Windsurf
Install the Vulnetix security plugin for Windsurf.
Quick Install
npx skills add Vulnetix/pix-ai-coding-assistant
This installs the Vulnetix security skills into your project’s .windsurf/skills directory.
Prerequisites
Before running the install command:
- Node.js — Required to run
npx. Install from nodejs.org if not already available. - Vulnetix CLI — Install and authenticate following the prerequisites guide.
- jq — Required by plugin hooks for JSON processing. See prerequisites for install instructions.
What Gets Installed
The plugin registers the following into .windsurf/skills:
| Component | Count | Details |
|---|---|---|
| Hooks | 5 | Pre-commit scan, manifest edit gate, post-install scan, stop reminder, vuln context inject |
| Skills | 6 | package-search, exploits, fix, vuln, exploits-search, remediation |
| Commands | 4 | vdb-vuln, vdb-vulns, vdb-exploits-search, vdb-remediation |
| Agents | 1 | bulk-triage — parallel vulnerability triage and prioritization |
Native Hooks
Windsurf supports hooks natively via project-level .windsurf/hooks.json. The plugin ships hooks.windsurf.json pre-configured for Windsurf’s hook system. After install, hooks are registered automatically — no manual configuration needed.
The following events are wired up:
| Hook | Event | Action |
|---|---|---|
| Pre-Commit Scan | pre_run_command | Scan before git commit |
| Manifest Edit Gate | pre_write_code | Gate manifest edits |
| Post-Install Scan | post_run_command | SBOM after npm/pip/go install |
| Stop Reminder | post_cascade_response | Remind about unresolved vulns |
| Context Inject | pre_user_prompt | Inject vuln context |
Windsurf has no session start event, so the session summary hook is not wired.
See Hooks documentation for details on each hook.
Verify Installation
Run the dashboard skill to confirm everything is working:
/vulnetix:dashboard
You should see a vulnerability summary table for your project’s dependencies. If you get an authentication error, re-run vulnetix auth login.
Upgrade
Re-run the install command to pull the latest version:
npx skills add Vulnetix/pix-ai-coding-assistant
This overwrites existing files with the latest version. Your .vulnetix/memory.yaml and cached data are not affected.
Uninstall
Remove the plugin skills:
rm -rf .windsurf/skills
To also remove cached vulnerability data and memory:
rm -rf .vulnetix/