depmedic for VS Code & Cursor

Inline lint for .github/workflows/*.yml. 14 cost, security, and hygiene rules from ci-doctor surfaced as native Diagnostics. Squiggle, hover, jump-to-rule, optional autofix.

  • Install from VS Code Marketplace
  • Install from Open VSX (Cursor)
  • Direct .vsix download (v0.2.0)

  • Free: lint, diagnostics, docs links
  • Pro: per-rule autofix + Cursor Rules Pack, $5/mo

What you see in your editor

Open any workflow file in VS Code or Cursor. On save:

  1. Each rule violation gets a red/yellow squiggle exactly where the problem starts.
  2. Hover for the message, severity, and rule id.
  3. Click the rule id to jump to rules.html.
  4. Lightbulb -> "open docs" (free) or "autofix" (Pro) for safe rules.
actions/checkout@v4   ~~~~~  warn  action-no-pin
                                       Pin actions to a commit SHA, not a moving tag.
                                       https://depmedicdev-byte.github.io/rules.html#action-no-pin

run: echo "${{ github.event.head_commit.message }}" ~~~~~~~~~~~~~~~  error  script-injection
                                                                            github.event.* interpolated into a run: block.
                                                                            https://depmedicdev-byte.github.io/rules.html#script-injection

The 14 rules (same engine as ci-doctor + the ci-doctor.com badge + bot)

Cost & speed

  • missing-timeout - jobs without a timeout.
  • missing-cache - npm ci / pip install without cache.
  • missing-concurrency - duplicate runs from rapid pushes.
  • expensive-runner - large runners on jobs that run no platform-only commands (nothing that actually needs them).
  • matrix-overcommit - matrix that fans out beyond a sane bound.
  • e2e-on-every-push - e2e jobs without path filter or label gate.

Security & hygiene

  • action-no-pin - actions on a moving tag instead of a SHA.
  • script-injection - github.event.* in run:.
  • token-permissions - missing permissions: block.
  • cache-key-fragile - cache keys without lockfile hashes.
  • missing-fetch-depth - shallow clone (the default fetch-depth: 1) breaks steps that need history, e.g. blame / signing.
  • artifact-no-expiration - uploads without retention-days, falling back to the 90-day default retention.
  • setup-no-pin - setup-node@v4 without node-version lock.
  • workflow-dispatch-only - workflows that never run automatically.

Pro tier (optional)

Feature                                          | Free                | Pro - $5/mo
Inline diagnostics for all 14 rules              | yes                 | yes
Hover + jump to rule docs                        | yes                 | yes
Per-rule autofix code action (5 safe rules)      | locked              | yes
depmedic: Apply safe autofixes command           | locked              | yes
Cursor Rules Pack v2 (12 rule files for Cursor)  | buy separately ($9) | included
License works in VS Code AND Cursor              | n/a                 | yes
Pairs with depmedic Pro CLI tier (CLI autofixes) | n/a                 | same key

  • Get Pro - $5/mo
  • Yearly - $50/yr

FAQ

Does it work in Cursor?

Yes. Cursor uses Open VSX as its extension marketplace. Install "depmedic" from the Extensions panel - the same .vsix is published to both VS Code Marketplace and Open VSX.

Will it slow my editor down?

No. The lint engine is ~5ms per workflow file at typical sizes. Diagnostics update on save by default (configurable to onChange or manual via depmedic.run).

What if I already have actionlint or super-linter?

They are complementary. depmedic focuses on cost and security gotchas (timeout, cache, runner choice, action pinning, script injection); actionlint catches syntax + expression bugs; super-linter runs a thousand things across many languages. Use all three if you like - they don't overlap much.

Where do my license keys come from?

Polar - same checkout as depmedic Pro $5/mo. The key is emailed to you immediately after checkout. Paste it into VS Code Settings -> depmedic.proLicenseKey.