feat(secrets): add Snyk Secrets product type [IDE-1126][IDE-1749] (#788)

* chore: add skills and rules

* feat(ui): add JCEF-based HTML tree view behind registry flag [IDE-1750]

Implement Phase 7 of the HTML tree view integration. When the
IntelliJ Registry flag `snyk.useHtmlTreeView` is enabled, the native
Swing tree + severity toolbar in SnykToolWindowPanel is replaced with
a JCEF-based HtmlTreePanel that renders server-driven HTML from the
`$/snyk.treeView` LSP notification.

Changes:
- Add `snyk.useHtmlTreeView` registry key in plugin.xml
- Add `isHtmlTreeViewEnabled()` helper in Utils.kt
- Add `SnykTreeViewParams` data class and `SnykTreeViewListener` topic
- Add `@JsonNotification("$/snyk.treeView")` handler in SnykLanguageClient
- Add `executeCommandWithArgs()` public method on LanguageServerWrapper
- Add `TreeViewBridgeHandler` with unified `__ideExecuteCommand__` JS bridge
- Add `HtmlTreePanel` JCEF panel subscribing to tree view notifications
- Conditionally swap TreePanel/HtmlTreePanel in SnykToolWindowPanel
- Hide native ViewActions and expand/collapse toolbar when flag is ON
- Add unit tests for bridge dispatch logic and LSP notification handler

* chore: update .gitignore

* chore: update build

* chore: update hooks to use spotlessApply

* chore: update skill

* fix: introduce init HTML

* chore: adjust coverage rules

* test: add coverage for HtmlTreePanel, executeCommandWithArgs, TreeViewBridgeHandler [IDE-1750]

- Add HtmlTreePanelTest: init, dispose, JCEF null path, notification
  handling, resource file validation, placeholder replacement
- Add executeCommandWithArgs tests to LanguageServerWrapperTest:
  not-initialized guard, successful execution, argument passing, null result
- Extend TreeViewBridgeHandlerTest: concurrent dispatch, LS exception
  handling, null callbackExecutor, default values, missing fields

* chore: update skills

* chore: update required protocol version to 23

* fix: invoke JS callback on null LS result to prevent callback leak [IDE-1750]

- Remove result != null guard in dispatchCommand so callbacks fire even
  when LanguageServerWrapper.executeCommandWithArgs returns null (e.g.
  navigateToRange side-effect commands). Prevents leaked entries in
  window.__ideCallbacks__ and stalled UI state.
- Change snyk.useHtmlTreeView registry key to restartRequired=true since
  the panel swap only happens at SnykToolWindowPanel init time.
- Update test to assert callback IS invoked with null result (TDD).

* chore: update verification skill

* fix: address PR review findings for HTML tree view [IDE-1750]

- Fix JCEF browser memory leak: store browser as field, dispose in dispose()
- Replace SimpleToolWindowPanel with JPanel (fixes UiDataProvider warning)
- Add command allowlist to TreeViewBridgeHandler (security hardening)
- Add callbackId validation regex to prevent JS injection
- Skip native tree refresh when HTML tree view is enabled (performance)
- Replace Thread.sleep with Awaitility in tests
- Add tests for buildBridgeScript, ALLOWED_COMMANDS, and all new guards

* fix: fall back to native TreePanel when JCEF is unsupported [IDE-1750]

Add JBCefApp.isSupported() check before creating HtmlTreePanel to prevent
blank panel on systems without JCEF support. Falls back to native Swing
TreePanel gracefully.

* fix: implement showDocument for file URIs to enable tree view navigation [IDE-1750]

The LS snyk.navigateToRange command calls window/showDocument with a file
URI back to the client. The previous implementation fell through to
super.showDocument() which threw UnsupportedOperationException.

Now handles file URIs by resolving the VirtualFile and navigating to the
selection range. Unsupported schemes return ShowDocumentResult(false)
gracefully instead of throwing.

* fix: correct command allowlist — replace snyk.getTreeView with snyk.setNodeExpanded [IDE-1750]

The JS tree view uses snyk.setNodeExpanded for expand/collapse state
persistence but it was missing from the allowlist. snyk.getTreeView was
listed but never used by the JS.

