Workspace Trust in OpenVSCode Server

Overview

OpenVSCode Server, like Visual Studio Code, provides a secure editing environment by introducing the concept of Workspace Trust. This mechanism protects developers from unintentionally executing unsafe code when opening a folder that contains files authored by unknown or untrusted sources.

When you open a folder, OpenVSCode Server prompts you to indicate whether you trust the authors of the files in that folder. Your choice determines whether the workspace runs in Trusted Mode (all features enabled) or Restricted Mode (limited, safe execution).


Why Workspace Trust Matters

Modern code editors provide advanced features that may automatically execute or interpret files in your workspace. Examples include:

  • Tasks and Build Scripts – e.g., tasks.json running shell commands.

  • Debug Configurations – e.g., launch.json triggering executables.

  • Extensions – some extensions can execute workspace-specific code.

  • Settings and Code Snippets – workspace-level configuration can alter execution environments.

If these features run on untrusted code, they could compromise the host system, leak credentials, or introduce malicious behavior. Workspace Trust keeps them disabled until you explicitly trust the folder.


Trust States

There are two main trust states:

1. Trusted Mode

  • All editor features are enabled.

  • Workspace-specific settings, extensions, tasks, and debugging configurations are active.

  • Intended for codebases you authored, or repositories you trust.

2. Restricted Mode

  • Editor enters a locked-down state.

  • The following are disabled or limited:

    • Execution of workspace tasks and launch configurations.

    • Automatic activation of workspace-reliant extensions.

    • Certain APIs that extensions may call.

    • Access to workspace-level settings that could affect security.

  • Safe for exploring third-party or unknown codebases.

You can always upgrade a workspace from Restricted to Trusted after verifying the files.


Trust Prompt Explained

When you open a new folder, OpenVSCode Server displays a trust dialog with options:

  • Yes, I trust the authors: Enables trusted mode for the current folder.

  • No, I don’t trust the authors: Opens the workspace in restricted mode.

  • Trust the authors of all files in the parent folder: Extends trust to the parent directory (and all subdirectories). Useful for project structures under a common root like ~/Projects/.

Example:

If you open:

~/RakeshTigadi/cold-call-sentiment-analysis

and select Trust parent folder, then the entire ~/RakeshTigadi/ tree is trusted.


Security Model and Enforcement

The trust system in OpenVSCode Server is built on three principles:

  1. Least Privilege by Default: Unknown code is opened in restricted mode unless explicitly trusted.

  2. Granular Control: Trust can be applied at the folder or parent-folder level.

  3. Transparency: The editor clearly indicates when restricted mode is active and lists which features are unavailable.

Restricted mode enforcement includes:

  • Blocking execution of code in tasks.json and launch.json.

  • Preventing execution of workspace npm/yarn/pip scripts via VSCode tasks.

  • Disabling extension APIs that rely on workspace execution.

  • Not loading workspace settings that could alter environment behavior.


Managing Trust Settings

You can manage trust at any time:

  • Status Bar Indicator: Restricted Mode is shown in the status bar. Click to manage trust.

  • Command Palette (Ctrl+Shift+P / Cmd+Shift+P): Run "Workspaces: Manage Workspace Trust".

  • Settings File: Trust decisions are stored in user configuration and can be reset if needed.


Best Practices

  • Trust only code you control: Personal or organizational repositories.

  • Review before trusting: For open-source code, inspect scripts and configs.

  • Default to Restricted: When uncertain, start in restricted mode.

  • Use Parent Folder Trust: For monorepos or structured org folders.

  • Audit Extensions: Only enable extensions you trust, as they can execute code.
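
The "Review before trusting" step can be scripted. The following is an added example, not part of OpenVSCode Server or its documentation: it lists the tasks, launch configurations, workspace setting keys and npm scripts found in a folder, and flags tasks set to run when the folder opens. The function names and the sample workspace are constructed for illustration; the parser assumes the comment and trailing-comma tolerant JSON that VS Code accepts in its configuration files.

```python
import json
import re
import tempfile
from pathlib import Path

_STR = r'"(?:\\.|[^"\\])*"'  # one whole JSON string, so "//" inside a value is not a comment

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas without touching string contents."""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/",
                  lambda m: m.group(0) if m.group(0)[0] == '"' else "", text, flags=re.S)
    return re.sub(_STR + r"|,(\s*[}\]])",
                  lambda m: m.group(0) if m.group(1) is None else m.group(1), text)

def audit_workspace(root):
    """Return (file, detail) pairs for workspace content that Trusted Mode would enable."""
    root, findings = Path(root), []
    def load(rel):
        try:
            data = json.loads(strip_jsonc((root / rel).read_text(encoding="utf-8")))
            return data if isinstance(data, dict) else {}
        except FileNotFoundError:
            return {}
        except json.JSONDecodeError:
            findings.append((rel, "UNPARSEABLE: review by hand"))
            return {}
    for task in load(".vscode/tasks.json").get("tasks", []):
        tag = "AUTO-RUN " if task.get("runOptions", {}).get("runOn") == "folderOpen" else ""
        findings.append((".vscode/tasks.json", f"{tag}{task.get('label', '?')}: {task.get('command', '')}"))
    for cfg in load(".vscode/launch.json").get("configurations", []):
        findings.append((".vscode/launch.json", f"{cfg.get('name', '?')}: {cfg.get('program', '')}"))
    for key in load(".vscode/settings.json"):
        findings.append((".vscode/settings.json", key))
    for name, cmd in load("package.json").get("scripts", {}).items():
        findings.append(("package.json", f"{name}: {cmd}"))
    return findings

def demo():
    """Audit a constructed sample workspace (not taken from any real repository)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, ".vscode").mkdir()
        Path(tmp, ".vscode", "tasks.json").write_text('''{ /* constructed sample */
  "tasks": [ { "label": "setup", "type": "shell", "command": "echo see http://example.invalid/setup",
               "runOptions": { "runOn": "folderOpen" }, }, ] } // trailing commas are accepted''')
        Path(tmp, "package.json").write_text('{"scripts": {"postinstall": "node build.js"}}')
        return audit_workspace(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run it against a checkout opened in Restricted Mode; an empty result means none of these four files define anything to review, not that the folder is safe to trust.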


Example Scenarios

  1. Personal Project: You open your own repository → Safe to trust authors.

  2. Organizational Repo: Open a company-managed Git repo → Trust if policies validate it.

  3. Open-Source Contribution: Opening a random GitHub project → Start in restricted mode, review code, then trust if needed.

  4. Shared Workspace: Folder downloaded via email/zip → Use restricted mode until you verify contents.


FAQ

Q. Can I still edit files in Restricted Mode?
Yes. You can view, edit, and save files normally. Only execution-related features are disabled.

Q. Will extensions work in Restricted Mode?
Only extensions that don’t require workspace execution will run. Others will remain disabled until trust is granted.

Q. Can I change my decision later?
Yes, you can always manage trust from the status bar or Command Palette.

Q. Is trusting a folder permanent?
Trust is remembered until you explicitly revoke it or reset trust settings.
