Notification Dont Show Again Visual Studio Code
Workspace Trust
Visual Studio Lawmaking takes security seriously and wants to help you safely browse and edit code no matter the source or original authors. The Workspace Trust characteristic lets you decide whether your project folders should allow or restrict automatic code execution.
Note: When in dubiousness, leave a folder in Restricted Mode. Y'all tin always enable trust later on.
Rubber lawmaking browsing
Information technology's great that in that location is then much source code available on public repositories and file shares. No thing the coding task or trouble, there is probably already a good solution bachelor somewhere. It is also nifty that there are so many powerful coding tools available to assistance you lot understand, debug, and optimize your code. Still, using open-source lawmaking and tools does have risks, and you tin can go out yourself open to malicious code execution and exploits.
Workspace Trust provides an extra layer of security when working with unfamiliar lawmaking, by preventing automatic code execution when a workspace is open up in "Restricted Mode".
Note: The terms "workspace" and "folder" are used widely in the VS Code UI and documentation. You can think of a "workspace" as a folder with extra metadata created and used by VS Lawmaking.
Restricted Mode
When prompted past the Workspace Trust dialog, if you choose No, I don't trust the authors, VS Code will become into Restricted Way to prevent code execution. The workbench will display a banner at the elevation with links to Manage your folder via the Workspace Trust editor, and Larn More about Workspace Trust (which takes you to back to this documentation).
You will also see a Restricted Way badge in the Status bar.
Restricted Mode tries to prevent automatic code execution by disabling or limiting the performance of several VS Code features: tasks, debugging, workspace settings, and extensions.
To meet the full listing of features disabled in Restricted Mode, you can open the Workspace Trust editor via the Manage link in the banner, or by clicking the Restricted Mode badge in the Status bar.
Tasks
Tasks can run scripts and tool binaries, and because chore definitions are divers in the workspace .vscode
binder, they are office of the committed source code for a repo, and shared to every user of that repo. Were someone to create a malicious task, it could be unknowningly run past anyone who cloned that repository.
If you try to run or even enumerate tasks (Terminal > Run Chore...) while in Restricted Style, VS Lawmaking will display a prompt to trust the folder and continue executing the task. Cancelling the dialog leaves VS Code in Restricted Mode.
Debugging
Similar to running a VS Lawmaking task, debug extensions can run debugger binaries when launching a debug session. For that reason, debugging is also disabled when a folder is open in Restricted Way.
If you effort to start a debug session (Run > Start Debugging) while in Restricted Manner, VS Code will brandish a prompt to trust the folder and continue launching the debugger. Cancelling the dialog leaves VS Code in Restricted Mode, and does not start the debug session.
Workspace settings
Workspace settings are stored in the .vscode
folder at the root of your workspace, and are therefore shared by anyone who clones the workspace repository. Some settings contain paths to executables (for case, linter binaries), which if ready to signal to malicious code, could do damage. For this reason, there is a set of workspace settings that are disabled when running in Restricted Fashion.
In the Workspace Trust editor, there is a link to display the workspace settings that aren't being applied. Clicking the link brings up the Settings editor scoped by the @tag:requireTrustedWorkspace
tag.
Extensions
The VS Lawmaking extensions ecosystem is incredibly rich and diverse. People accept created extensions to help with just most any programming task or editor customization. Some extensions provide total programming language support (IntelliSense, debugging, lawmaking analysis), and others let you play music or have virtual pets.
Most extensions run code on your behalf and could potentially practise harm. Some extensions have settings that could crusade them to act maliciously if configured to run an unexpected executable. For this reason, extensions that take not explicitly opted into Workspace Trust are disabled past default in Restricted Mode.
You tin can review an installed extension's status by clicking the extensions are disabled or have limited functionality link in the Workspace Trust editor, which displays the Extensions view scoped with the @workspaceUnsupported
filter.
Disabled in Restricted Mode
Extensions that accept either not explicitly indicated that they support running in Restricted Style are shown in the Disabled in Restricted Mode department. An extension writer can also indicate that they never want to be enabled in Restricted Mode if they determine that their extension could exist misused past modifications (settings or files) in a workspace.
Limited in Restricted Mode
Extension authors tin too evaluate their extensions for possible security vulnerabilities and declare that they accept express support when running in Restricted Style. This mode ways the extension may disable some features or functionality to prevent a possible exploit.
Extensions can add custom text to the Extensions view Workspace Trust bluecoat explaining the limitation when running in an untrusted folder.
For example, the VS Code congenital-in PHP extension limits the use of the php.validate.executablePath
setting to trusted folders since overriding this setting could run a malicious program.