* fix: display issue details in HTML tree view + deduplicate tree HTML [IDE-1750]

- onShowIssueDetail: bypass native tree search when HTML tree enabled,
  directly create SuggestionDescriptionPanel from cached ScanIssue
- HtmlTreePanel: skip loadHTML when raw HTML hash unchanged to prevent
  tree collapse on redundant LS re-emissions

* fix: broaden showDocument to all products + add debug logging [IDE-1750]

- showDocument: match any snyk:// URI with showInDetailPanel action,
  not just Snyk Code. Map product string to correct ProductType.
- onShowIssueDetail: bypass native tree for HTML tree mode, directly
  create SuggestionDescriptionPanel from cached ScanIssue.
- Add diagnostic logging to trace showDocument and cache lookup flow.

* feat: add tree view CSS variable mappings to ThemeBasedStylingGenerator [IDE-1750]

Add 7 missing --vscode-* CSS variable mappings needed by the HTML tree
view styles.css: tree-indentGuidesStroke, sideBar-background,
badge-background/foreground, list-activeSelectionBackground/Foreground,
list-hoverBackground.

* feat: select HTML tree node when gutter icon clicked [IDE-1750]

- Add HtmlTreePanel.selectNode() to execute __selectTreeNode__ JS bridge
- Store HtmlTreePanel reference in SnykToolWindowPanel
- Wire selectNodeAndDisplayDescription to also select in HTML tree
- Expands ancestor nodes and scrolls issue into view

* feat: select HTML tree node on showDocument snyk:// URI [IDE-1750]

Wire onShowIssueDetail to also call htmlTreePanel.selectNode when
processing snyk:// showDocument requests, so the tree highlights the
corresponding issue node.

* feat: reset HTML tree on clean all results action [IDE-1750]

- Add HtmlTreePanel.reset() to reload initial empty HTML
- Call reset() from doCleanUi so 'Clean all results' clears the HTML tree

* feat: replace spinner init HTML with proper product nodes tree [IDE-1750]

TreeViewInit.html now renders the same structure as the LS tree:
- Filter toolbar with severity SVG buttons (all active)
- Expand/collapse all buttons
- 3 product nodes (Open Source, Code Security, Infrastructure As Code)
  with their inline SVG icons, matching the LS tree.html template
- Uses the same CSS classes for theme integration via var(--vscode-*)

* fix: update description panel directly when HTML tree active [IDE-1750]

When isHtmlTreeViewEnabled(), selectNodeAndDisplayDescription now
directly loads SuggestionDescriptionPanel instead of relying on
native JTree node lookup (which may not have nodes populated).
Fixes gutter icon click sometimes not updating the description panel.

* refactor: extract selectNodeInHtmlTreeAndShowDescription + fix unsafe offset [IDE-1750]

- Extract duplicated HTML tree description panel update logic into
  private selectNodeInHtmlTreeAndShowDescription method, called from
  both onShowIssueDetail and selectNodeAndDisplayDescription.
- Fix unsafe offset calculation in showDocument file URI handler by
  clamping startOffset/endOffset to document.textLength, preventing
  IndexOutOfBoundsException when character exceeds line length.

* test: add coverage for HtmlTreePanel reset, selectNode, and dedup [IDE-1750]

Add tests for:
- reset() reloads init HTML into browser
- reset() skipped after dispose
- reset() no-op when JCEF is null
- selectNode() no-op when JCEF is null
- duplicate HTML content is skipped (hash check)

HtmlTreePanel coverage: 71.2% -> 86.4%

* chore: bump required LS protocol version to 24 [IDE-1750]

* feat(treeview): add missing commands to TreeViewBridgeHandler allowlist [IDE-1750]

Add snyk.showScanErrorDetails and snyk.updateFolderConfig to the
JCEF bridge allowlist so tree.js can invoke them via
__ideExecuteCommand__.

* test(treeview): update allowlist tests for new commands [IDE-1750]

Add snyk.showScanErrorDetails and snyk.updateFolderConfig to the
expected commands in TreeViewBridgeHandlerTest.

* fix: address PR review findings in SnykToolWindowPanel, SnykLanguageClient, Types [IDE-1750]

- Add missing lateinit to scanListenerLS property declaration
- Extract Document.getSafeOffset() to Utils.kt as shared utility
- Use getSafeOffset in showDocument file navigation to prevent
  IndexOutOfBoundsException from out-of-range character offsets
- Replace private getSafeOffset copy in Types.kt with shared utility
- Remove duplicated isHtmlTreeViewEnabled() check in onShowIssueDetail
  listener, delegate to selectNodeAndDisplayDescription which handles it

* fix: dispose JCEF browsers in SuggestionDescriptionPanel and fix JS callback leak

