VS Code Extension
The AI-BOM VS Code extension lets you scan your codebase for AI/ML security risks directly from the editor. It provides real-time detection, inline risk annotations, and an interactive sidebar for browsing results.
Requirements
- VS Code 1.85.0 or higher
- Python 3.10 or higher
- ai-bom Python package
Installation
- Open VS Code
- Go to the Extensions panel (Ctrl+Shift+X / Cmd+Shift+X)
- Search for "AI-BOM"
- Click Install
The extension will check if ai-bom is installed and prompt you to install it if missing. Alternatively, install manually:
```bash
pip install ai-bom
# or
pipx install ai-bom
```
Commands
Open the Command Palette (Ctrl+Shift+P / Cmd+Shift+P):
| Command | Description |
|---|---|
| AI-BOM: Scan Workspace | Scan the entire workspace for AI/ML components |
| AI-BOM: Scan Current File | Scan only the currently open file |
| AI-BOM: Show Results | Open the AI-BOM sidebar view |
| AI-BOM: Clear Results | Clear all scan results |
| AI-BOM: Install Scanner | Install or reinstall the ai-bom CLI tool |
You can also right-click a file in the Explorer or editor and select AI-BOM: Scan Current File.
Features
Sidebar view
The AI-BOM sidebar has two panels:
Scan Results - Browse detected components organized by severity. Click a component to jump to its location in the code. Expand components for detailed information.
Summary - View scan statistics: total components found, highest risk score, scan duration, target path, and timestamp.
Problems panel integration
Detected AI components appear in VS Code's Problems panel with:
- Severity indicators (error/warning/info/hint)
- Component name, type, and risk score
- Related information with risk factors and flags
- Click-to-navigate to the source location
Inline decorations
When enabled, the extension shows:
- Gutter icons indicating component severity
- Inline risk score annotations next to detected lines
- Hover tooltips with detailed component information
- Colored highlights on detected lines
Status bar
The status bar shows a summary of the last scan:
| Status | Meaning |
|---|---|
| AI-BOM: Clean | No components detected |
| AI-BOM: N found | Components detected, no critical/high risks |
| AI-BOM: N high | High-severity components detected |
| AI-BOM: N critical | Critical-severity components detected |
Click the status bar item to open the sidebar.
Scan on save
When enabled, the extension automatically scans files on save. This is useful for continuous monitoring during development but can be disabled for performance.
Configuration
Configure the extension via File > Preferences > Settings (search for "ai-bom"):
| Setting | Default | Description |
|---|---|---|
| `ai-bom.pythonPath` | python3 | Path to Python interpreter |
| `ai-bom.scanOnSave` | false | Automatically scan files on save |
| `ai-bom.severityThreshold` | low | Minimum severity level to display (low, medium, high, critical) |
| `ai-bom.deepScan` | false | Enable deep AST-based analysis (slower but more thorough) |
| `ai-bom.showInlineDecorations` | true | Show inline risk score decorations |
| `ai-bom.autoInstall` | false | Automatically install ai-bom if not found |
Example settings.json
```json
{
  "ai-bom.pythonPath": "/usr/bin/python3",
  "ai-bom.scanOnSave": true,
  "ai-bom.severityThreshold": "medium",
  "ai-bom.deepScan": false,
  "ai-bom.showInlineDecorations": true,
  "ai-bom.autoInstall": false
}
```
Virtual environment
If you use a Python virtual environment, point `ai-bom.pythonPath` to the venv Python:
```json
{
  "ai-bom.pythonPath": "${workspaceFolder}/.venv/bin/python"
}
```
What it detects
The extension uses the same scanner engine as the CLI and detects:
- LLM providers (OpenAI, Anthropic, Google AI, Mistral, Cohere, Ollama, DeepSeek)
- Agent frameworks (LangChain, CrewAI, AutoGen, LlamaIndex, LangGraph)
- Model references (gpt-4o, claude-3-5-sonnet, gemini-1.5-pro, llama-3)
- Hardcoded API keys (sk-, sk-ant-, hf_*)
- AI containers in Dockerfiles
- Cloud AI services in IaC
- MCP server configurations
- n8n AI nodes in workflow JSON files
- Jupyter notebook AI imports
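As an added illustration (not the extension's or the ai-bom scanner's own code), the script below applies hypothetical rules modelled on the categories above to a constructed Python snippet, drops findings below a threshold in the style of `ai-bom.severityThreshold`, and derives the label described in the Status bar table. The rule patterns, their severities and the key-prefix lengths are assumptions made for this example, not the real scanner's rules.

```python
import re
from dataclasses import dataclass

# Severity ranks follow the ai-bom.severityThreshold values documented above.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Hypothetical rules modelled on the "What it detects" list. The real scanner's
# rules, severities and key formats are not shown on this page (assumption).
RULES = [
    ("hardcoded_api_key", "critical", re.compile(
        r"(?<![A-Za-z0-9_])(?:sk-ant-[A-Za-z0-9_-]{8,}|sk-[A-Za-z0-9_-]{8,}|hf_[A-Za-z0-9]{8,})")),
    ("llm_provider", "medium", re.compile(
        r"^\s*(?:from|import)\s+(?:openai|anthropic|mistralai|cohere|ollama)\b")),
    ("agent_framework", "medium", re.compile(
        r"^\s*(?:from|import)\s+(?:langchain|crewai|autogen|llama_index|langgraph)\b")),
    ("model_reference", "low", re.compile(
        r"\b(?:gpt-4o|claude-3-5-sonnet|gemini-1\.5-pro|llama-3)\b")),
]

@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    text: str
def scan_text(source: str, threshold: str = "low") -> list[Finding]:
    # Scan line by line; keep only findings at or above the severity threshold.
    min_rank = SEVERITY_RANK[threshold]
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if SEVERITY_RANK[severity] < min_rank:
                continue  # below ai-bom.severityThreshold: not displayed
            for m in pattern.finditer(line):
                findings.append(Finding(rule, severity, lineno, m.group(0)))
    return findings
def status_label(findings: list[Finding]) -> str:
    # Derive the status-bar text described in the Status bar table.
    if not findings:
        return "AI-BOM: Clean"
    for sev in ("critical", "high"):
        n = sum(f.severity == sev for f in findings)
        if n:
            return f"AI-BOM: {n} {sev}"
    return f"AI-BOM: {len(findings)} found"

# Constructed sample file; the key value is a placeholder, not a real credential.
SAMPLE = '''from openai import OpenAI
from langchain.agents import AgentExecutor
client = OpenAI(api_key="sk-CONSTRUCTED00000000000000")
resp = client.chat.completions.create(model="gpt-4o", messages=[])
'''
```

Running `scan_text(SAMPLE, "medium")` reports the provider import, the agent framework import and the hardcoded key but hides the low-severity model reference, which is exactly how the threshold setting trims what reaches the Problems panel.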
Supported languages
The extension scans files in: Python, JavaScript, TypeScript, YAML, JSON, Dockerfiles, TOML, and more.
Troubleshooting
"ai-bom is not installed"
Install the Python package:
```bash
pip install ai-bom
```
"Scan failed" or "Command not found"
- Check that Python 3.10+ is installed: `python3 --version`
- Verify that ai-bom is installed: `python3 -m pip show ai-bom`
- Check the Output panel (View > Output > AI-BOM Scanner) for error details
- Set an absolute path for `ai-bom.pythonPath`
Slow scans
- Disable `ai-bom.deepScan` for faster scans
- Add an `.ai-bomignore` file to exclude large directories
- Set `ai-bom.scanOnSave` to `false` to avoid scanning on every save
Privacy
The extension runs entirely locally. No data is sent to external servers. All scanning is performed by the open-source AI-BOM CLI. No telemetry or analytics are collected.