VS Code Security
Protect your development environment. Security settings, extension risks, and best practices for VS Code users.
Security Risks
Malicious Extensions
Extensions have broad access to your system and code. Malicious or compromised extensions can steal credentials, inject code, or compromise your machine.
Workspace Trust Issues
Opening untrusted code can execute tasks, run debuggers, or trigger extensions that auto-execute code.
Terminal Command Exposure
Integrated terminal history, commands, and output may contain secrets that get logged or shared.
Settings Sync Risks
Settings sync can synchronize secrets, tokens, or sensitive configurations across devices.
Recommended Security Settings
- Prompts before trusting new workspaces (Security: Workspace Trust)
- Verify extension signatures (Extensions: Verify Signature Before Install)
- Restrict capabilities in untrusted files (Security: Restrict Mode)
- Be cautious about terminal command suggestions (Terminal: Integrated Shell Args)
Extension Security Checklist
- Check publisher verification badge
- Review number of downloads and ratings
- Read recent reviews for security concerns
- Check when it was last updated
- Review the permissions requested
- Look at the GitHub repository for activity
- Be cautious of extensions requesting unusual permissions
- Remove extensions you no longer use
Frequently Asked Questions
Are VS Code extensions safe?
Not automatically. Extensions have significant access to your system. Most popular extensions from verified publishers are safe, but there have been cases of malicious extensions in the marketplace. Always verify publishers, check ratings, and be cautious about what you install.
What is Workspace Trust and should I use it?
Workspace Trust is a VS Code feature that restricts certain capabilities until you explicitly trust a workspace. This prevents malicious repos from auto-executing code. Yes, you should enable it—especially when opening code from untrusted sources.
Can VS Code extensions steal my credentials?
Yes, extensions with sufficient permissions can access files, terminals, and the network. A malicious extension could read .env files, capture terminal output, or exfiltrate data. Only install extensions you trust, and audit what you have installed.
How do I audit my installed extensions?
Go to the Extensions panel and review each installed extension. Check: Is the publisher verified? When was it last updated? Does it have suspicious permissions? Remove any you don't recognize or use. Consider using extension packs from trusted publishers.
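One way to script the audit described above, as an added example (not from the original page or from VS Code itself): it reads each installed extension's `package.json` manifest and flags startup activation, extensions that stay enabled in untrusted workspaces, and other extensions pulled in. The `~/.vscode/extensions` path, the `audit_extensions` and `build_sample` names, and the sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption: stock desktop install; Insiders, portable and remote setups use other paths.
DEFAULT_DIR = Path.home() / ".vscode" / "extensions"
BROAD_ACTIVATION = {"*", "onStartupFinished"}  # extension code loads in every window

def audit_extensions(ext_dir=DEFAULT_DIR):
    """Return one finding per extension folder: id, version and a list of review flags."""
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(pkg, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):  # missing, undecodable or malformed manifest
            findings.append({"id": manifest.parent.name, "version": None, "flags": ["unreadable manifest"]})
            continue
        flags = []
        if BROAD_ACTIVATION & set(pkg.get("activationEvents") or []):
            flags.append("activates on every startup")
        caps = pkg.get("capabilities") or {}
        if (caps.get("untrustedWorkspaces") or {}).get("supported") is True:
            flags.append("stays enabled in Restricted Mode")
        pulled = (pkg.get("extensionPack") or []) + (pkg.get("extensionDependencies") or [])
        if pulled:
            flags.append("pulls in: " + ", ".join(map(str, pulled)))
        findings.append({"id": f"{pkg.get('publisher')}.{pkg.get('name')}",
                         "version": pkg.get("version"), "flags": flags})
    return findings

def build_sample(root):
    """Write constructed manifests (hypothetical publishers) for an offline run."""
    samples = {
        "acme.linter-1.2.0": {"publisher": "acme", "name": "linter", "version": "1.2.0",
                              "main": "./out/main.js", "activationEvents": ["onLanguage:python"]},
        "example.helper-0.0.3": {"publisher": "example", "name": "helper", "version": "0.0.3",
                                 "main": "./ext.js", "activationEvents": ["*"], "extensionPack": ["example.other"],
                                 "capabilities": {"untrustedWorkspaces": {"supported": True}}},
    }
    for folder, pkg in samples.items():
        (Path(root) / folder).mkdir(parents=True)
        (Path(root) / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_extensions(tmp), sep="\n")
```

Calling `audit_extensions()` with no argument reads the default extension directory; the flags are prompts for manual review, not verdicts.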
Is VS Code more secure than Cursor or other editors?
VS Code has a more mature security model with Workspace Trust and extension verification. Cursor (a VS Code fork) inherits these but adds AI features that introduce their own risks. Any editor with extensions/plugins has similar trust considerations.
Last updated: January 16, 2026