- Make SuggestionDescriptionPanel implement Disposable to properly clean up
  JCEF browser processes when panels are replaced
- Add clearDescriptionPanel() helper that disposes old Disposable children
  before removeAll(), preventing cumulative native process/memory leaks
- Send error callback to JS when commands are rejected (not in allowlist)
  or when execution throws, preventing __ideCallbacks__ memory leaks
- Add tests for Disposable behavior and error callback invocation

* fix: validate callbackId before allowlist check and downgrade log levels

- Move SAFE_CALLBACK_ID validation before allowlist rejection to prevent
  unsafe callbackIds from reaching callbackExecutor (JS injection risk)
- Downgrade verbose logger.info to debug in onShowIssueDetail handler

* fix: address PR review bot findings and downgrade verbose logging

- Fix JCEF fallback: check htmlTreePanel != null instead of registry flag
  in scheduleDebouncedTreeRefresh so native tree refreshes when JCEF is
  unsupported even if HTML tree flag is enabled
- Fix async race: add isDisposed flag to SuggestionDescriptionPanel to
  prevent orphaned JCEF browsers when panel is disposed during LS call
- Fix hash collision: use string equality instead of hashCode() for HTML
  deduplication in HtmlTreePanel
- Downgrade routine logger.info to debug in SnykLanguageClient (scan
  completed, force-saved settings, logTrace, MessageType.Log, showDocument)

* fix: show native toolbar actions when JCEF is unsupported

Guard toolbar action hiding in SnykToolWindow with JBCefApp.isSupported()
check so native ViewActions and expand/collapse actions remain visible
when JCEF is unavailable even if the HTML tree registry flag is enabled.
This matches the fallback logic in SnykToolWindowPanel.

* fix: adjust log levels per PR review comments

- L468: info→debug for missing issueID (routine condition)
- L500: warn→error for unsupported URI scheme (error condition)

* fix: optimize onShowIssueDetail performance and dispose panel on destroy

- Guard debug log evaluation with isDebugEnabled to avoid expensive
  flatten/map operations when debug logging is disabled
- Use firstNotNullOfOrNull instead of flatten().firstOrNull() to avoid
  creating intermediate lists for issue lookup
- Use sequence + sumOf for debug stats to reduce allocations
- Call clearDescriptionPanel() in dispose() to ensure last active
  SuggestionDescriptionPanel JCEF browser is released on shutdown

* fix: delegate http/https URIs to browser and cap getSafeOffset at line end

- showDocument now opens http/https URIs via BrowserUtil.browse() instead
  of returning false, enabling LS-triggered 'Open in Browser' actions
- getSafeOffset caps offset at line end (getLineEndOffset) instead of
  document end (textLength) to prevent bleeding into next line when
  character index exceeds actual line length
- Add test for https browser delegation, update existing tests

* fix: delegate unsupported URI schemes to super.showDocument

Instead of returning false for unknown schemes, delegate to the
LSP4j default handler via super.showDocument(param) to preserve
platform-level behavior.

* fix: update show document handler

* feat(secrets): add Snyk Secrets product type with annotations, caching, and tests

- Add SECRETS to ProductType enum with tree name and description
- Add Secrets to LsProduct enum with short/long name mappings
- Create SnykSecretsAnnotator extending SnykAnnotator for editor annotations
- Add secrets icons (secrets.svg, secrets_disabled.svg)
- Add currentSecretsResultsLS and currentSecretsError to SnykCachedResults
- Handle LsProduct.Secrets in SnykLanguageClient diagnostics pipeline
- Add SECRETS branches to getSnykCachedResultsForProduct, CodeActionIntention
- Fix ScanIssue.title() to handle SECRETS type (was TODO() crash)
- Fix CodeActionIntention.getIcon() for SECRETS (was TODO() crash)
- Fix scanningStarted to clear currentSecretsError on new scan
- Move annotation refresh debouncing from SnykToolWindowPanel to SnykCachedResults
- Rename IAC treeName from Configuration to Snyk Infrastructure as Code
- Add isSnykSecretsRunning utility function
- Add secretsScanEnabled setting to SnykApplicationSettingsStateService
- Add scanningSecretsFinished to SnykScanListener
- Add tests for ScanIssue SECRETS methods (title, issueNaming, priority, etc.)
- Add tests for SnykCachedResults secrets cache and LsProduct mapping

* chore: update secrets icons

* fix(secrets): add secretsEnabled settings check in SnykSecretsAnnotator

Suppress secrets annotations when the user disables the product in
settings, consistent with SnykOSSAnnotator and SnykIaCAnnotator.

