The PT Application Inspector plugin finds vulnerabilities and undocumented features in application source code. In addition to code analysis, built-in modules detect errors in configuration files and vulnerabilities in third-party components and libraries used in application development. The plugin supports Go, Ruby, C#, PHP, Python, Java, JavaScript, and TypeScript languages.
You can enable or disable the plugin in the folder of an open project. If it is not the first time you are opening the project, the plugin is enabled automatically (scan and action history is saved). You can also set up the plugin to be automatically enabled when a new project is opened.
When the plugin is enabled, the .ai folder is created in the project. This folder contains a database, log files, and a configuration file.
For the plugin to operate correctly, the PT Application Inspector code analyzer is required. You can install it automatically by clicking Download Analyzer in the pop-up notification in the Visual Studio Code interface or manually by downloading it from the link in the instructions below.
To manually install the code analyzer:
Download the archive with the analyzer using one of the links:
In macOS, run the installation file and follow the instructions. In Windows and Linux, unpack the archive to one of the following locations:
In Windows: %LOCALAPPDATA%\Application Inspector Analyzer
In Linux: ~/application-inspector-analyzer
You can start a project scan in the following ways:
PT Application Inspector: Start Scan
PT Application Inspector: Start Full Scan
Note. Before scanning, all changes to the project are automatically saved.
You can monitor the scan progress in the OUTPUT tab. The first scan usually takes longer due to the initial load on the database of vulnerable components.
General scan settings are configured in the .aiproj.json
configuration file. You can create a configuration file and configure scan settings in it by running the command PT Application Inspector: Create Project Settings File
.
You can stop a project scan by running the command PT Application Inspector: Stop Scan
or by clicking [PT AI] Stop Scan in the status bar.
You can find the list of all detected vulnerabilities in the PROBLEMS tab. If you click a vulnerability in the list, the line with its exit point gets highlighted in the code editor.
The [PT AI] DATA FLOW section contains a data-flow diagram that shows how each process converts its input data to output data and how processes interact.
The data-flow diagram consists of the following sections:
You can go to the corresponding place in the code editor from any section of the data-flow diagram.
The [PT AI] EXPLOIT section contains an automatically generated HTTP request (exploit) that you can edit and use to check the vulnerability in a deployed web application.
Note. To exploit a vulnerability, specify the address of the host where your web application is deployed in the .aiproj.json
file. The default value is "localhost."
Note. To send an HTTP request, a third-party extension is required. It is recommended that you use the REST client.
Some vulnerabilities have additional exploitation conditions. They are displayed under [PT AI] ADDITIONAL CONDITIONS.
The contents of the [PT AI] sections depend on the code line selected in the editor.
When you scroll through the sections of the diagram, the vulnerability information is automatically pinned until you move on to another vulnerability. If you want to view information about a certain vulnerability while working on the code, you can pin this vulnerability manually.
Several vulnerabilities can have the same exit point. If these vulnerabilities belong to the same type, they are grouped together and displayed as one problem with different exploitation options. In [PT AI] sections, use the left and right arrows to view detailed information about such vulnerabilities.
Note. If you confirm one vulnerability from the group, the whole problem will be confirmed automatically. To discard an entire problem, you must discard all the vulnerabilities in the group.
The PT Application Inspector plugin contains a set of tools for managing detected vulnerabilities. With these tools, you can do the following:
PT Application Inspector: Show Vulnerabilities
.You can compare results of two scans within a project. To do this, under [PT AI] SCAN HISTORY, select the scans you need and then select Compare Scan Results in the context menu.
Note. The [PT AI] SCAN HISTORY section is displayed only in the developer mode.
The PT Application Inspector plugin can be integrated with PT AI Enterprise Edition. The integration allows several team members to simultaneously work with vulnerabilities and their statuses in the IDE and PT AI Enterprise Edition web interface, thereby increasing code security.
To configure the integration:
Enter the PT AI Enterprise Server URL and sign in to PT AI Enterprise Edition via your SSO system.
Synchronize a local project in Visual Studio Code and a project in PT AI Enterprise Server in one of the following ways:
Upload a local project to PT AI Enterprise Server
Connect a local project to an existing project in PT AI Enterprise Server
Download a project from PT AI Enterprise Server to a local file system
The statuses of detected vulnerabilities are synchronized automatically, and all the team members can assess the current threat level.
For more information about the integration, see the PT AI Enterprise Edition User Guide.
To start working with the plugin, you can enter the following commands into the command palette:
PT Application Inspector: Start Scan
. Start a project scan.PT Application Inspector: Start Full Scan
. Start a full scan of a project.PT Application Inspector: Stop Scan
. Stop the scan.PT Application Inspector: Show Vulnerabilities
. You can also filter vulnerabilities by severity, confirmation, and suppression status. Only the vulnerabilities that match the selected filters will be displayed.PT Application Inspector: Enable
. Enable the plugin for the current project.PT Application Inspector: Disable
. Disable the plugin for the current project.PT Application Inspector: Download Analyzer
. Download the latest version of the code analyzer.PT Application Inspector: Restart
. Restart the plugin.PT Application Inspector: Create .aiignore File
. Create an exclusion configuration file. In the .aiignore
file, you can specify folders, files, and file formats to be excluded from scanning using the .gitignore
file syntax. For more information, see git-scm.com/docs/gitignore.PT Application Inspector: Create Project Settings File
. Create the configuration file aiproj.json
. In the file, you can change default scan settings. You can also use the SkipGitIgnoreFiles setting to exclude from scanning files and folders from the .gitignore
file. By default, this setting is enabled.PT Application Inspector: Connect to PT AI Server
. Connect to PT AI Enterprise Server (command for integration with PT AI Enterprise Edition).PT Application Inspector: Reconnect to PT AI Server (Connected)
. Reconnect to PT AI Enterprise Server (command for integration).PT Application Inspector: Disconnect from PT AI Server
. Disconnect from PT AI Enterprise Server (command for integration).PT Application Inspector: PT AI Server Authentication
. Enter the authentication token (command for integration).PT Application Inspector: Manage Projects
. Display the list of projects from PT AI Enterprise Server (command for integration). With this command, you can select a project in PT AI Enterprise Server and connect your local project to it in Visual Studio Code.PT Application Inspector: Create PT AI Server Project
. Upload a local project from IDE to PT AI Enterprise Server (command for integration).You can configure the plugin settings by going to the action panel and clicking Extensions → PT Application Inspector → the gear icon → Extension Settings.
The plugin configuration page contains the following settings:
For the correct operation of the PT Application Inspector plugin, the following technical requirements must be met:
Supported 64-bit OS:
Supported macOS:
By default, the PT Application Inspector plugin collects anonymous usage data and sends it to our experts so that they can better understand how to improve the product. We do not share the collected information with third parties. We do not collect source code or IP addresses. To stop the data collection, disable the Allow telemetry collection setting.