Yous can override an extension's Workspace Trust back up level using the extensions.supportUntrustedWorkspaces
setting described in the Enabling extensions section below.
If yous try to install an extension in Restricted Way, you volition be prompted to either trust the workspace or but install the extension. If the extension doesn't support Workspace Trust, it volition exist installed, but exist disabled or running with express functionality.
Note: Extension authors can learn how to update their extensions to support Workspace Trust past reading the Workspace Trust Extension Guide.
Trusting a workspace
If y'all trust the authors and maintainers of a project, yous can trust the project'southward folder on your local automobile. For example, it is ordinarily safe to trust repositories from well-known GitHub organizations such as github.com/microsoft or github.com/docker.
The initial Workspace Trust prompt when you lot open a new folder allows y'all to trust that folder and its subfolders.
You can also bring upward the Workspace Editor and rapidly toggle a folder's trusted state.
There are several ways to bring upward the Workspace Editor dialog.
When in Restricted Mode:
- Restricted Manner banner Manage link
- Restricted Mode Condition bar particular
You can too at whatsoever time use:
- Workspaces: Manage Workspace Trust control from the Command Palette ( ⇧⌘P (Windows, Linux Ctrl+Shift+P))
- Manage Workspace Trust from the Manage gear in the Activeness bar
Selecting folders
When you trust a folder, it is added to the Trusted Folders & Workspaces list displayed in the Workspace Trust editor.
Yous tin manually add together, edit, and remove folders from this list and the active folder enabling trust is highlighted in bold.
Selecting a parent folder
When y'all trust a binder via the Workspace Trust editor, you accept the option to trust the parent folder. This will apply trust to the parent folder and all subfolders.
This can exist helpful if yous have many folders with trusted content co-located nether one folder.
When opening a subfolder under a trusted parent, you won't see the usual Don't Trust push to put you back in Restricted Style, instead there is text mentioning that your binder is trusted due to some other folder.
You tin add, modify, and remove a parent folder entry from the Trusted Folders & Workspaces listing.
Folder configurations
As mentioned above, you can trust a parent folder and all subfolders volition be trusted. This allows y'all to control Workspace Trust via a repository'due south location on disk.
For instance, you could put all trusted repos nether a "TrustedRepos" parent binder, and unfamiliar repos under some other parent folder such every bit "ForEvaluation". You would trust the "TrustedRepos" folder, and selectively trust folders under "ForEvaluation".
├── TrustedRepos - Clone trusted repositories nether this parent folder └── ForEvaluation - Clone experimental or unfamiliar repositories under this parent folder
You also group and set up trust on your repositories by group them under organization-base parent folders.
├── github/microsoft - Clone a specific organization's repositories under this parent binder ├── github/{myforks} - Place your forked repositories under this parent binder └── local - Local un-published repositories
Enabling extensions
What happens if you want to utilize Restricted Style simply your favorite extension doesn't support Workspace Trust? This can happen if an extension, while useful and functional, isn't beingness actively maintained and hasn't alleged their Workspace Trust support. To handle this scenario, you lot can override the extension's trust state with the extensions.supportUntrustedWorkspaces
setting.
Note: Exist careful overriding an extension's Workspace Trust support. It may exist that the extension writer has a good reason for disabling their extension in Restricted Mode. If in doubt, reach out to the extension author or review recent changelogs to become more context.
If you open the Settings editor ( ⌘, (Windows, Linux Ctrl+,)) and search for "trust extensions", you can find the Extensions: Support Untrusted Workspaces setting, which has an Edit in settings.json link.
Select that link and you will go to your user settings.json
file with a new entry for extensions.supportUntrustedWorkspaces
. This setting takes an object that has a list of extension IDs and their support status and version. You tin select any of your installed extensions via IntelliSense suggestions.
Below you can see a settings.json
entry for the Prettier extension.
"extensions.supportUntrustedWorkspaces" : { "esbenp.prettier-vscode" : { "supported" : truthful , "version" : "half dozen.4.0" }, },
You tin either enable or disable Workspace Trust support with the supported
attribute. The version
attribute specifies the exact extension version applicative and you can remove the version field if you want to set up the state for all versions.
If you'd like to learn more well-nigh how extension authors evaluate and make up one's mind which features to limit in Restricted Mode, you can read the Workspace Trust Extension Guide.
Opening untrusted files
If yous open a file that is located outside of a trusted folder, VS Code will detect that the file comes from somewhere exterior the folder root and prompt y'all with the option to go on to open the file or open the file in a new window in Restricted Mode. Opening in Restricted Mode is the safest pick and yous can always reopen the file in your original VS Lawmaking window in one case you determine the file is trustworthy.