* fix(lsp): prevent NPE on null baseBranch in FolderConfig.copy

perf(core): optimize memory consumption and execution time during high volume LSP message processing

- Lazily evaluate SnykFile.relativePath to reduce coroutine allocations

- Use O(1) map lookup for issue fetching in SnykAnnotator instead of O(N) iteration

- Lazily evaluate Document textRange and VirtualFile in ScanIssue to prevent massive memory allocations for large projects

* Revert "fix(lsp): prevent NPE on null baseBranch in FolderConfig.copy"

This reverts commit b01aded.

* fix: ignore action in integrity check notification

* test(jcef): replace MockK verify(timeout) with Awaitility for reliable async verification [IDE-1749]

MockK's verify(timeout=...) has a known race condition on Windows that causes
NoSuchElementException (List is empty) when the internal call list is polled
concurrently. Replaced both occurrences in TreeViewBridgeHandlerTest with
await().atMost(...).untilAsserted { verify {...} } which is thread-safe.

* fix(settings): use ParametersListUtil.parse for additionalParameters tokenization [IDE-1126]

Replace naive split(" ", lineSeparator) with ParametersListUtil.parse() which
correctly handles double-quoted arguments containing spaces, preventing them from
being split into multiple tokens.

Note: single-quoted arguments are not supported by ParametersListUtil; users
should use double quotes for arguments containing spaces.

Add table tests covering: simple flags, single-quoted (split, unsupported),
double-quoted (preserved), newline-separated, empty input, and the real-world
complex CLI invocation from the bug report.

* chore: remove smells

* feat: register secrets annotator

* fix: check file version for product int when clearing cache

* chore: cleanup warnings

* fix(cache): atomically drain pendingAnnotationRefreshFiles to prevent silent file loss [IDE-1749]

Replace non-atomic toList().also { clear() } with removeIf-based drain in
flushPendingAnnotationRefreshes. A file added between toList() and clear() was
silently dropped and would only be re-queued on the next diagnostic update.

With ConcurrentHashMap.newKeySet().removeIf, each element is removed and
collected atomically per-element. Any file added after the drain has passed its
bucket stays in the set and is processed on the next flush cycle — never lost.

Extract the drain into internal drainPendingAnnotationRefreshFiles() for
testability. Add table tests covering empty, single, multiple, and pre-drain
concurrent-add scenarios.

* chore: cleanup smells

* refactor(settings): remove dead code calls to isScanTypeChanged and isSeverityEnablementChanged [IDE-1749]

These calls had no effect after their return values were unassigned — the
methods have no side effects, so calling them without using the result
is pure dead code.

* chore: add isSecretsRunning to isScanRunning

Author: bastiandoetsch

src/main/kotlin/icons/SnykIcons.kt

@@ -20,6 +20,8 @@ object SnykIcons {
   val OPEN_SOURCE_SECURITY_DISABLED = getIcon("/icons/oss_disabled.svg", SnykIcons::class.java)
   val SNYK_CODE = getIcon("/icons/code.svg", SnykIcons::class.java)
   val SNYK_CODE_DISABLED = getIcon("/icons/code_disabled.svg", SnykIcons::class.java)
+  val SNYK_SECRETS = getIcon("/icons/secrets.svg", SnykIcons::class.java)
+  val SNYK_SECRETS_DISABLED = getIcon("/icons/secrets_disabled.svg", SnykIcons::class.java)
   val IAC = getIcon("/icons/iac.svg", SnykIcons::class.java)
   val IAC_DISABLED = getIcon("/icons/iac_disabled.svg", SnykIcons::class.java)
 

src/main/kotlin/io/snyk/plugin/Utils.kt

@@ -89,6 +89,7 @@ fun getSnykCachedResultsForProduct(
     ProductType.OSS -> getSnykCachedResults(project)?.currentOSSResultsLS
     ProductType.IAC -> getSnykCachedResults(project)?.currentIacResultsLS
     ProductType.CODE_SECURITY -> getSnykCachedResults(project)?.currentSnykCodeResultsLS
+    ProductType.SECRETS -> getSnykCachedResults(project)?.currentSecretsResultsLS
   }
 
 fun getAnalyticsScanListener(project: Project): AnalyticsScanListener? =
@@ -223,10 +224,15 @@ private fun isProductScanRunning(project: Project, productType: ProductType): Bo
 fun isSnykCodeRunning(project: Project): Boolean =
   isProductScanRunning(project, ProductType.CODE_SECURITY)
 
