For years, the industry mantra has been simple: shift security left. Catch issues earlier in CI/CD. Add more scanners. Add more gates.
But here’s the reality most teams run into: by the time developers see a policy violation, they’re already outside their flow. They’re switching contexts—reading logs, parsing CI failures, or digging through dashboards. And even worse, fixing the issue often requires jumping between tools, docs, and policy definitions.
Meanwhile, infrastructure itself has changed. Today’s workflows span:
- Kubernetes manifests
- Dockerfiles
- GitHub Actions pipelines
- AI prompt files
- Skill definitions for agent systems
Policy enforcement hasn’t kept up. So instead of shifting left, the real question becomes: What if policy enforcement lived exactly where developers already work?
The Idea: Policy-as-Code, Directly in the Editor
That question led to building DevGuard—an IDE-native security and governance extension powered by the Nirmata CLI (nctl).
Instead of relying on external services or CI pipelines, DevGuard runs entirely inside the editor: no backend daemon, no long-running service, and no context switching. It brings policy scanning, AI remediation, and governance workflows directly into VS Code, Cursor, and Amazon Kiro. At its core, DevGuard follows a simple model: Detect → Explain → Fix → Govern. All without leaving the IDE.
Most security tooling today falls into two categories that consistently introduce friction:
- Pipeline-Based Scanners: These run in CI/CD after code is written, provide delayed feedback, and require manual debugging.
- Standalone CLI Tools: These are powerful but disconnected from developer workflows, require manual execution, and lack real-time feedback.
Both approaches introduce friction. And friction leads to one thing: ignored security signals.
DevGuard’s Approach: Real-Time, Multi-Surface Scanning
DevGuard treats the IDE as the control plane for policy enforcement. As developers write or edit files, the extension detects the file type, routes it to the appropriate scanner, and surfaces violations instantly.
DevGuard doesn’t just scan Kubernetes—it covers the full modern stack via MCP-based scanning:
- Kubernetes YAML: Detected via heuristics and validated.
- Dockerfiles: Checked for security and best-practice configurations.
- GitHub Actions: CI/CD pipeline security scanning.
- LLM prompt files: Prompt security analysis.
- Skill files: Policy validation for agent workflows (SKILL.md ecosystems).
This is important because governance today isn’t just about infrastructure—it’s about AI, infrastructure, and pipelines working together.
How the Developer Experience Works
From a user perspective, DevGuard feels native to the IDE. On save or edit, files are classified using heuristics (e.g., apiVersion + kind for Kubernetes), and scans are triggered with debounce and cancellation support.
Violations appear immediately as Problems panel entries, editor squiggles, and hover tooltips. Each violation includes the rule ID, severity, policy source, and location path. From there, developers have actionable fixes right in their editor:
- Fix a single violation or fix all violations at once.
- Generate AI-based remediations.
- Request policy exceptions.
AI fixes are applied safely via a diff preview before committing and structured extraction from model outputs.
AI as a First-Class Layer
DevGuard goes beyond static scanning; it integrates AI directly into remediation workflows. Here is what AI does under the hood:
- Generates fixes tailored to the specific file type (Kubernetes, Dockerfile, etc.).
- Explains exactly why a violation exists.
- Produces structured outputs even from messy model responses.
- Handles formatting inconsistencies (like extra code blocks, prose, or malformed outputs).
This is critical because policy violations are rarely trivial. They require understanding intent, not just applying rules.
Architecture: Why CLI-First Matters
One of the biggest design decisions was removing the backend entirely. The DevGuard v2 architecture runs directly inside the IDE host, uses nctl as a subprocess (not a service), and communicates via structured outputs like SARIF and JSON.
Key components include:
- extension.ts → orchestration layer
- nctl.ts → CLI execution + AI handling
- scanTargets.ts → file classification
- diagnostics.ts → IDE integration
- ui.ts → interactions (diffs, panels, status bar)
This design has several major advantages. It ensures portability across VS Code, Cursor, and Amazon Kiro. Having no backend means there are no infrastructure dependencies or uptime concerns. It also ensures strict security, as the CLI is invoked without a shell (shell: false) and exposes no remote execution surface.
The Future of Policy Enforcement
We’re entering a world where AI agents write infrastructure, developers move faster than ever, and governance needs to be proactive and continuous—not reactive and periodic. Policy enforcement can’t live in just pipelines anymore. It has to live inside the development loop.
The goal with DevGuard wasn’t just to build another scanner. It was to rethink where and how policy enforcement happens. By combining CLI-powered scanning, AI-driven remediation, and IDE-native workflows, DevGuard brings security and governance directly into the place where code—and now AI-driven infrastructure—is actually created.
Try Nirmata DevGuard for Visual Studio Code, Cursor and Kiro.
