplace](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) and use it with any Snyk account, including a Free account. For more information, see the[VS Code extension installation guide](https://code.visualstudio.com/docs/editor/extension-marketplace#\_install-an-extension).
+Install the plugin at any time free of charge from the [Visual Studio Code marketplace](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) and use it with any Snyk account, including a Free account. For more information, see the [VS Code extension installation guide](https://code.visualstudio.com/docs/editor/extension-marketplace#_install-an-extension).
 
 When the extension is installed, it automatically downloads the [Snyk CLI,](https://docs.snyk.io/snyk-cli) which includes the [Language Server](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/snyk-language-server).
 
 Continue by following the instructions in the other Visual Studio Code extension docs:
 
-* [Visual Studio Code extension configuration](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension/visual-studio-code-extension-authentication)
-* [Visual Studio Code extension authentication](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension/visual-studio-code-extension-authentication)
+* [Visual Studio Code extension configuration, environment variables, and proxy](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension/visual-studio-code-extension-configuration-environment-variables-and-proxy)
+* [Authentication for Visual Studio Code extension](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension/visual-studio-code-extension-authentication)
 * [Visual Studio Code Workspace trust](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension/workspace-trust)
+* [Create a .dcignore file](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension/create-a-.dcignore-file)
 * [Run an analysis with Visual Studio Code extension](https://docs.snyk.io/integrate-with-snyk/use-snyk-in-your-ide/visual-studio-code-extension/run-an-analysis-with-visual-studio-code-extension)
 * [View analysis results from Visual Studio Code extension](https://docs.snyk.io/integrate-with-snyk/use-snyk-in-your-ide/visual-studio-code-extension/view-analysis-results-from-visual-studio-code-extension)
 
 ## Support
 
 For troubleshooting and known issues, see [Troubleshooting for Visual Studio Code extension](https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/visual-studio-code-extension/troubleshooting-for-visual-studio-code-extension).
 
-If you need help, submit a request to [Snyk Support](https://support.snyk.io/hc/en-us/requests/new).
+If you need help, submit a request to [Snyk Support](https://support.snyk.io).
@@ -0,0 +1,52 @@
+## Release version steps
+
+**Protocol Version Verification**
+
+- Ensure the Snyk Language Server Protocol version is correct in the plugin. 
+  - `PROTOCOL_VERSION`  in  `src/snyk/common/constants/languageServer.ts`  
+
+
+**Update Changelog**
+
+- In the plugin/extension repo, make sure the the Changelog is updated with the correct version to be released and the correct changes in the release.
+  - Make sure Early Access are specified correctly for new feature.
+
+
+**Initiate Release**
+
+- If you want to do a hotfix with a subset of commits from main, create a hotfix branch off the previous release tag.
+  - For the hotfix release, cherry pick the commits you want to go into the hotfix release.
+
+- Trigger the release workflow in GitHub Actions.
+  - If this is a hotfix not off main, select the hotfix branch.
+
+
+**Release Notes**
+
+- Edit or generate release notes on GitHub.
+  - Its okay to include all items from any intermediate hotfix releases in the release notes.
+
+
+**Marketplace Availability**
+
+- Check that the new release appears on all relevant Marketplaces.
+
+
+**Installation and Version Verification**
+
+- Install the plugin or extension in the target IDE.    
+- Confirm that the installed version matches the intended release.
+
+
+**CLI Configuration and Verification**
+
+- Ensure the Snyk CLI release channel is set to  `stable`  and automatic update is enabled. 
+
+- Execute the CLI binary in the terminal and verify that the version matches the intended release.
+  - The correct version can be found in the  `#hammerhead-releases`  channel in Slack or in the github cli repo.
+     https://github.com/snyk/cli/releases
+
+
+**Manual End-to-End Test**
+
+- Manually run a scan using the latest version of the plugin to confirm end-to-end functionality.