+fun isSecretsRunning(project: Project): Boolean = isProductScanRunning(project, ProductType.SECRETS)
+
 fun isIacRunning(project: Project): Boolean = isProductScanRunning(project, ProductType.IAC)
 
 fun isScanRunning(project: Project): Boolean =
-  isOssRunning(project) || isSnykCodeRunning(project) || isIacRunning(project)
+  isOssRunning(project) ||
+    isSnykCodeRunning(project) ||
+    isIacRunning(project) ||
+    isSecretsRunning(project)
 
 fun isCliDownloading(): Boolean = getSnykCliDownloaderService().isCliDownloading()
 

src/main/kotlin/io/snyk/plugin/events/SnykScanListener.kt

@@ -11,6 +11,7 @@ interface SnykScanListener {
     val SNYK_SCAN_TOPIC = Topic.create("Snyk scan LS", SnykScanListener::class.java)
   }
 
+  // these update the tree and should not be needed for the HTML tree anymore
   fun scanningStarted(snykScan: SnykScanParams) {}
 
   fun scanningSnykCodeFinished()
@@ -21,5 +22,6 @@ interface SnykScanListener {
 
   fun scanningError(snykScan: SnykScanParams)
 
+  // these are needed to update the local IDE issue cache for annotations and code vision
   fun onPublishDiagnostics(product: LsProduct, snykFile: SnykFile, issues: Set<ScanIssue>)
 }

src/main/kotlin/io/snyk/plugin/services/SnykApplicationSettingsStateService.kt

@@ -29,14 +29,17 @@ class SnykApplicationSettingsStateService :
 
   @Deprecated("left for old users migration only") var useTokenAuthentication = false
   var authenticationType = AuthenticationType.OAUTH2
+
+  // download settings
   var currentLSProtocolVersion: Int? = 0
-  var isGlobalIgnoresFeatureEnabled = false
   var cliBaseDownloadURL: String = "https://downloads.snyk.io"
   var cliPath: String = getDefaultCliPath()
   var cliReleaseChannel = "stable"
-  var issuesToDisplay: String = DISPLAY_ALL_ISSUES
   var manageBinariesAutomatically: Boolean = true
+
+  // testing flag
   var fileListenerEnabled: Boolean = true
+
   // TODO migrate to
   // https://plugins.jetbrains.com/docs/intellij/persisting-sensitive-data.html?from=jetbrains.org
   var token: String? = null
@@ -50,23 +53,30 @@ class SnykApplicationSettingsStateService :
   // can't be private -> serialization will not work
   @Deprecated("left for old users migration only") var cliScanEnable: Boolean = true
 
+  // products enablement store
   var ossScanEnable: Boolean = true
   var snykCodeSecurityIssuesScanEnable: Boolean = true
   var iacScanEnabled: Boolean = true
+  var secretsEnabled: Boolean = false
+
+  // feature flag / server-side enablement
   var sastOnServerEnabled: Boolean? = null
   var sastSettingsError: Boolean? = null
+
+  // filters enablement store
+  var issuesToDisplay: String = DISPLAY_ALL_ISSUES // delta
   var lowSeverityEnabled = true
   var mediumSeverityEnabled = true
   var highSeverityEnabled = true
   var criticalSeverityEnabled = true
+  var riskScoreThreshold: Int? = null
+  var treeFiltering = TreeFiltering()
 
+  // ignore display option store
+  var isGlobalIgnoresFeatureEnabled = false
   var openIssuesEnabled = true
   var ignoredIssuesEnabled = false
 
-  var riskScoreThreshold: Int? = null
-
-  var treeFiltering = TreeFiltering()
-
   var lastCheckDate: Date? = null
   var pluginFirstRun = true
 

src/main/kotlin/io/snyk/plugin/services/download/SnykCliDownloaderService.kt

@@ -1,7 +1,6 @@
 package io.snyk.plugin.services.download
 
-import com.intellij.openapi.actionSystem.AnAction
-import com.intellij.openapi.actionSystem.AnActionEvent
+import com.intellij.notification.NotificationAction
 import com.intellij.openapi.components.Service
 import com.intellij.openapi.diagnostic.logger
 import com.intellij.openapi.progress.ProgressIndicator
@@ -54,6 +53,7 @@ class SnykCliDownloaderService {
   }
 
   fun downloadLatestRelease(indicator: ProgressIndicator, project: Project) {
+    if (!pluginSettings().manageBinariesAutomatically) return
     currentProgressIndicator = indicator
     logger.debug("CLI download starting")
     publishAsyncApp(SnykCliDownloadListener.CLI_DOWNLOAD_TOPIC) { cliDownloadStarted() }
@@ -124,6 +124,7 @@ class SnykCliDownloaderService {
    * @param force - force the download
    */
   fun cliSilentAutoUpdate(indicator: ProgressIndicator, project: Project, force: Boolean = false) {
+    if (!pluginSettings().manageBinariesAutomatically) return
     if (force || isFourDaysPassedSinceLastCheck() || !matchesRequiredLsProtocolVersion()) {
       val latestReleaseInfo = requestLatestReleasesInformation()
 
