There is a growing problem with VSCode extensions:<p>- they're not sandboxed (yet) - just like double-clicking an .exe file
- they don't have a permission model
- they auto update
- they have built-in persistence
- they are installed on developer machines with high-value credentials<p>The recent CircleCI and LastPass incidents were both suspected to originate from a compromised developer machine - which is becoming every organization's Achilles heel in terms of cyber posture<p>So I've been working on a way to help mitigate some of these risks<p>Right now, only an MVP of a "CLI" is available:<p>$ code --list-extensions --show-versions | curl --data-binary @- https://coderguard.io/scan<p>Which will list your installed extensions with some enriched information to vet their trustfulness<p>But much more detailed threat intel will be shown in the upcoming website and extension, including
- Behavioural data gathered from running the extension on an instrumented sandbox environment
- The ability to define policies to allow or block extension installs/updates, based on your specific risk appetite<p>For updates, sign up at https://coderguard.io or follow https://twitter.com/coderguard<p>The reason I'm posting this now is because I'd like to get some feedback in order to course-correct to make sure what I build actually solves people's problems<p>I'd be happy to read any comments, or answer any questions
Very cool! I've built something similar, but for packages: <a href="https://github.com/ossillate-inc/packj">https://github.com/ossillate-inc/packj</a> Would love to talk.
I don't know how adequate such vetting is. It puts the onus on the developers to look at the results and decide. Is there work being done to sandbox extensions?