Installation

Arcwall is available on the VS Code Marketplace. It works in VS Code, Cursor, and Windsurf.

Install from the Marketplace

Search "Arcwall" in your IDE's extension marketplace, or open the Arcwall listing on the VS Code Marketplace and install directly from there.

Install from VSIX

If you prefer to install manually:

Get Your API Key

Arcwall requires an API key to authenticate your scans.

Note: Your API key is shown once on screen. It is also sent to your email as a reminder. Save it in your password manager.

Configure in VS Code

Once you have your key:

First Scan

Open any project folder in VS Code, then:

// Press Ctrl+Shift+P to open the Command Palette
Arcwall: Build Threat Model (Code)
 
// Arcwall scans your repo locally
✓ Scanning 47 files...
✓ Trust boundaries: 3 Data flows: 6
 
⚠ CRITICAL — Elevation of Privilege [FROM CODE]
  JWT claims not validated at API boundary
 
✓ Threat model saved → arcwall-threat-model.md

Results appear in a panel beside your editor. You can save them as a Markdown file or export as a PDF evidence package.

Build (Code) Command

Scans your repository and produces a STRIDE threat model based on what Arcwall finds in your code.

What it scans

Supported languages

TypeScript, JavaScript, Python, Go, Java, C#, Ruby. Additional languages are in the roadmap.

What gets sent to Arcwall

Only a structured summary of security-relevant signals — not your source code. The scanner runs locally on your machine and extracts patterns before sending anything.

Design Command

Produces a threat model from a design description — no code required. Use this at the architecture stage before writing code.

How it works

Running the command opens a series of input prompts in VS Code:

Arcwall produces a full STRIDE model from your answers.

Review Command

Scores an existing threat model against the OWASP ASVS baseline and produces a gap analysis.

How to use it

Scan AI Assets (MCP + Skills + Plugins)

Scans your workspace for AI asset configuration files and analyzes them for security vulnerabilities.

MCP Server Configs

Analyzes .cursor/mcp.json, .vscode/mcp.json, and other MCP configuration files for:

Mapped to OWASP LLM Top 10 and MITRE ATLAS.

Skill Files

Analyzes SKILL.md and agent skill definitions for:

Mapped to OWASP LLM01, LLM08.

Plugin Manifests

Analyzes ai-plugin.json, openapi.yaml, and plugin manifests for:

Mapped to OWASP LLM07, OWASP API Top 10.

Example output

⚠ CRITICAL — Prompt Injection — fetch_data Tool
Description: Tool description contains instructions that override agent behavior.
Component: .cursor/mcp.json → fetch_data
Remediation: Use neutral factual descriptions only.
OWASP: LLM01 — Prompt Injection   MITRE ATLAS: AML.T0051

Scan for Secrets

Scans your entire codebase for hardcoded credentials before they reach production.

What it detects

Example output

⚠ CRITICAL — Hardcoded Secret — AWS Access Key
Description: AWS access key found hardcoded in source.
Component: config/aws.ts line 14
Remediation: Move to environment variables. Rotate the exposed key immediately in AWS IAM.
CWE: CWE-798 — Use of Hard-coded Credentials
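As an added illustration of what a secrets scanner of this kind does (example code written for this page, not Arcwall's own scanner or rule set, which the page does not publish), the following Python scans file contents line by line for a few well-known credential formats and reports each hit in the same shape as the panel output above. The sample config/aws.ts content, the pattern list and the function names are this example's own constructions; the access key in the sample is AWS's documented example key, not a live credential.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# Signature patterns for a few well-known credential formats. These are this
# example's own rules, not Arcwall's rule set.
SECRET_PATTERNS = {
    "AWS Access Key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "Private Key Block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    severity: str
    kind: str
    path: str
    line: int
    cwe: str = "CWE-798"  # Use of Hard-coded Credentials


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and report every line carrying a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding("CRITICAL", kind, path, lineno))
    return findings


def scan_files(paths: Iterable[Path]) -> List[Finding]:
    """Scan real files on disk; undecodable bytes are replaced rather than aborting the scan."""
    findings = []
    for p in paths:
        findings.extend(scan_text(str(p), p.read_text(encoding="utf-8", errors="replace")))
    return findings


def format_finding(f: Finding) -> str:
    """Render a finding in the same shape as the panel output shown above."""
    return (f"⚠ {f.severity} — Hardcoded Secret — {f.kind}\n"
            f"Component: {f.path} line {f.line}\n"
            f"Remediation: Move the value to environment variables and rotate the exposed credential.\n"
            f"CWE: {f.cwe} — Use of Hard-coded Credentials")


# Constructed sample of a TypeScript config file (not a real project file).
SAMPLE_AWS_TS = """// config/aws.ts (constructed sample for this example)
import { S3Client } from "@aws-sdk/client-s3";

export const region = "us-east-1";
export const bucket = "reports";

// Correct: the running process supplies credentials (env vars or an IAM role).
export const client = new S3Client({ region });

// Defect: a literal key left in a "temporary" fallback. The scanner reports
// this line under CWE-798; the fix is to delete it and rotate the key in
// AWS IAM, since the value is already in Git history.
export const fallbackCredentials = {
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "<redacted>",
};
"""

if __name__ == "__main__":
    for finding in scan_text("config/aws.ts", SAMPLE_AWS_TS):
        print(format_finding(finding))
```

Running the block reports a single CRITICAL finding on line 14 of the sample; the line that reads credentials from process.env is not flagged, which is the shape of fix the remediation text above asks for.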

Web Platform

All Arcwall scanners are available from the web at arcwall.io — no local setup required.

Web Questionnaire

Answer 5 questions about your system at arcwall.io/analyze.html and get a full STRIDE threat model in under 60 seconds. No code access required.

Architecture Diagram Upload

Upload a PNG, JPG, or WebP diagram from Lucidchart, Draw.io, Miro, or any diagramming tool. Arcwall extracts components and data flows automatically.

Scan Hub

Run all scanners from one page at arcwall.io/scan.html: MCP Security Scan, Skill File Scanner, Plugin Scanner, AI Code Scanner, Secrets Detection, IaC Scanner, API Security Scanner, LLM Prompt Security Testing, SARIF Import.

GitHub OAuth Scanning

Connect GitHub at arcwall.io/integrations.html to scan repos directly from the browser. No local setup required.

Scheduled Scanning

Set up automatic scans at arcwall.io/scan.html. Choose the repo, scan type, and frequency (daily, weekly, monthly). Your security lead is notified on each run.

Security Posture Dashboard

View your security posture at arcwall.io/posture.html. The dashboard shows your posture score, coverage matrix, and scan history.

Integrations

Slack

Connect at arcwall.io/integrations.html. Every scan result posts to your chosen channel. Configure via webhook URL or OAuth.

Jira

Connect at arcwall.io/integrations.html. CRITICAL and HIGH findings automatically create Jira tickets with full details and remediation steps.

GitHub Actions

Add to your CI/CD pipeline:

- name: Arcwall Security Scan
  uses: rom-baro/arcwall-action@v1
  with:
    api-key: ${{ secrets.ARCWALL_API_KEY }}
    repo-name: ${{ github.repository }}

CRITICAL and HIGH findings fail the workflow.

SARIF Import

Import findings from Semgrep, Trivy, GitHub GHAS, Checkov, CodeQL, Snyk at arcwall.io/scan.html.

Settings Reference

arcwall.apiKey
Your Arcwall API key. Get one at arcwall.io. Required for all commands.
arcwall.backendUrl
The Arcwall backend URL. Default: https://arcwall-production.up.railway.app. Change this for self-hosted Enterprise deployments.
arcwall.securityLeadEmail
Email address of your security lead. They will be notified when a new threat model is ready for review (Pro plan only).

Export & Share

Save as Markdown

Click Save as .md in the results panel. Arcwall saves the threat model as arcwall-threat-model.md in your project root. Commit it to Git for version history.

Export as PDF (Pro)

Click Export PDF in the results panel. Arcwall generates a formatted PDF evidence package — dated, signed, pinned to a document ID. Saved as arcwall-threat-model.pdf in your project root.

Dashboard

Every scan is saved to your Arcwall dashboard. Go to arcwall.io/dashboard.html, enter your API key, and see all your threat models in one place. Click any model to open the full review page.

Confidence Tags

Every finding includes a confidence tag that tells you how certain Arcwall is about the risk.

[FROM CODE]
Finding is directly observed in your code. High confidence — something is demonstrably present or absent.
[INFERRED]
Finding is based on patterns that strongly suggest a risk, but not definitively proven from code alone. Worth investigating.
[NEEDS INPUT]
Arcwall identified a potential risk but needs your confirmation. Respond in the VS Code panel or in the results dashboard.
[FROM DESIGN]
Finding is based on the design description you provided. Used in Design-stage threat models only.

REST API

All Arcwall commands are available via REST API for CI/CD integration and custom tooling.

Authentication

// Include your API key in every request
x-api-key: aw_your_api_key_here

Endpoints

// Public — no auth required
POST /signup
GET /health
POST /api/auth/login
POST /api/auth/forgot-password
POST /api/auth/reset-password
 
// Account
GET /api/me
POST /api/rotate-key
POST /api/auth/change-password
 
// Threat Modeling
POST /api/build-threat-model
POST /api/design-threat-model
POST /api/review-threat-model
POST /api/analyze-threats
POST /api/enrich-threats
POST /api/extract-model
 
// AI Security Scanning
POST /api/scan-mcp
POST /api/scan-skills
POST /api/scan-plugin
POST /api/scan-ai-code
POST /api/scan-secrets
POST /api/scan-iac
POST /api/scan-api
POST /api/scan-prompt
 
// GitHub
GET /api/github/connect
GET /api/github/status
GET /api/github/repos
POST /api/github/scan
POST /api/github/disconnect
 
// Scheduled Scans
POST /api/scheduled-scans
GET /api/scheduled-scans
DELETE /api/scheduled-scans/:id
 
// Integrations
POST /api/slack/webhook
GET /api/slack/status
POST /api/slack/disconnect
POST /api/jira/connect
GET /api/jira/status
POST /api/jira/disconnect
 
// Export
POST /api/export-pdf
POST /api/import-sarif

Base URL: https://arcwall-production.up.railway.app  |  All /api/* routes require the x-api-key header. Public routes (/signup, /health, /api/auth/*) do not require auth.
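To show how the x-api-key rule from the Authentication section and the public/authenticated split above apply in a client, here is an added Python example (not Arcwall's SDK or the project's own code) that builds requests against the documented base URL, attaches x-api-key only to routes that need it, and refuses to proceed when the key is absent from the environment. The function names and the ARCWALL_API_KEY variable name are this example's assumptions; request body schemas for the endpoints are not documented on this page, so the example covers only the transport and auth layer.

```python
import json
import os
import urllib.request
from urllib.parse import urljoin

# Base URL and the auth rule come from this page; the env var name and the
# function names are this example's own choices.
BASE_URL = "https://arcwall-production.up.railway.app"
API_KEY_ENV = "ARCWALL_API_KEY"


def requires_api_key(path: str) -> bool:
    """True for routes that need the x-api-key header.

    Rule from the page: every /api/* route needs the key, except the public
    /api/auth/* routes; /signup and /health are public as well."""
    if path in ("/signup", "/health") or path.startswith("/api/auth/"):
        return False
    return path.startswith("/api/")


def build_request(path, method="GET", body=None, api_key=None, env=None):
    """Build a urllib Request for an Arcwall route without sending it.

    The key is read from the environment (or passed explicitly) so it never
    lives in source, which is exactly what the Scan for Secrets command
    would otherwise flag."""
    env = os.environ if env is None else env
    headers = {"Accept": "application/json"}
    if requires_api_key(path):
        key = api_key or env.get(API_KEY_ENV)
        if not key:
            raise RuntimeError(f"{API_KEY_ENV} is not set; put the key in the environment, not in source")
        headers["x-api-key"] = key
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(urljoin(BASE_URL, path), data=data, headers=headers, method=method)


def send(req, timeout=30):
    """Send a built request and return (status, response text). Performs network I/O."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Public route: no key needed, so this works before signing up.
    print(send(build_request("/health")))
    # Authenticated route: needs ARCWALL_API_KEY in the environment.
    print(send(build_request("/api/me")))
```

The same build_request call works for the POST endpoints listed above once you supply the body the endpoint expects; keeping the key lookup in one place means a rotated key (POST /api/rotate-key) only has to be updated in the environment, never in code.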