@@ -207,23 +208,19 @@ class SnykCliDownloaderService {
 
   private fun showCliIntegrityWarning(project: Project) {
     val redownloadAction =
-      object : AnAction("Redownload CLI") {
-        override fun actionPerformed(e: AnActionEvent) {
-          getSnykTaskQueueService(project)?.downloadLatestRelease(force = true)
-        }
+      NotificationAction.createSimpleExpiring("Redownload CLI") {
+        getSnykTaskQueueService(project)?.downloadLatestRelease(force = true)
       }
 
     val ignoreAction =
-      object : AnAction("Ignore") {
-        override fun actionPerformed(e: AnActionEvent) {
-          // Update stored checksum to current file to stop warning
-          val cliFile = getCliFile()
-          if (cliFile.exists()) {
-            try {
-              pluginSettings().cliSha256 = downloader.calculateSha256(cliFile.readBytes())
-            } catch (_: Exception) {
-              // Ignore
-            }
+      NotificationAction.createSimpleExpiring("Ignore") {
+        // Update stored checksum to current file to stop warning
+        val cliFile = getCliFile()
+        if (cliFile.exists()) {
+          try {
+            pluginSettings().cliSha256 = downloader.calculateSha256(cliFile.readBytes())
+          } catch (_: Exception) {
+            // Ignore
           }
         }
       }

src/main/kotlin/io/snyk/plugin/settings/SnykProjectSettingsConfigurable.kt

@@ -8,6 +8,7 @@ import com.intellij.openapi.components.service
 import com.intellij.openapi.options.SearchableConfigurable
 import com.intellij.openapi.progress.runBackgroundableTask
 import com.intellij.openapi.project.Project
+import com.intellij.util.execution.ParametersListUtil
 import io.snyk.plugin.events.SnykProductsOrSeverityListener
 import io.snyk.plugin.events.SnykResultsFilteringListener
 import io.snyk.plugin.events.SnykSettingsListener
@@ -111,8 +112,6 @@ class SnykProjectSettingsConfigurable(val project: Project) : SearchableConfigur
     }
 
     val rescanNeeded = isCoreParamsModified()
-    val productSelectionChanged = snykSettingsDialog.isScanTypeChanged()
-    val severitySelectionChanged = snykSettingsDialog.isSeverityEnablementChanged()
 
     if (isCustomEndpointModified()) {
       settingsStateService.customEndpointUrl = customEndpoint
@@ -235,7 +234,7 @@ fun applyFolderConfigChanges(
 
   val updatedConfig =
     existingConfig.copy(
-      additionalParameters = additionalParameters.split(" ", System.lineSeparator()),
+      additionalParameters = ParametersListUtil.parse(additionalParameters),
       // Clear the preferredOrg field if the auto org selection is enabled.
       preferredOrg = if (autoSelectOrgEnabled) "" else preferredOrgText.trim(),
       orgSetByUser = !autoSelectOrgEnabled,
@@ -272,7 +271,7 @@ fun handleReleaseChannelChange(project: Project) {
   if (!pluginSettings().manageBinariesAutomatically) return
 
   ApplicationManager.getApplication().invokeLater {
-    @Suppress("CanBeVal") var notification: Notification? = null
+    var notification: Notification? = null
     val downloadAction =
       object : AnAction("Download") {
         override fun actionPerformed(e: AnActionEvent) {
@@ -287,7 +286,6 @@ fun handleReleaseChannelChange(project: Project) {
           notification?.expire()
         }
       }
-    @Suppress("AssignedValueIsNeverRead")
     notification =
       SnykBalloonNotificationHelper.showInfo(
         "You changed the release channel. Would you like to download a new Snyk CLI now?",

