Visual Studio Code takes security seriously and wants to help you browse and edit code safely, regardless of its source or original authors. The Workspace Trust feature lets you decide whether code in your project folder can be executed by VS Code and extensions without your explicit consent.
note: When in doubt, leave a folder in Restricted Mode. You can always enable trust later.
Secure Code Browsing
It's great that so much source code is available on public repositories and file shares. No matter the coding task or problem, there's probably already a good solution out there somewhere. It's also great that there are so many powerful coding tools to help you understand, debug, and optimize your code. However, using open-source code and tools carries risks, and you can expose yourself to malicious code and exploits being executed.
Workspace Trust provides an extra layer of security when working with unfamiliar code by preventing code from running automatically in your workspace when the workspace is open in "restricted mode".
note: The terms "workspace" and "folder" are used a lot in the VS Code UI and documentation. You can think of a "workspace" as a folder with additional metadata created and used by VS Code.
Restricted mode
When prompted by the Workspace Trust dialog, if you select No, I don't trust the authors, VS Code enters Restricted Mode to prevent code execution. The workbench displays a banner at the top with links to Manage your folder through the Workspace Trust Editor and to Learn more about Workspace Trust (which brings you back to this documentation).
You will also see a restricted mode badge in the status bar.
Restricted mode attempts to prevent automatic code execution by disabling or restricting the operation of several VS Code features: tasks, debugging, workspace settings, and extensions.
To view the full list of features disabled in Restricted Mode, you can open the Workspace Trust Editor via the Manage link in the banner or by clicking the Restricted Mode badge in the status bar.
note: Workspace Trust cannot prevent a malicious extension from executing code and ignoring Restricted Mode. You should only install and run extensions from a well-known publisher that you trust.
Tasks
Tasks run scripts and tool binaries, and because task definitions live in the workspace's .vscode folder, they are part of the committed source code for a repository and are shared with every user of that repository. If someone were to create a malicious task, it could be run unnoticed by anyone who cloned that repository.
When you try to run or even enumerate tasks (Terminal > Run Task...) in Restricted Mode, VS Code displays a prompt to trust the folder and continue running the task. Canceling the dialog keeps VS Code in Restricted Mode.
Debugging
Similar to running a VS Code task, debugging extensions can run debugger binaries when starting a debugging session. For this reason, debugging is also disabled when a folder is open in Restricted Mode.
If you try to start a debug session (Run > Start Debugging) in Restricted Mode, VS Code displays a prompt to trust the folder and continue launching the debugger. Canceling the dialog leaves VS Code in Restricted Mode and does not start the debugging session.
Workspace Settings
Workspace settings are stored in the .vscode folder at the root of your workspace and are therefore shared by anyone who clones the workspace repository. Some settings contain paths to executables (for example, linter binaries) that could cause harm if they point to malicious code. Because of this, a number of workspace settings are disabled when running in Restricted Mode.
In the Workspace Trust Editor there is a link to view the workspace settings that are not applied. When you click the link, the Settings editor opens scoped to the @tag:requireTrustedWorkspace tag.
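As an added, defender-side illustration of the two points above (task definitions and workspace settings both live in the committed .vscode folder), here is a small Python audit script that is not part of the VS Code documentation. It parses a repository's .vscode/tasks.json and .vscode/settings.json (VS Code accepts comments and trailing commas in these files, so a small JSONC cleaner is included) and lists the entries you would want to review before trusting the folder: tasks marked to run on folder open (the runOn: folderOpen run option in VS Code's task schema), tasks that run shell commands, and settings whose key points at an executable. The sample file contents are constructed inline; EXECUTABLE_PATH_KEYS holds only php.validate.executablePath from this page and is meant to be extended for the extensions you actually use; the suffix match on "executablePath" and all function names are my assumptions.

```python
import json
import re
from pathlib import Path

# Settings keys that hand VS Code or an extension a path to run. Only
# php.validate.executablePath is named on this page; extend the set for the
# extensions you use (assumption: a suffix match on "executablePath" catches
# most of them).
EXECUTABLE_PATH_KEYS = {"php.validate.executablePath"}


def parse_jsonc(text):
    """Parse the JSON-with-comments dialect VS Code uses for .vscode/*.json:
    strip // and /* */ comments outside strings, then trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):  # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            end = text.find("\n", i)
            i = len(text) if end == -1 else end
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = len(text) if end == -1 else end + 2
        else:
            out.append(c)
            i += 1
    cleaned = re.sub(r",\s*([}\]])", r"\1", "".join(out))
    return json.loads(cleaned)


def audit_tasks(tasks_doc):
    """Return review notes for a parsed tasks.json document."""
    findings = []
    for task in tasks_doc.get("tasks", []):
        label = task.get("label", "<unnamed>")
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"task '{label}' is set to run automatically on folder open")
        if task.get("type") == "shell" and "command" in task:
            findings.append(f"task '{label}' runs shell command: {task['command']}")
    return findings


def audit_settings(settings_doc):
    """Return review notes for a parsed workspace settings.json document."""
    findings = []
    for key, value in settings_doc.items():
        if key in EXECUTABLE_PATH_KEYS or key.lower().endswith("executablepath"):
            findings.append(f"setting {key} points at an executable: {value}")
    return findings


def audit_texts(tasks_text=None, settings_text=None):
    """Audit raw tasks.json / settings.json contents (either may be None)."""
    findings = []
    if tasks_text is not None:
        findings += audit_tasks(parse_jsonc(tasks_text))
    if settings_text is not None:
        findings += audit_settings(parse_jsonc(settings_text))
    return findings


def audit_workspace(root):
    """Audit the .vscode folder of a checked-out repository at `root`."""
    vscode = Path(root) / ".vscode"

    def read(name):
        path = vscode / name
        return path.read_text(encoding="utf-8") if path.is_file() else None

    return audit_texts(read("tasks.json"), read("settings.json"))


# Constructed sample files, not taken from any real repository.
SAMPLE_TASKS = """{
  // VS Code allows comments and trailing commas here
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "./scripts/setup.sh",
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "build", "type": "shell", "command": "make" }
  ]
}"""

SAMPLE_SETTINGS = """{
  "editor.tabSize": 2,
  "php.validate.executablePath": "./tools/php" /* path inside the repo */
}"""

if __name__ == "__main__":
    for line in audit_texts(SAMPLE_TASKS, SAMPLE_SETTINGS):
        print("REVIEW:", line)
```

Run it against a freshly cloned repository with audit_workspace("path/to/clone") before choosing Yes, I trust the authors; an empty result does not make the folder safe, but a non-empty one tells you exactly which committed definitions would gain execution rights once trust is granted.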
Extensions
The VS Code extensions ecosystem is incredibly rich and diverse. People have created extensions to help with almost any programming task or editor customization. Some extensions provide full programming language support (IntelliSense, debugging, code analysis), and others let you play music or keep virtual pets.
Most extensions run code on your behalf and could potentially cause harm. Some extensions have settings that can cause them to behave maliciously if they are configured to run an unexpected executable. Because of this, extensions that have not explicitly opted in to Workspace Trust are disabled by default in Restricted Mode.
You can check the status of an installed extension by clicking the Extensions are disabled or have limited functionality link in the Workspace Trust Editor, which displays the Extensions view with the @workspaceUnsupported filter.
Disabled in Restricted Mode
Extensions that have not explicitly stated that they support running in Restricted Mode are displayed in the Disabled in Restricted Mode section. An extension author can also indicate that they never want the extension to be activated in Restricted Mode if they determine that it could be abused by changes (settings or files) in a workspace.
Limited in Restricted Mode
Extension authors can also evaluate their extensions for possible security vulnerabilities and declare that they have limited support for running in Restricted Mode. This means the extension may disable some features or functionality to prevent a possible exploit.
Extensions can add custom text to the Workspace Trust badge in the extensions view explaining the restriction when running in an untrusted folder.
For example, the PHP extension built into VS Code restricts the use of the php.validate.executablePath setting to trusted folders, as overriding this setting could run a malicious program.
You can override an extension's Workspace Trust support level using the extensions.supportUntrustedWorkspaces setting described in the Enable Extensions section below.
If you try to install an extension in Restricted Mode, you will be prompted to either trust the workspace or just install the extension. If the extension does not support Workspace Trust, it will be installed but disabled or run with limited functionality.
note: Extension authors can learn how to update their extensions to support Workspace Trust by reading the Workspace Trust Extension Guide.
Trust a workspace
If you trust a project's authors and maintainers, you can trust the project's folder on your local computer. For example, it's usually safe to trust repositories from well-known GitHub organizations like github.com/microsoft or github.com/docker.
The initial Workspace Trust prompt when opening a new folder allows you to trust that folder and its subfolders.
You can also bring up the Workspace Trust Editor and quickly toggle a folder's trusted status.
There are several ways to bring up the Workspace Trust Editor.
In Restricted Mode:
- Restricted Mode banner Manage link
- Restricted Mode status bar item
You can also use at any time:
- Workspaces: Manage Workspace Trust command from the Command Palette (⇧⌘P (Windows, Linux Ctrl+Shift+P))
- Manage Workspace Trust from the Manage gear in the Activity bar
Selecting folders
If you trust a folder, it is added to the Trusted folders and workspaces list displayed in the Workspace Trust Editor.
You can manually add, edit, and remove folders from this list, and the active folder granting trust will be highlighted in bold.
Choosing a parent folder
When you trust a folder through the Workspace Trust Editor, you have the option to trust the parent folder. This will apply trust to the parent folder and all subfolders.
This can be useful if you have many folders with trusted content in one folder.
When you open a subfolder under a trusted parent folder, you don't see the usual Don't Trust button to put you back into Restricted Mode; instead there is text mentioning that your folder is trusted because of another folder.
You can add, edit, and remove a parent folder entry in the Trusted folders and workspaces list.
Folder configurations
As mentioned above, you can trust a parent folder so that all of its subfolders are trusted. This lets you control workspace trust based on where a repository is located on disk.
For example, you could put all trusted repositories in a parent folder "TrustedRepos" and unknown repositories in another parent folder like "ForEvaluation". You would trust the TrustedRepos folder and selectively trust folders under ForEvaluation.
├── TrustedRepos - Clone trusted repositories under this parent folder
└── ForEvaluation - Clone experimental or unknown repositories under this parent folder
You can also group and trust your repositories by organization, placing them under parent folders named for the organization.
├── github/microsoft - Clone a specific organization's repositories under this parent folder
├── github/{myforks} - Place your forked repositories under this parent folder
└── local - Local unpublished repositories
Enable Extensions
What if you want to use Restricted Mode but your favorite extension doesn't support Workspace Trust? This can happen when an extension is useful and functional but is not actively maintained and has not declared its Workspace Trust support. To handle this scenario, you can override the extension's trust state with the extensions.supportUntrustedWorkspaces setting.
note: Be careful when overriding an extension's Workspace Trust support. It may be that the author of the extension has a good reason to disable their extension in restricted mode. If in doubt, contact the extension author or check the recent changelogs for more context.
When you open the Settings editor (⌘, (Windows, Linux Ctrl+,)) and search for "trust extensions", you will find the Extensions: Support Untrusted Workspaces setting, which has an Edit in settings.json link.
Select this link and you are taken to your user settings.json file with a new entry for extensions.supportUntrustedWorkspaces. This setting takes an object that contains a list of extension IDs and their support status and version. You can select any of your installed extensions through IntelliSense suggestions.
Below you can see a settings.json entry for the Prettier extension.
"extensions.supportUntrustedWorkspaces": {
  "esbenp.prettier-vscode": {
    "supports": true,
    "version": "6.4.0"
  }
},
You can either enable or disable Workspace Trust support with the supports attribute. The version attribute specifies the exact extension version the entry applies to; you can remove the version field if you want to set the state for all versions.
If you want to learn more about how extension authors evaluate and determine which features to restrict in Restricted Mode, you can read the Workspace Trust Extension Guide.
Opening untrusted files
If you open a file that is located outside of a trusted folder, VS Code detects that the file came from somewhere outside the folder root and prompts you to either continue opening the file or open it in a new window in Restricted Mode. Opening in Restricted Mode is the safest option, and you can always reopen the file in your original VS Code window once you determine that the file is trustworthy.
If you don't want to be prompted when opening files outside of trusted workspaces, you can set security.workspace.trust.untrustedFiles to open. You can also set security.workspace.trust.untrustedFiles to newWindow to always create a new window in Restricted Mode. Checking the Remember my decision for all workspaces option in the Untrusted Files dialog applies your selection to the security.workspace.trust.untrustedFiles user setting.
Opening untrusted folders
When working with multi-root workspaces that contain several folders, if you try to add a new folder to a trusted multi-root workspace, you are prompted to decide whether to trust the files in that folder; if you choose not to, the entire workspace enters Restricted Mode.
Empty windows (no open folder)
When you open a new VS Code window (instance) without opening a folder or workspace, VS Code runs the window with full trust by default. All installed extensions are activated and you can use the blank window without restrictions.
When you open a file, you are asked whether you want to open an untrusted file, since there is no parent folder to trust.
You can put an empty window into Restricted Mode via the Workspace Trust Editor (select Manage Workspace Trust from the Manage gear button or the Command Palette) and selecting Don't Trust. The empty window stays in Restricted Mode for your current session, but reverts to trusted when you restart or create a new window.
If you want all empty windows to be in Restricted Mode, you can set security.workspace.trust.emptyWindow to false.
Settings
Below are the available Workspace Trust settings:
- security.workspace.trust.enabled - Enable the Workspace Trust feature. Default is true.
- security.workspace.trust.startupPrompt - Whether to show the Workspace Trust dialog on startup. By default, it appears only once per distinct folder or workspace.
- security.workspace.trust.emptyWindow - Whether to always trust an empty window (no open folder). Default is true.
- security.workspace.trust.untrustedFiles - Controls how loose files in a workspace are handled. Default is to prompt.
- extensions.supportUntrustedWorkspaces - Override extension Workspace Trust declarations. Either true or false.
- security.workspace.trust.banner - Controls when the Restricted Mode banner is shown. Default is untilDismissed.
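Putting the settings above together, here is an added example of a user settings.json (not taken from the VS Code documentation) that keeps Workspace Trust enabled, leaves empty windows untrusted, opens loose files in a new Restricted Mode window, and carries the Prettier override from the Enable Extensions section. The value "once" for startupPrompt is my assumption about that setting's allowed values; every other value is one this page names.

```jsonc
{
  // Keep the feature on: turning it off restores pre-1.57 behaviour, where
  // tasks, debuggers and extension settings run as soon as a folder opens.
  "security.workspace.trust.enabled": true,

  // Ask once per distinct folder or workspace (assumed value name).
  "security.workspace.trust.startupPrompt": "once",

  // Treat a window with no folder open as untrusted instead of the default (true).
  "security.workspace.trust.emptyWindow": false,

  // Loose files from outside a trusted folder always open in a new Restricted Mode
  // window rather than prompting ("prompt" is the default, "open" skips the check).
  "security.workspace.trust.untrustedFiles": "newWindow",

  // Keep the Restricted Mode banner visible until it is dismissed.
  "security.workspace.trust.banner": "untilDismissed",

  // Per-extension override, pinned to one version so an update that changes the
  // extension's behaviour does not silently inherit the override.
  "extensions.supportUntrustedWorkspaces": {
    "esbenp.prettier-vscode": {
      "supports": true,
      "version": "6.4.0"
    }
  }
}
```

Pinning the version in the override is the one choice worth calling out: dropping the version field applies the override to every future release of the extension, including ones that might add features the author would have limited in Restricted Mode.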
Command line switch
You can disable Workspace Trust from the VS Code command line by passing --disable-workspace-trust. This switch only affects the current session.
Next Steps
Learn more at:
- Workspace Trust Extension Guide - Learn how extension authors can support Workspace Trust.
- What is a VS Code "workspace"? - Learn more about the VS Code "workspace" concept.
- GitHub Repositories extension - Work directly on a repository without cloning the source code to your local machine.
Frequently Asked Questions
Can I still edit my source code in Restricted Mode?
Yes, you can still browse and edit source code in Restricted Mode. Some language features may be disabled, but text editing is always supported.
Where have my installed extensions gone?
In Restricted Mode, all extensions that don't support Workspace Trust are disabled, and their UI elements such as Activity bar icons and commands are not displayed.
You can override an extension's Workspace Trust support level with the extensions.supportUntrustedWorkspaces setting, but do so with care. Enable Extensions has more details.
Can I turn off the Workspace Trust feature?
You can, but it's not recommended. If you don't want VS Code to check for workspace trust when opening a new folder or repository, you can set security.workspace.trust.enabled to false. VS Code will then behave as it did before version 1.57.
How do I untrust a folder/workspace?
Bring up the Workspace Trust Editor (Workspaces: Manage Workspace Trust from the Command Palette) and select the Don't Trust button. You can also remove the folder from the Trusted folders and workspaces list.
Why can't I see the Don't Trust button?
If you don't see the Don't Trust button in the Workspace Trust dialog, the folder's trust level may be inherited from a parent folder. Check the Trusted folders and workspaces list to see whether a parent folder has workspace trust enabled.
Some workflows such as connecting to a GitHub Codespace or attaching to a running Docker container are automatically trusted because they are managed environments in which you should already have a high level of trust.
What does Workspace Trust protect against?
Many features of VS Code allow third-party tools and extensions to run automatically, for example linting or formatting on save, or certain operations such as compiling code or debugging. An unethical person could create an innocent-looking project that executes malicious code without your knowledge and harms your local machine. Workspace Trust provides an additional layer of security by attempting to prevent code execution while you assess the security and integrity of unfamiliar source code.
2.2.2023