RepoGate VS Code Extension
RepoGate is a VS Code extension that acts as a security gatekeeper for your project's dependencies. It watches your dependency manifests for changes and validates each new dependency against your organization's security policies through the RepoGate platform.
Enterprise Dependency Governance
RepoGate embeds automated governance directly into your development lifecycle, preventing costly audit failures and accelerating business velocity.
Installation
From VS Code Marketplace
The easiest way to install RepoGate is directly from the VS Code Marketplace:
- Open VS Code
- Go to Extensions (`Ctrl+Shift+X` or `Cmd+Shift+X`)
- Search for "RepoGate"
- Click Install
Or install directly from the VS Code Marketplace.
From VSIX File
If you have a VSIX file for manual installation:
- Download the latest `.vsix` file
- Open VS Code
- Go to Extensions (`Ctrl+Shift+X` or `Cmd+Shift+X`)
- Click the `...` menu → Install from VSIX...
- Select the downloaded file
- Reload VS Code
Quick Start
1. Configure API Token
After installation, you'll be prompted to configure your API token. This token connects your VS Code extension to your organization's RepoGate platform:
- Click "Open Settings" when prompted
- Or navigate manually: File → Preferences → Settings → search "RepoGate"
- Set your API Token with the `RepoGate: Set API Token` command so it goes straight into VS Code SecretStorage rather than into a settings file
- Set your API URL (default: `https://api.repogate.io/api/v1`)
Secure Token Storage
Your API token is stored using VS Code's SecretStorage API, which keeps it in the credential store VS Code uses for secrets rather than in `settings.json`. A token entered into the plain `repogate.apiToken` setting is migrated to SecretStorage automatically; prefer the `RepoGate: Set API Token` command so the token never passes through a settings file that could be committed.
2. Test Connection
Verify your setup is working correctly:
- Open the Command Palette (`Ctrl+Shift+P` or `Cmd+Shift+P`)
- Run `RepoGate: Test Connection`
- Or click the [Test Connection] link in Settings
3. Initial Scan
On first activation, RepoGate automatically performs an initial scan of your workspace. This process:
- Scans all existing direct dependencies in your workspace
- Sends them to the `/queue` endpoint for baseline review
- Establishes a baseline inventory of current dependencies
- Starts monitoring for any future changes
API Setup
To connect your VS Code extension to the RepoGate platform, you need to configure two essential settings:
API Token
Your API token authenticates your requests to the RepoGate platform. To obtain and configure your token:
- Log in to your RepoGate dashboard at app.repogate.io
- Navigate to Settings → API Tokens
- Generate a new token or copy an existing one
- In VS Code, open the Command Palette and run `RepoGate: Set API Token`
- Paste your token when prompted
API URL
The API URL points to your RepoGate instance. The default value is `https://api.repogate.io/api/v1` for cloud-hosted instances. If you're using a self-hosted or enterprise instance, update this URL to match your deployment. The token is sent with every request, so keep the URL on HTTPS unless you are testing against an instance on your own machine.
Settings
Configure RepoGate behavior through VS Code Settings (Ctrl+, or Cmd+,):
| Setting | Type | Default | Description |
|---|---|---|---|
| `repogate.enabled` | boolean | `true` | Enable or disable dependency monitoring |
| `repogate.apiUrl` | string | `https://api.repogate.io/api/v1` | RepoGate API base URL |
| `repogate.apiToken` | string | `""` | API authentication token; a value set here is migrated to SecretStorage, so leave it empty and use `RepoGate: Set API Token` instead |
| `repogate.pollIntervalMs` | number | `10000` | Status polling interval in milliseconds (minimum 3000) |
| `repogate.includeDevDependencies` | boolean | `true` | Include devDependencies in scans and validation |
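The settings above are the extension's only inputs besides the token, and two of them have security consequences: a token typed into `repogate.apiToken` sits in plain text until it is migrated, and an `http://` API URL sends that token in the clear. The following is an added example in JavaScript, not the extension's own code, showing how a practitioner would validate a settings object before using it: the defaults and the 3000 ms polling floor come from the table; the rule that plain `http://` is tolerated only for loopback hosts, the rejection of credentials embedded in the URL, and the function names are this example's own choices.

```javascript
// Added example, not RepoGate's own code. Defaults and the polling floor
// come from the settings table; the loopback rule and URL-credential check
// are this example's assumptions about sensible behaviour.
const DEFAULTS = {
  enabled: true,
  apiUrl: 'https://api.repogate.io/api/v1',
  apiToken: '',
  pollIntervalMs: 10000,
  includeDevDependencies: true,
};
const MIN_POLL_MS = 3000;

// Plain http is tolerated only for a self-hosted instance on the local machine.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function validateApiUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: `apiUrl is not a valid URL: ${raw}` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'apiUrl must not embed credentials; the token belongs in SecretStorage' };
  }
  const normalized = url.href.replace(/\/+$/, ''); // drop trailing slashes so paths join cleanly
  if (url.protocol === 'https:') return { ok: true, url: normalized };
  if (url.protocol === 'http:' && LOOPBACK_HOSTS.has(url.hostname)) {
    return { ok: true, url: normalized, warning: `plain http to ${url.hostname}; acceptable for local testing only` };
  }
  return { ok: false, reason: `refusing ${url.protocol}//${url.host}: the API token would travel unencrypted` };
}

// Merge user settings over the defaults and report what had to be corrected.
function normalizeSettings(raw = {}) {
  const settings = { ...DEFAULTS, ...raw };
  const warnings = [];
  const errors = [];

  for (const key of ['enabled', 'includeDevDependencies']) {
    if (typeof settings[key] !== 'boolean') {
      warnings.push(`${key} must be a boolean; using default ${DEFAULTS[key]}`);
      settings[key] = DEFAULTS[key];
    }
  }

  if (typeof settings.apiToken === 'string' && settings.apiToken.length > 0) {
    // A token in settings.json is plain text and is easily committed by accident.
    warnings.push('apiToken is set in plain settings; store it with "RepoGate: Set API Token" and clear this setting');
  }

  if (!Number.isFinite(settings.pollIntervalMs) || settings.pollIntervalMs < MIN_POLL_MS) {
    warnings.push(`pollIntervalMs ${settings.pollIntervalMs} is below the ${MIN_POLL_MS} ms floor; clamped`);
    settings.pollIntervalMs = MIN_POLL_MS;
  }

  const urlCheck = validateApiUrl(settings.apiUrl);
  if (urlCheck.ok) {
    settings.apiUrl = urlCheck.url;
    if (urlCheck.warning) warnings.push(urlCheck.warning);
  } else {
    errors.push(urlCheck.reason);
  }

  return { settings, warnings, errors };
}

// Constructed sample: a developer pointed the extension at a remote http host,
// pasted the token into settings, and set a 500 ms polling interval.
console.log(JSON.stringify(
  normalizeSettings({ pollIntervalMs: 500, apiUrl: 'http://repogate.internal/api/v1', apiToken: 'rg_live_abc' }),
  null, 2));
```

The point of returning `errors` separately from `warnings` is that a non-HTTPS remote URL should stop the extension from sending anything, whereas a low polling interval or a lingering plain-text token is something to correct and report, not a reason to disable monitoring.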
Commands
Access these commands via Command Palette (Ctrl+Shift+P or Cmd+Shift+P):
| Command | Description |
|---|---|
| `RepoGate: Test Connection` | Test API connectivity and authentication |
| `RepoGate: Scan Now` | Manually scan all packages and send them to `/queue` |
| `RepoGate: Show Output` | Open the RepoGate log output channel |
| `RepoGate: Clear Diagnostics` | Clear all RepoGate diagnostics from the Problems panel |
| `RepoGate: Set API Token` | Configure or update your API token |
| `RepoGate: Clear API Token` | Remove the stored API token |
How It Works
Initialization Flow
When you first install RepoGate or open a workspace with the extension enabled, the following initialization sequence occurs:
- First Install: The extension scans all existing packages and sends them to the `/queue` endpoint
- Baseline Established: The RepoGate platform receives an inventory of current dependencies
- Watchers Start: File watchers activate only after a successful scan
- Continuous Monitoring: The extension watches for any dependency changes
When You Add a New Dependency
When you add a new dependency to your project, RepoGate follows this workflow:
- Detection: The extension detects changes in `package.json` (watchers for `pom.xml` and `build.gradle` are planned but not yet implemented)
- Request: Sends `POST /dependencies/request` with the package information
- Polling: Checks status via `POST /dependencies/check` every `repogate.pollIntervalMs` milliseconds (10 seconds by default)
- Notification: Shows the approval or denial status to the developer
- Diagnostics: Adds an entry to the VS Code Problems panel
Non-Blocking Workflow
RepoGate alerts you to denied packages without interrupting your development workflow. You can continue working while awaiting approval decisions. The flip side is that a denied package is not removed for you: the error diagnostic stays in the Problems panel until you remove or revert the package yourself.
When You Remove a Denied Package
If you remove a package that was previously denied:
- Detection: The extension detects the package removal
- Notification: Sends `POST /dependencies/update` with the removal information
- Confirmation: Shows a "Platform has been notified" message
- Cleanup: Removes the diagnostic from the Problems panel
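The initial scan, the add workflow and the remove workflow above all start from the same operation: read `package.json`, list its direct dependencies, and compare that list with the previous one. The following is an added example in JavaScript, not the extension's own code, that does exactly that and turns the result into the `/queue`, `/dependencies/request` and `/dependencies/update` calls described above. The endpoint paths and the `includeDevDependencies` behaviour come from this page; the request body fields, the `workspace` identifier, and the choice to re-request a package whose version range changed are this example's assumptions. The two `package.json` documents are constructed sample input.

```javascript
// Added example, not RepoGate's own code. Endpoint paths come from the README;
// body field names and the version-bump handling are assumptions.

// Parse package.json and list its direct dependencies. A half-saved or broken
// file must not crash the watcher, so parse errors are returned, not thrown.
function collectDirectDependencies(packageJsonText, includeDevDependencies = true) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (err) {
    return { ok: false, error: `package.json is not valid JSON: ${err.message}`, deps: [] };
  }
  if (!pkg || typeof pkg !== 'object' || Array.isArray(pkg)) {
    return { ok: false, error: 'package.json must contain an object', deps: [] };
  }
  const sections = [['dependencies', false]];
  if (includeDevDependencies) sections.push(['devDependencies', true]);
  const deps = [];
  for (const [section, dev] of sections) {
    const table = pkg[section];
    if (!table || typeof table !== 'object' || Array.isArray(table)) continue;
    for (const [name, range] of Object.entries(table)) {
      if (typeof range !== 'string') continue; // ignore malformed entries
      deps.push({ ecosystem: 'npm', name, range, dev });
    }
  }
  deps.sort((a, b) => a.name.localeCompare(b.name));
  return { ok: true, deps };
}

// Baseline inventory sent on first activation (body shape assumed).
function buildQueuePayload(deps, workspace) {
  return { method: 'POST', path: '/queue', body: { workspace, dependencies: deps } };
}

// Compare the previous inventory with the new one, keyed by package name.
function diffDependencies(before, after) {
  const prev = new Map(before.map((d) => [d.name, d]));
  const next = new Map(after.map((d) => [d.name, d]));
  const added = [];
  const removed = [];
  const changed = [];
  for (const [name, dep] of next) {
    const old = prev.get(name);
    if (!old) added.push(dep);
    else if (old.range !== dep.range) changed.push({ ...dep, previousRange: old.range });
  }
  for (const [name, dep] of prev) {
    if (!next.has(name)) removed.push(dep);
  }
  return { added, removed, changed };
}

// Turn a diff into the platform calls described above. `denied` is the set of
// package names currently marked denied; only their removal is reported,
// matching the "When You Remove a Denied Package" flow.
function buildRequests(diff, workspace, denied = new Set()) {
  const requests = [];
  // A changed version range can resolve to a different, unreviewed release,
  // so this example re-requests it like a new package (assumption).
  for (const dep of [...diff.added, ...diff.changed]) {
    requests.push({
      method: 'POST',
      path: '/dependencies/request',
      body: { workspace, ecosystem: dep.ecosystem, name: dep.name, range: dep.range, dev: dep.dev },
    });
  }
  for (const dep of diff.removed) {
    if (!denied.has(dep.name)) continue;
    requests.push({
      method: 'POST',
      path: '/dependencies/update',
      body: { workspace, ecosystem: dep.ecosystem, name: dep.name, action: 'removed' },
    });
  }
  return requests;
}

// Constructed sample input: the manifest before and after a developer edits it.
const BEFORE = JSON.stringify({
  name: 'demo-app',
  dependencies: { express: '^4.19.2', 'left-pad': '1.3.0' },
  devDependencies: { jest: '^29.7.0' },
});
const AFTER = JSON.stringify({
  name: 'demo-app',
  dependencies: { express: '^4.19.2', lodash: '^4.17.21' },
  devDependencies: { jest: '^29.7.0', eslint: '^9.0.0' },
});

function runDemo(includeDevDependencies = true) {
  const before = collectDirectDependencies(BEFORE, includeDevDependencies).deps;
  const after = collectDirectDependencies(AFTER, includeDevDependencies).deps;
  const diff = diffDependencies(before, after);
  // left-pad was denied earlier, so its removal is reported to the platform.
  return buildRequests(diff, 'demo-app', new Set(['left-pad']));
}

console.log(JSON.stringify(buildQueuePayload(collectDirectDependencies(BEFORE).deps, 'demo-app'), null, 2));
console.log(JSON.stringify(runDemo(), null, 2));
```

Two details matter for a watcher like this: a manifest that is mid-edit is often not valid JSON, so the parser must fail soft and keep the previous inventory, and a version-range change is worth treating as a new request because the resolved package can differ from what was reviewed, even though the name did not change.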
Status Values
RepoGate uses several status values to communicate the approval state of dependencies. Understanding these statuses helps you know what action to take:
| Status | Icon | Meaning | Action Required |
|---|---|---|---|
| `approved` | ✓ | Package is safe to use | None required |
| `denied` | ❌ | Package is blocked by security policy | Remove or revert the package |
| `pending` | ⏳ | Awaiting security review | Wait for the approval decision |
| `scanning` | 🔍 | Being scanned for vulnerabilities | Wait for scan results |
| `not_found` | ❓ | Package not in the database | None; a review request is submitted automatically |
User Interface
Status Bar
The status bar indicator appears in the bottom-right corner of VS Code and shows the current connection status (the `$(...)` names are VS Code codicons):
- `$(check) RepoGate`: connected and monitoring
- `$(sync~spin) RepoGate`: checking dependencies
- `$(error) RepoGate`: connection error
- `$(circle-slash) RepoGate`: disabled (no token configured)
When there are pending or denied packages, counts are shown: RepoGate (2 pending, 1 denied)
Click the status bar item to open the Output channel for detailed logs.
Problems Panel
Denied and pending packages appear in the VS Code Problems panel with different severity levels:
- Error (red): Denied packages that must be removed
- Warning (yellow): Pending or not found packages
- Info (blue): Packages currently being scanned
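The polling step in the add workflow, the status values, and the severity mapping above fit together as one loop: ask `/dependencies/check` until a terminal status arrives, wait the configured interval between attempts, and translate each status into a Problems-panel severity. The following is an added example in JavaScript, not the extension's own code, of that loop with the two failure modes a practitioner cares about handled explicitly: a transport error must never be read as a decision, and giving up must leave the package visible as pending rather than silently dropping it. The terminal states, the 3000 ms floor and the severity mapping come from this page; the request and response shape of `/dependencies/check`, the `maxAttempts` cut-off and the fake platform used to drive the loop are this example's assumptions.

```javascript
// Added example, not RepoGate's own code. The /dependencies/check body and
// response shape are assumptions; terminal states, the 3000 ms floor and the
// severity mapping come from the README.

const POLL_FLOOR_MS = 3000;
const TERMINAL = new Set(['approved', 'denied']);

// Status -> Problems-panel severity. Unknown statuses are treated as a
// warning, never as approval, so an unexpected platform response fails safe.
function severityFor(status) {
  switch (status) {
    case 'approved': return null;      // logged only, no diagnostic
    case 'denied': return 'error';
    case 'pending':
    case 'not_found': return 'warning';
    case 'scanning': return 'info';
    default: return 'warning';
  }
}

function clampInterval(ms, floor = POLL_FLOOR_MS) {
  return Number.isFinite(ms) && ms >= floor ? ms : floor;
}

// check(body) resolves to { status }; sleep(ms) resolves after the delay.
// Both are injected so the loop can be driven by the fake below.
async function pollUntilDecided(pkg, { check, sleep, pollIntervalMs = 10000, maxAttempts = 30 }) {
  const interval = clampInterval(pollIntervalMs);
  const history = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    let status;
    try {
      ({ status } = await check({ ecosystem: 'npm', name: pkg.name, range: pkg.range }));
    } catch (err) {
      // A transport error is not a decision: record it and keep polling.
      history.push(`error:${err.message}`);
      await sleep(interval);
      continue;
    }
    history.push(status);
    if (TERMINAL.has(status)) {
      return { name: pkg.name, status, severity: severityFor(status), attempts: attempt, timedOut: false, history };
    }
    await sleep(interval);
  }
  // Gave up: keep the package visible as pending rather than silently dropping it.
  return { name: pkg.name, status: 'pending', severity: 'warning', attempts: maxAttempts, timedOut: true, history };
}

// Constructed fake platform: replays a scripted sequence, then repeats the last entry.
function scriptedCheck(responses) {
  let i = 0;
  return async () => {
    const next = responses[Math.min(i, responses.length - 1)];
    i++;
    if (next instanceof Error) throw next;
    return { status: next };
  };
}

function runDemo() {
  const check = scriptedCheck(['not_found', 'scanning', new Error('ECONNRESET'), 'pending', 'denied']);
  return pollUntilDecided(
    { name: 'left-pad', range: '1.3.0' },
    { check, sleep: async () => {}, pollIntervalMs: 500 } // 500 ms is clamped to the 3000 ms floor
  );
}

runDemo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

Injecting `sleep` is what makes the loop testable without waiting: the real extension passes a timer-backed implementation, while the demo passes one that resolves immediately. The `history` array is worth keeping in a real implementation too, because it is the only record of how long a package sat in `scanning` or how many transport errors were swallowed along the way.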
Notifications
RepoGate shows notifications for important events:
- Approved: Silent (logged only, no interruption)
- Denied: Error notification with "View Details" button
- Pending: Info notification
- Scanning: Info notification
- Removed: Confirmation notification (for denied packages)
Supported Package Managers
RepoGate currently monitors the following package ecosystems and their associated files:
| Ecosystem | Files Monitored | Status |
|---|---|---|
| npm | `package.json` | ✅ Fully Supported |
| Maven | `pom.xml` | 🚧 Planned |
| Gradle | `build.gradle`, `build.gradle.kts` | 🚧 Planned |
Current Limitations
Maven and Gradle watchers are planned but not yet implemented in the current version. Only npm (package.json) is fully supported at this time.
Security & Privacy
Token Storage
RepoGate uses VS Code's SecretStorage API to store your API token. This provides:
- Encryption: The token lives in the credential store VS Code uses for SecretStorage, not in a settings file
- Automatic Migration: A token previously stored in the plain `repogate.apiToken` setting is migrated to SecretStorage automatically; confirm the setting is empty afterwards so no plain-text copy is left in `settings.json`
- Secure Access: SecretStorage is namespaced per extension, so other extensions cannot read RepoGate's token through the VS Code API
Logging & Data Sanitization
Sensitive values are redacted from the Output channel before they are written, including:
- API tokens
- Passwords
- Authentication headers
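The redaction described above is the kind of thing worth verifying rather than assuming, because a verbose HTTP client will happily print the `Authorization` header, the settings object and any proxy URL it was given. The following is an added example in JavaScript, not the extension's own sanitizer, of a line-level redactor covering the three categories listed above plus credentials embedded in URLs, run over constructed log lines. The patterns, the `[REDACTED]` marker and the sample lines are all this example's own.

```javascript
// Added example, not RepoGate's own sanitizer. Patterns and log lines are
// constructed for this example.

const REDACTED = '[REDACTED]';

// Each entry keeps what group 1 captured and replaces the secret after it.
const PATTERNS = [
  {
    // Authorization / Proxy-Authorization headers in header dumps or JSON;
    // the scheme stays visible, the credential does not.
    name: 'auth-header',
    re: /(\b(?:proxy-)?authorization\b["']?\s*[:=]\s*["']?(?:(?:bearer|basic|token|digest|negotiate|ntlm)\s+)?)([^"'\r\n,}]+)/gi,
    to: (_m, keep) => keep + REDACTED,
  },
  {
    // scheme://user:password@host
    name: 'url-userinfo',
    re: /(\b[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:)([^\s@\/]+)@/gi,
    to: (_m, keep) => `${keep}${REDACTED}@`,
  },
  {
    // token / api_token / apiToken / password / secret in key=value, key: value or JSON form.
    name: 'secret-field',
    re: /(\b(?:api[_-]?token|access[_-]?token|token|password|passwd|secret)\b["']?\s*[:=]\s*["']?)([^"'\s,}&]+)/gi,
    to: (_m, keep) => keep + REDACTED,
  },
  {
    // Bare JWTs (header.payload.signature in base64url) anywhere in the line.
    name: 'jwt',
    re: /\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}/g,
    to: () => REDACTED,
  },
];

function redactLine(line) {
  let out = line;
  let hits = 0;
  for (const { re, to } of PATTERNS) {
    out = out.replace(re, (...args) => {
      hits++;
      return to(...args);
    });
  }
  return { line: out, hits };
}

function redactLog(lines) {
  let redactions = 0;
  const out = lines.map((l) => {
    const r = redactLine(l);
    redactions += r.hits;
    return r.line;
  });
  return { lines: out, redactions };
}

// Constructed Output-channel lines of the kind a verbose HTTP client would emit.
const SAMPLE_LOG = [
  'POST https://api.repogate.io/api/v1/dependencies/check',
  'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZXYifQ.s3cr3tS1gnatur3Part',
  'settings: {"apiUrl":"https://api.repogate.io/api/v1","apiToken":"rg_live_abc123"}',
  'proxy: http://user:hunter2@proxy.internal:3128  password=hunter2',
  'request queued: left-pad@1.3.0 status=pending',
];

for (const line of redactLog(SAMPLE_LOG).lines) console.log(line);
```

Pattern order matters: the header rule runs first so a bearer JWT is removed together with its scheme, and the bare-JWT rule at the end catches tokens that appear without any key at all. A redactor like this belongs in front of the log sink, not in the code that builds each message, so that a new log statement cannot bypass it.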
Best Practices
- Always use HTTPS API URLs in production environments
- Rotate API tokens regularly
- Limit token permissions to only what's necessary
- Never commit API tokens to version control
Troubleshooting
"No API token configured"
Solution:
- Open Settings → search "RepoGate"
- Run the command `RepoGate: Set API Token`
- Enter your API token
- Run `RepoGate: Test Connection` to verify
"Connection failed"
Possible Causes:
- RepoGate service not running
- Wrong API URL or port
- Invalid API token
- Network or firewall issues
Solution:
- Verify the RepoGate service is running
- Check the API URL in settings
- Run the `RepoGate: Test Connection` command
- Check the Output channel for detailed error messages
"Bootstrap failed"
Cause: The initial package scan failed. File watchers start only after a successful scan, so nothing is monitored until this is resolved.
Solution:
- Check the API connection status
- Run `RepoGate: Test Connection`
- Run `RepoGate: Scan Now` to retry the scan
Packages not being monitored
Solution:
- Check that `repogate.enabled` is set to `true`
- Verify the API token is configured
- Check the Output channel for errors
- Ensure the file is not in `node_modules` or another excluded directory
Requirements
- VS Code: Version 1.85.0 or higher
- RepoGate API: Running instance with valid token
- Network: Access to RepoGate API server
Known Limitations
- Manual Installation: Developers can still install packages from the command line. The extension observes changes to `package.json` and reports the decision; it does not block `npm install`, so enforcement has to happen elsewhere (for example in CI or at the registry).
- Transitive Dependencies: Only the direct dependencies declared in `package.json` are monitored. Packages pulled in transitively, including anything that appears only in `package-lock.json`, are not tracked.
- Offline Mode: A network connection to the RepoGate API is required; scans and status checks do not work offline.
- npm Only: Maven and Gradle watchers are planned but not yet implemented.
Support & Resources
Need help? We're here to assist you:
- Documentation: https://repogate.io/docs
- Email Support: support@repogate.io
- GitHub Repository: SectorFlow/repogate-extension-vscode
- Report Issues: GitHub Issues
Made with ❤️ for secure software development
RepoGate is committed to helping security teams and developers work together seamlessly to build secure, compliant software.
License
MIT License - See LICENSE file for details.