src/main/kotlin/io/snyk/plugin/ui/toolwindow/SnykToolWindowPanel.kt

@@ -1,7 +1,5 @@
 package io.snyk.plugin.ui.toolwindow
 
-import com.intellij.codeInsight.codeVision.CodeVisionHost
-import com.intellij.codeInsight.daemon.DaemonCodeAnalyzer
 import com.intellij.openapi.Disposable
 import com.intellij.openapi.application.ApplicationManager
 import com.intellij.openapi.application.invokeLater
@@ -12,9 +10,7 @@ import com.intellij.openapi.project.Project
 import com.intellij.openapi.ui.SimpleToolWindowPanel
 import com.intellij.openapi.util.Disposer
 import com.intellij.openapi.util.io.toNioPathOrNull
-import com.intellij.openapi.vfs.VirtualFile
 import com.intellij.openapi.wm.ex.ToolWindowManagerListener
-import com.intellij.psi.PsiManager
 import com.intellij.ui.OnePixelSplitter
 import com.intellij.ui.TreeSpeedSearch
 import com.intellij.ui.TreeUIHelper
@@ -128,11 +124,6 @@ class SnykToolWindowPanel(val project: Project) : JPanel(), Disposable {
   private val pendingReloadNodes: MutableSet<DefaultMutableTreeNode> =
     java.util.concurrent.ConcurrentHashMap.newKeySet()
 
-  // Debouncing for annotation refresh - coalesces per-file diagnostic updates
-  private val annotationRefreshAlarm = Alarm(Alarm.ThreadToUse.POOLED_THREAD, this)
-  private val pendingAnnotationRefreshFiles: MutableSet<VirtualFile> =
-    java.util.concurrent.ConcurrentHashMap.newKeySet()
-
   // Debouncing for tree refresh - coalesces rapid diagnostic updates per product
   private val treeRefreshAlarm = Alarm(Alarm.ThreadToUse.SWING_THREAD, this)
   private val pendingTreeRefreshProducts: MutableSet<LsProduct> =
@@ -148,15 +139,9 @@ class SnykToolWindowPanel(val project: Project) : JPanel(), Disposable {
     // Debounce delay in milliseconds - coalesces rapid scan updates
     private const val RELOAD_DEBOUNCE_MS = 100
 
-    // Debounce delay for annotation refresh - allows collecting multiple files
-    private const val ANNOTATION_REFRESH_DEBOUNCE_MS = 150
-
     // Debounce delay for tree refresh - allows diagnostics to accumulate before refreshing tree
     private const val TREE_REFRESH_DEBOUNCE_MS = 200
 
-    // Max files to refresh individually before falling back to global refresh
-    private const val MAX_INDIVIDUAL_ANNOTATION_REFRESH = 20
-
     val OSS_ROOT_TEXT = " " + ProductType.OSS.treeName
     val CODE_SECURITY_ROOT_TEXT = " " + ProductType.CODE_SECURITY.treeName
     val IAC_ROOT_TEXT = " " + ProductType.IAC.treeName
@@ -236,16 +221,6 @@ class SnykToolWindowPanel(val project: Project) : JPanel(), Disposable {
             snykFile: SnykFile,
             issues: Set<ScanIssue>,
           ) {
-            getSnykCachedResults(project)?.let {
-              when (product) {
-                LsProduct.Code -> it.currentSnykCodeResultsLS[snykFile] = issues
-                LsProduct.OpenSource -> it.currentOSSResultsLS[snykFile] = issues
-                LsProduct.InfrastructureAsCode -> it.currentIacResultsLS[snykFile] = issues
-                LsProduct.Unknown -> Unit
-              }
-            }
-            // Schedule debounced annotation refresh - coalesces rapid per-file updates
-            scheduleAnnotationRefresh(snykFile.virtualFile)
             // Schedule debounced tree refresh - coalesces rapid diagnostic updates per product
             scheduleDebouncedTreeRefresh(product)
           }
@@ -509,66 +484,14 @@ class SnykToolWindowPanel(val project: Project) : JPanel(), Disposable {
     }
   }
 