If you lot would prefer to non exist prompted when opening files from outside trusted workspaces, you tin can set up security.workspace.trust.untrustedFiles
to open
. You tin can also prepare security.workspace.trust.untrustedFiles
to newWindow
to e'er create a new window in Restricted Manner. Checking the Remember my decision for all workspaces option in the untrusted files dialog applies your selection to the security.workspace.trust.untrustedFiles
user setting.
Opening untrusted folders
When working with multi-root workspaces with multiple folders, if you attempt to add a new folder to a trusted multi-root workspace, you will be prompted to make up one's mind if you trust the files in that folder or if non, the entire workspace will switch to Restricted Mode.
Empty windows (no open up folder)
Past default, if you open a new VS Lawmaking window (example) without opening a binder or workspace, VS Code runs the window with full trust. All installed extensions are enabled and yous can use the empty window without restrictions.
When you open a file, you volition be prompted whether you lot want to open up an untrusted file since at that place is no binder to parent it.
You can switch an empty window to Restricted Mode using the Workspace Trust editor (select Manage Workspace Trust from the Manage gear button or the Command Palette) and selecting Don't Trust. The empty window will remain in Restricted Mode for your current session but will go back to trusted if you lot restart or create a new window.
If you want all empty windows to be in Restricted Mode, you lot can set security.workspace.trust.emptyWindow
to false
.
Settings
Below are the available Workspace Trust settings:
-
security.workspace.trust.enabled
- Enable Workspace Trust feature. Default is truthful. -
security.workspace.trust.startupPrompt
- Whether to show the Workspace Trust dialog on startup. Default is to only bear witness one time per distinct folder or workspace. -
security.workspace.trust.emptyWindow
- Whether to always trust an empty window (no open folder). Default is true. -
security.workspace.trust.untrustedFiles
- Controls how to handle loose files in a workspace. Default is to prompt. -
extensions.supportUntrustedWorkspaces
- Override extension Workspace Trust declarations. Either true or faux. -
security.workspace.trust.banner
- Controls when the Restricted Fashion banner is displayed. Default isuntilDismissed
.
Command-line switch
You can disable Workspace Trust via the VS Code command line past passing --disable-workspace-trust
. This switch only affects the current session.
Next steps
Learn more at:
- Workspace Trust Extension Guide - Acquire how extension authors can support Workspace Trust.
- What is a VS Code "workspace"? - Find out more details well-nigh the VS Code "workspace" concept.
- GitHub Repositories extension - Work directly on a repository without cloning the source lawmaking to your local auto.
Mutual questions
Tin can I still edit my source code in Restricted Mode?
Yeah, you can still scan and edit source lawmaking in Restricted Way. Some language features may be disabled, only text editing is ever supported.
Where did my installed extensions go?
In Restricted Mode, any extension that doesn't support Workspace Trust will be disabled, and all UI elements such as Activeness bar icons and commands volition not be displayed.
You lot can override an extension's Workspace Trust support level with the extensions.supportUntrustedWorkspaces
setting merely do and so with intendance. Enabling extensions has more details.
Can I disable the Workspace Trust characteristic?
You can but it is not recommended. If yous don't want VS Code to check for Workspace Trust when opening a new folder or repository, y'all can set security.workspace.trust.enabled
to false. VS Code volition then acquit as it did earlier the 1.57 release.
How exercise I untrust a folder/workspace?
Bring upward Workspace Trust editor (Workspaces: Manage Workspace Trust from the Control Palette) and select the Don't Trust button. You lot can also remove the folder from the Trusted Folders & Workspaces list.
Why don't I run across the "Don't Trust" button?
If you don't meet the Don't Trust button in the Workspace Trust dialog, the folder'due south trust level may be inherited from a parent folder. Review the Trusted Folders & Workspaces list to check if a parent binder has enabled Workspace Trust.
Some workflows such as connecting to a GitHub Codespace or attaching to a running Docker container are automatically trusted since these are managed environments to which you should already have a loftier level of trust.
What does Workspace Trust protect against?
Many features of VS Code permit third-party tools and extensions to run automatically, such as linting or format on salvage, or when y'all do certain operations like compiling lawmaking or debugging. An unethical person could craft an innocent looking projection that would run malicious code without your noesis and harm your local automobile. Workspace Trust provides an extra layer of security past trying to forbid code execution while you are evaluating the safety and integrity of unfamiliar source code.
Source: https://code.visualstudio.com/docs/editor/workspace-trust