Soteria is a Visual Studio Code extension that automatically analyzes GitHub Actions workflow files (.yaml / .yml) for misconfigurations and potential issues.
It integrates the soteria tool to provide real-time diagnostics and visualization, helping developers maintain secure and robust CI/CD workflows.
- Automatic workflow scanning: Misconfigurations in `.github/workflows` files are detected automatically and displayed as warnings via the VS Code diagnostics system. The files are checked on save.
- Manual file checking: Run analysis on any open `.yaml` or `.yml` file using the button in the Top Bar or by clicking the "Untracked" button in the Status Bar.
- Detector toggles: Enable or disable individual detectors or detector categories via the "Toggle Detectors" sidebar panel.
- Statistics view:
- Misconfigurations by Detector — Understand which checks are flagging most issues.
- Misconfigurations by Severity — Quickly grasp criticality of current problems.
- New Misconfigurations Over Time — Track progress and catch regressions.
- Remote stats sync (optional): Collected stats can be sent to a remote server for analysis. This feature is disabled by default.
- Fully configurable: Tweak behavior via user/workspace settings.
This extension bundles platform-specific Soteria binaries for:
- Windows (x64 and arm64)
- Linux (x64 and arm64)
- macOS (x64 and arm64)
No manual installation of soteria is needed — the extension selects the correct binary automatically.
You can customize the extension through VS Code's Settings UI or `settings.json`.

| Setting | Description | Default |
|---|---|---|
| `soteria.ignoredPaths` | Paths to ignore during analysis | `["node_modules"]` |
| `soteria.hashFilenamesForStats` | Hash filenames in stats for privacy and size efficiency | `true` |
| `soteria.collectStats` | Whether to collect local statistics | `true` |
| `soteria.maxStatsFileSizeKb` | Maximum size (KB) of the stats file (0 = unlimited) | `1024` |
| `soteria.sendStats` | Enable remote stats submission | `false` |
The extension adds a custom soteria activity bar view with:
- Toggle Detectors: Manage active analysis rules
- Statistics: Interactive charts showing live and historical data
Install from the VS Code Marketplace.
Eduard Bilous — Email
Edoardo Riggio — Email
Cesare Pautasso — Email
Enjoy using soteria and stay secure! 🚀