-  /**
-   * Schedules a debounced annotation refresh for the given file. Collects files over a short window
-   * and then refreshes them in batch.
-   */
-  private fun scheduleAnnotationRefresh(virtualFile: VirtualFile) {
-    pendingAnnotationRefreshFiles.add(virtualFile)
-    annotationRefreshAlarm.cancelAllRequests()
-    annotationRefreshAlarm.addRequest(
-      { flushPendingAnnotationRefreshes() },
-      ANNOTATION_REFRESH_DEBOUNCE_MS,
-    )
-  }
-
-  /** Flushes all pending annotation refreshes, either individually or as a global refresh. */
-  private fun flushPendingAnnotationRefreshes() {
-    if (isDisposed || project.isDisposed) return
-
-    val filesToRefresh =
-      pendingAnnotationRefreshFiles.toList().also { pendingAnnotationRefreshFiles.clear() }
-
-    if (filesToRefresh.isEmpty()) return
-
-    // Invalidate code vision for all affected files
-    invokeLater {
-      if (!project.isDisposed) {
-        project
-          .service<CodeVisionHost>()
-          .invalidateProvider(CodeVisionHost.LensInvalidateSignal(null))
-      }
-    }
-
-    // Batch all refreshes into a single invokeLater to avoid EDT queue flooding
-    invokeLater {
-      if (isDisposed || project.isDisposed) return@invokeLater
-      val analyzer = DaemonCodeAnalyzer.getInstance(project)
-
-      if (filesToRefresh.size > MAX_INDIVIDUAL_ANNOTATION_REFRESH) {
-        // Too many files - do a global refresh
-        analyzer.restart()
-      } else {
-        // Refresh each file individually within same EDT task
-        filesToRefresh.forEach { file ->
-          if (file.isValid) {
-            PsiManager.getInstance(project).findFile(file)?.let { psiFile ->
-              analyzer.restart(psiFile)
-            }
-          }
-        }
-      }
-    }
-  }
-
   /**
    * Schedules a debounced tree refresh for the given product. Collects products over a short window
    * and then refreshes them in batch. This ensures the tree stays in sync when diagnostics arrive
    * after scan completion.
    */
   private fun scheduleDebouncedTreeRefresh(product: LsProduct) {
     if (product == LsProduct.Unknown) return
-    if (htmlTreePanel != null) return
+    if (htmlTreePanel != null) return // this also covers secrets
     pendingTreeRefreshProducts.add(product)
     treeRefreshAlarm.cancelAllRequests()
     treeRefreshAlarm.addRequest({ flushPendingTreeRefreshes() }, TREE_REFRESH_DEBOUNCE_MS)
@@ -615,6 +538,7 @@ class SnykToolWindowPanel(val project: Project) : JPanel(), Disposable {
               scanListenerLS.displayIacResults(results)
             }
           }
+          LsProduct.Secrets -> Unit // we use the HTML tree for secrets
           LsProduct.Unknown -> Unit
         }
       }

src/main/kotlin/io/snyk/plugin/ui/toolwindow/SnykToolWindowSnykScanListener.kt

@@ -91,6 +91,11 @@ class SnykToolWindowSnykScanListener(
           cache?.currentIacError = null
           removeChildrenAndRefresh(rootIacIssuesTreeNode)
         }
+        LsProduct.Secrets -> {
+          cache?.currentSecretsResultsLS?.clear()
+          cache?.currentSecretsError = null
+          // no need to refresh the tree for secrets as they are not displayed in the tool window
+        }
         LsProduct.Unknown -> Unit
       }
       this.snykToolWindowPanel.updateTreeRootNodesPresentation()
@@ -110,7 +115,6 @@ class SnykToolWindowSnykScanListener(
       displaySnykCodeResults(results)
       this.snykToolWindowPanel.triggerSelectionListeners = true
     }
-    refreshAnnotationsForOpenFiles(project)
   }
 
   override fun scanningOssFinished() {
@@ -125,7 +129,6 @@ class SnykToolWindowSnykScanListener(
       displayOssResults(results)
       this.snykToolWindowPanel.triggerSelectionListeners = true
     }
-    refreshAnnotationsForOpenFiles(project)
   }
 
   override fun scanningIacFinished() {
@@ -140,7 +143,6 @@ class SnykToolWindowSnykScanListener(
       displayIacResults(results)
       this.snykToolWindowPanel.triggerSelectionListeners = true
     }
-    refreshAnnotationsForOpenFiles(project)
   }
 
   override fun scanningError(snykScan: SnykScanParams) {
@@ -156,6 +158,9 @@ class SnykToolWindowSnykScanListener(
         LsProduct.InfrastructureAsCode -> {
           removeChildrenAndRefresh(rootIacIssuesTreeNode)
         }
+        // secrets are not displayed in the tool window right now, as we want to switch to HTML Tree
+        // View
+        LsProduct.Secrets -> Unit
         LsProduct.Unknown -> Unit
       }
       snykToolWindowPanel.updateTreeRootNodesPresentation()
@@ -172,7 +177,7 @@ class SnykToolWindowSnykScanListener(
     product: LsProduct,
     snykFile: SnykFile,
     issues: Set<ScanIssue>,
-  ) {}
+  ) = Unit
 
   fun displaySnykCodeResults(snykResults: Map<SnykFile, Set<ScanIssue>>) {
     if (disposed) return