Installation

Code Scrubber ships as a .vsix file — no marketplace account required.

Step 1 — Download

Grab the latest release from the GitHub releases page. The file will be named code-scrubber-1.0.0.vsix.

Step 2 — Install in VSCode

Open the command palette (Ctrl+Shift+P or Cmd+Shift+P) and run:

Extensions: Install from VSIX...

Navigate to the downloaded file and confirm. VSCode will prompt you to reload.

Step 3 — Done

The extension activates on every workspace. Detected credentials appear immediately in the Problems tab.

Note: The extension runs entirely locally. No data leaves your machine.

Quick start

Open any project and check the Problems tab at the bottom of VSCode. Detected credentials show up with filename and line number.

Fix a credential

Click the warning to jump to the line. Press Ctrl+. to see quick fixes:

  • Move to .env file
  • Upload to AWS Secrets Manager
  • Dismiss (mark as intentional)

Tip: Run Code Scrubber: Scan Git History to check past commits too.

Scanning

Two detection methods run in combination on every save.

Regex matching

Known credential formats — AWS keys, Stripe keys, GitHub tokens — matched against curated patterns.

Shannon entropy

Measures character randomness. Strings above the threshold get flagged as likely credentials.

# entropy threshold (default: 4.5 bits/char)
"entropy.threshold": 4.5
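The sketch below is an added example, not Code Scrubber's source, showing how regex matching and a Shannon entropy threshold complement each other. The three patterns, the 20-character candidate rule and the sample lines are assumptions constructed for illustration; the first sample reuses the Stripe key from this page's refactoring example.

```javascript
// Added example, not Code Scrubber's source. Patterns are simplified assumptions.
const PATTERNS = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'stripe-live-key', re: /\bsk_live_[0-9A-Za-z]{16,}\b/ },
  { name: 'github-token', re: /\bghp_[0-9A-Za-z]{36}\b/ },
];
// Candidate tokens: runs of 20+ key-like characters (assumed minimum length).
const CANDIDATE = /[A-Za-z0-9+\/_-]{20,}={0,2}/g;

// Shannon entropy in bits per character: H = -sum(p * log2(p)).
function shannonEntropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Regex first (known formats), entropy second (unknown formats).
function scanLine(line, threshold = 4.5) {
  const findings = [];
  for (const [token] of line.matchAll(CANDIDATE)) {
    const entropy = shannonEntropy(token);
    const known = PATTERNS.find((p) => p.re.test(token));
    if (known) findings.push({ token, rule: known.name, entropy });
    else if (entropy > threshold) findings.push({ token, rule: 'high-entropy', entropy });
  }
  return findings;
}

// Constructed sample lines; the first uses the key from the Refactoring section.
const SAMPLES = [
  "const client = stripe('sk_live_4xKj9mNpQr7vWzXy');",
  'const token = "q7Zt2LmXv9RbK4sNw8JhP3cYd6FgA1uE5oTiB0Wz";',
  'const digest = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b";',
];

for (const threshold of [4.5, 3.5]) {
  for (const line of SAMPLES) {
    for (const f of scanLine(line, threshold)) {
      console.log(`threshold=${threshold} ${f.rule} H=${f.entropy.toFixed(2)} ${f.token}`);
    }
  }
}
```

In this sketch the short Stripe key scores about 4.42 bits/char, under the 4.5 default, so only the regex catches it. The hex digest is reported only once the threshold is lowered to 3.5, which is the sensitivity versus false-positive trade-off the setting controls.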

Git history scan

Run Code Scrubber: Scan Git History from the command palette to check all past commits in your local repo.

Refactoring

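The refactor action moves a detected credential into a .env file and rewrites the reference. Moving the value does not remove it from commits that already contain it, so rotate any key that was committed.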

Before

const client = stripe('sk_live_4xKj9mNpQr7vWzXy');

After

const client = stripe(process.env.STRIPE_SECRET_KEY);

And in your .env:

STRIPE_SECRET_KEY=sk_live_4xKj9mNpQr7vWzXy

Remember: Add .env to your .gitignore. Code Scrubber will warn you if it's missing.

AWS Secrets Manager

If you have AWS credentials configured locally, Code Scrubber can push secrets directly to AWS and rewrite your code to fetch them at runtime.

Requirements

  • AWS CLI installed and configured (aws configure)
  • IAM permissions: secretsmanager:CreateSecret, secretsmanager:PutSecretValue

Note: This feature is optional. You don't need an AWS account to use Code Scrubber.

Configuration

All settings live in VSCode settings.json under the codeScrubber namespace.

{
  "codeScrubber.entropy.threshold": 4.5,
  "codeScrubber.scanOnSave": true,
  "codeScrubber.ignorePaths": ["**/test/**", "**/*.md"],
  "codeScrubber.gitHistory.enabled": false
}

Options

  • entropy.threshold — float, 3.0–6.0. Lower = more sensitive.
  • scanOnSave — re-scan the file on every save.
  • ignorePaths — glob patterns to skip.
  • gitHistory.enabled — auto-scan git history on workspace open.

FAQ

Does it send my code anywhere?

No. Everything runs locally in the VSCode extension process. No telemetry, no cloud scanning.

Why is it flagging something that isn't a key?

Entropy detection has false positives. Long random-looking strings (hashes, UUIDs, base64 data) can trigger it. Dismiss individual warnings or raise the entropy threshold in settings.

Does it work with languages other than JavaScript?

Yes — it scans plain text and works with any language. The refactor-to-.env action currently generates JavaScript syntax; Python support is on the roadmap.

Can I use it without Git?

Yes. The workspace scanner works without a git repo. The git history feature simply won't be available.