Visual Studio Code v1.57 launched in May 2021 with a new “Workspace Trust” feature. This is a security mechanism which helps you avoid accidental code execution when you can’t trust a repository’s origins.

Workspace Trust is active by default. When you open a new folder, Code will display a dialog asking you to trust the files within. If you say yes, the editor will function normally. If you press no, Code will enter a new “restricted mode” with reduced functionality.

What Gets Disabled In Restricted Mode?

Restricted Mode is meant to prevent untrusted code from running. Visual Studio features which execute files will be disabled to help protect you against threats you’ve not fully vetted.

Debugging features are turned off, preventing you from accidentally launching a downloaded executable. Visual Studio will also disable tasks defined in the workspace file. Tasks in a .vscode file can run binaries and scripts, so a repo containing one is a security risk.

Any user extensions which could run code will be disabled or placed into a limited functionality state. Some workspace settings might be overridden too, to limit the reach of downloaded .vscode files.

Using Restricted Mode lets you inspect critical portions of a newly downloaded project. You get an opportunity to verify there’s no suspect behaviors, without risking actual code execution. Once you exit Restricted Mode, your regular settings will be applied and debugging will be reactivated.

When Workspace Trust is enabled, you’ll see a prompt each time you open a new folder in an untrusted location. You’ll need to choose whether to enable all features or open the workspace in Restricted Mode.

Why Bother?

Visual Studio Code has evolved into a powerful code editor with support for thousands of extensions. Many of these third-party tools run automatically and add themselves into your workspace settings file. This file is often committed to source control so it can be shared with team members.

It’s conceivable that a crafty bad actor could create a repository that looks genuine but which runs malicious code when it’s loaded into the editor. Workspace Trust is a response to this possibility. It gives you greater safety when you’re inspecting open-source software and other code received from third parties.

Disabling Workspace Trust

Workspace Trust helps you avoid potentially dangerous unintended code executions. Using the feature gives you an extra defense layer against unfamiliar repositories. Nonetheless, you might find the prompts annoying if you regularly consume code from new sources.

You can disable Workspace Trust entirely by setting the security.workspace.trust.enabled setting to false. You can find this in the UI by clicking File > Preferences > Settings and searching for “workspace trust”. The checkbox will show up as “Security > Workspace > Trust: Enabled”. If you only want a one-time launch without Workspace Trust, add the –disable-workspace-trust command line flag.

Customizing Workspace Trust

Workspace Trust offers a few settings to let you fine-tune its behavior. Use the procedure described above to view the Workspace Trust settings in the UI.

“Empty Window” controls what happens when you’re using a window with no open folders. When the checkbox is filled, the window will be treated as trusted by default. Otherwise, you’ll need to manually trust it like a regular folder.

The “Untrusted Files” setting defines what happens if you File > Open a file from an untrusted location while in a trusted window. The default behavior is to prompt before continuing. You can change this to always open the file or force it into a new window that’s automatically untrusted.

Another setting lets you override how extensions respond to Workspace Trust. This must be set manually in your settings.json file. Add an extensions.supportUntrustedWorkspaces key with a JSON object as its value. Add extension IDs as keys in this object. Each extension can have true, limited or false as its value.

An extension listed as true will always be enabled, even in an untrusted workspace. Extensions with false will only load in trusted workspaces. limited extensions will be added to untrusted workspaces but with “trusted” functionality disabled. You won’t be able to use tasks provided by these extensions.

Managing Trusted Folders

You can view and manage folders you’ve marked as trusted from within Visual Studio Code. Press Ctrl+Shift+P to bring up the Command Palette. Search for “workspace trust” and select the “Workspaces: Manage Workspace Trust” item from the menu.

This screen shows the trust status of your current window. You can switch to Restricted Mode by pressing “Don’t Trust.” Alternatively, press the “Trust” button to enable all features if you’re currently in a restricted state.

The “Trusted Folders & Workspaces” section enumerates all the directories which you’ve marked as trusted. You can revoke a location’s trust by clicking it and pressing the delete “X” button on the right.

Trust is inherited by all sub-directories. Trusting a top-level folder such as /home/me/projects will mean all your repositories are automatically trusted. This compromises the effectiveness of the Workspace Trust system.

Conclusion

Workspace Trust is a promising new security protection for Visual Studio Code users. The dangers of unintentional code execution by IDEs are only just starting to gain visibility. While some might find trust prompts frustrating, they could help protect your machine from dangerous sources.

It’s unlikely you’ll want a workspace to stay in Restricted Mode for an extended time. Although you can still view and edit files, you’ll lose many of Visual Studio Code’s most powerful features. It’s best to review executables, build scripts and .vscode files in a repository, check for any hazards, and then trust the location once you’re sure it’ll behave as expected.