The VS Code Workspace Trust feature lets users control whether code and extensions in a workspace are allowed to execute, improving the security of the development environment.
Workspace Trust Concepts
Trust Levels
- Trusted Workspace: Allows all features, including automatic task execution, extension activation, etc.
- Untrusted Workspace: Limits certain features to prevent potential security risks
Security Risks
- Malicious code execution
- Automatic task execution
- Extension activation
- Workspace settings modification
Workspace Trust Configuration
Global Trust Settings
```json
{
  "security.workspace.trust.enabled": true,
  "security.workspace.trust.banner": "always",
  "security.workspace.trust.startupPrompt": "always",
  "security.workspace.trust.untrustedFiles": "open"
}
```
Workspace Trust Status
- Trusted: Shows green shield icon
- Untrusted: Shows red shield icon
- Unknown: Shows gray shield icon
Trusting Workspace
Manually Setting Trust
- Click shield icon in status bar
- Select "Trust workspace"
- Confirm trust settings
Trust Options
- Trust the authors of all files in the parent folder: Trust all files in parent folder
- Trust the authors of the files in the current workspace: Only trust current workspace
Untrusted Workspace Limitations
Feature Limitations
- Disable automatic task execution
- Disable activation of certain extensions
- Limit application of workspace settings
- Disable debugger startup
Restricted Features List
- Automatic task execution
- Automatic extension activation
- Workspace settings
- Debug configuration
- Preview features
File Trust Settings
File Trust Levels
```json
{
  "security.workspace.trust.untrustedFiles": "open"
}
```
Option Descriptions
- open: Allow opening untrusted files
- newWindow: Open untrusted files in new window
- prompt: Prompt every time
Extension Trust
Extension Trust Policy
```json
{
  "extensions.autoUpdate": false,
  "extensions.autoCheckUpdates": false
}
```
Extension Security Check
- Check extension source
- Verify extension signature
- Review extension permissions
- Assess extension risk
Workspace Settings Security
Trusted Workspace Settings
```json
{
  "terminal.integrated.cwd": "${workspaceFolder}",
  "terminal.integrated.env.windows": {
    "PATH": "${env:PATH};C:\\custom\\path"
  }
}
```
Untrusted Workspace Limitations
- Ignore certain configurations in workspace settings
- Limit terminal environment variables
- Disable automatic task execution
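Before trusting an unfamiliar folder, it helps to see what its `.vscode` files would run or override. The following is an added example (not code from the original page or from VS Code) that reads the text of `tasks.json` and `settings.json` and reports tasks set to run on folder open and terminal settings like those shown above; the function names, the watched-setting list and the sample inputs are assumptions of this example.

```typescript
// Added example (not VS Code's own code): report what a folder's .vscode files
// would auto-run or override, so it can be reviewed before granting trust.
interface Finding { file: string; detail: string; }

// .vscode/*.json files are JSONC: drop comments and trailing commas that sit
// outside string literals, then parse the rest as plain JSON.
function parseJsonc(text: string): any {
  const keep = (m: string, alt: string): string => (m[0] === '"' ? m : alt);
  const noComments = text.replace(
    /"(?:[^"\\]|\\.)*"|\/\/[^\n]*|\/\*[\s\S]*?\*\//g, (m: string) => keep(m, ''));
  return JSON.parse(noComments.replace(
    /"(?:[^"\\]|\\.)*"|,(\s*[}\]])/g, (m: string, tail: string) => keep(m, tail)));
}

// Assumption of this example: watch the terminal settings this page shows.
const WATCHED_SETTINGS = ['terminal.integrated.env.', 'terminal.integrated.cwd'];

function auditWorkspace(tasksJson: string, settingsJson: string): Finding[] {
  const findings: Finding[] = [];
  const tasks: any[] = parseJsonc(tasksJson).tasks || [];
  for (const t of tasks) {
    // runOptions.runOn = "folderOpen" marks a task that starts when the folder opens
    if (t.runOptions && t.runOptions.runOn === 'folderOpen') {
      findings.push({ file: 'tasks.json', detail: `auto-run task "${t.label}": ${t.command}` });
    }
  }
  const settings: Record<string, unknown> = parseJsonc(settingsJson);
  for (const key of Object.keys(settings)) {
    if (WATCHED_SETTINGS.some((p: string) => key.indexOf(p) === 0)) {
      findings.push({ file: 'settings.json', detail: `${key} = ${JSON.stringify(settings[key])}` });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from a real project).
const SAMPLE_TASKS = `{
  "version": "2.0.0", // build helpers
  "tasks": [
    { "label": "build", "type": "shell", "command": "make" },
    { "label": "setup", "type": "shell", "command": "./scripts/setup.sh",
      "runOptions": { "runOn": "folderOpen" } },
  ]
}`;
const SAMPLE_SETTINGS = `{
  "editor.tabSize": 2,
  "terminal.integrated.env.linux": { "DOCS": "https://example.com/docs" } /* note the // in the string */
}`;

auditWorkspace(SAMPLE_TASKS, SAMPLE_SETTINGS)
  .forEach((f: Finding) => console.log(`[${f.file}] ${f.detail}`));
```

An empty result means only that nothing on the watch list was found; the files should still be read before the folder is trusted.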
Security Best Practices
Trust Policy
- Only trust workspaces whose source and authors you trust
- Regularly review list of trusted workspaces
- Be cautious with projects from unknown sources
- Use version control to verify code source
Extension Security
- Only install extensions from official marketplace
- Check extension reviews and download counts
- Review extension permission requests
- Regularly update extensions
Code Security
- Use .gitignore to exclude sensitive files
- Don't commit configuration files containing keys
- Use environment variables to store sensitive information
- Regularly review dependencies
Workspace Trust API
Checking Trust Status in Extensions
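```typescript
import * as vscode from 'vscode';

// Run a task only if the user has trusted the current workspace.
export async function runTaskIfTrusted(task: vscode.Task): Promise<void> {
  const isTrusted = vscode.workspace.isTrusted;
  if (isTrusted) {
    // Execute operations requiring trust
    await vscode.tasks.executeTask(task);
  } else {
    vscode.window.showWarningMessage('Workspace is not trusted');
  }
}
```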
Listening to Trust Status Changes
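```typescript
import * as vscode from 'vscode';

// The extension API exposes onDidGrantWorkspaceTrust, which fires when the
// workspace becomes trusted. There is no event for losing trust: revoking
// trust reloads the window, so the extension starts again untrusted.
vscode.workspace.onDidGrantWorkspaceTrust(() => {
  console.log('Workspace is now trusted');
});
```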
Important Notes
- Workspace trust does not affect user settings
- Trust settings are persistent
- Team collaboration should unify trust policy
- Regularly review trusted workspaces
- Pay attention to feature limitations in untrusted workspaces