Security
AI-powered development capabilities can autonomously perform different development tasks, which might have significant security implications. In this article, you'll learn about VS Code's built-in security protections, the risks to be aware of, and how to configure your environment for safe AI-assisted development.
This article covers security controls in the VS Code editor for AI-powered development features. For information about how GitHub Copilot handles your data, privacy, and compliance, see the GitHub Copilot Trust Center. For organization-wide AI policies and controls, see AI settings for your organization and enterprise policies.
Recommended security baseline
Use the following checklist to set up a secure starting point for AI-assisted development. Each step links to detailed information later in this article.
- Open untrusted projects in restricted mode. Until you've reviewed a project for malicious content, rely on the Workspace Trust boundary. Restricted mode disables agents in that workspace.
- Enable agent sandboxing. On macOS and Linux (WSL2 on Windows), enable chat.tools.terminal.sandbox.enabled to restrict file system and network access for agent-executed commands. Learn more about agent sandboxing.
- Review all file edits before accepting. Use the diff editor to inspect proposed changes. Keep or undo individual changes before they are applied.
- Protect sensitive files. Configure chat.tools.edits.autoApprove with glob patterns (for example, "**/.env": false) to require manual approval for edits to sensitive files. Learn more about protecting sensitive files.
- Keep auto-approval scoped to the session. Grant tool and terminal permissions at the session level rather than workspace or user level. This limits the duration of elevated trust.
- Review MCP servers before trusting them. Verify that MCP servers come from a trustworthy source and review their configuration before starting them.
Trust boundaries
VS Code's security model uses trust boundaries to limit the potential impact of untrusted code. Each trust boundary requires explicit consent before it is considered trusted:
- Workspace: controls whether VS Code enables features like tasks, debugging, and workspace settings that can execute code from the project. An untrusted workspace runs in restricted mode, which also disables agents.
- Extension publisher: controls whether extensions from a given publisher can be installed and run. VS Code prompts you to trust the publisher before activating their extensions.
- MCP server: controls whether an MCP server can start and provide tools. VS Code prompts you to trust each MCP server before it runs, and re-prompts after configuration changes.
- Network domain: controls whether the agent can fetch content from a URL. VS Code prompts you to trust a domain before making requests to it, integrated with the Trusted Domains list. You can also enable chat.agent.networkFilter (a setting that can be managed at the organization level) to restrict which domains agent tools (fetch tool, integrated browser) and sandboxed terminal commands can access. Learn more about network filtering.
You can revoke trust at any time through dedicated commands in the Command Palette.
How VS Code protects your environment
VS Code includes several built-in security protections to provide visibility into sensitive operations, limit the scope of actions, and help prevent unintended consequences.
Scope and isolation
VS Code limits the potential impact of agent actions by controlling their scope of operation.
- Workspace-limited file access: Built-in agent tools can only read and write files within the current workspace folder. You can optionally grant read-only access to additional folders with the chat.additionalReadAccessFolders setting.
- Tools picker: You can selectively enable or disable specific tools using the tools picker, giving you precise control over what capabilities are available to the AI agent.
- Session isolation: You can grant permissions that are temporary and don't persist beyond the current session. This enables you to experiment with AI capabilities while maintaining long-term security boundaries.
- Request limits: Built-in safeguards prevent runaway operations that consume excessive resources or perform unintended bulk actions on your codebase.
- Agent isolation: Background agents work in a separate Git worktree, preventing conflicts with your active workspace. They have limited tool access and can only use local MCP servers that don't require authentication. Cloud agents run on remote infrastructure, which provides inherent isolation from your local machine and local resources.
- Secure secrets store: Sensitive input parameters for MCP servers are stored using VS Code's secure credentials store to protect authentication tokens and other sensitive data.
- MCP authentication: VS Code implements the MCP authorization specification to enable OAuth authentication between VS Code and external tools and services.
Approvals and review
VS Code uses a permission-based security model where you maintain control over potentially risky operations.
- Permission levels: The permissions picker in the Chat view lets you choose a permission level for the current session. Default Approvals uses your configured approval settings. Bypass Approvals auto-approves all tool calls. Autopilot auto-approves all tools and drives the agent to continue working until the task is complete.
- Terminal approval: Before executing terminal commands, the agent requests explicit user approval. When terminal auto-approval is enabled, configurable per-command rules (including regex patterns) auto-approve safe commands while prompting for potentially dangerous ones. All subcommands in a compound command must match an approved rule.
- Tool approval: MCP tool invocations require explicit user approval, which you can grant at different scopes: session-level for temporary access, workspace-level for project-specific trust, or user-level for broader permissions.
- URL and domain approval: When the agent fetches content from a URL, VS Code uses a two-step approval flow. First, it asks you to trust the domain (integrated with the Trusted Domains list). Then, after the content is fetched, it presents the content for review before it is passed to the model.
- Review flow for file changes: You can review all suggested changes in a diff editor before they are applied. Keep or undo individual changes for granular control over what modifications are made to your codebase.
- Auto-approval notifications: When a tool or terminal command is automatically approved, VS Code shows an information message and a link to the configuration setting that enabled it.
- Warning banners: When advanced modes bypass normal safety checks, VS Code displays clear warning banners and requires explicit consent.
Learn more about tool and command approval.
Agent sandboxing (Preview)
Agent sandboxing uses OS-level isolation to restrict what agent-executed processes can access on your machine. Rather than relying solely on approval prompts, sandboxing enforces strict file system and network boundaries at the kernel level, so commands cannot access resources outside the permitted scope, even if they are approved. For a deeper look at how sandboxing works and the OS-level enforcement details, see Agent sandboxing.
Agent sandboxing is the strongest protection against malicious terminal commands. If prompt injection is a concern, use agent sandboxing or run VS Code in a dev container instead of relying on auto-approval rules alone. Auto-approval rules use best-effort command parsing and have known limitations with shell aliases, quote concatenation, and complex shell syntax.
MCP server sandboxing
On macOS and Linux, you can enable sandboxing for locally-running MCP servers that use the stdio transport. When sandboxing is enabled, the server can only access the file system paths and network domains that you explicitly permit in the sandbox configuration. Tool calls from sandboxed servers are auto-approved because they run in a controlled environment.
Learn more about configuring MCP server sandboxing.
Security risks to be aware of
AI-powered development introduces specific security risks. The sections below describe each risk category and how VS Code addresses it.
Hooks
Agent hooks enable you to execute custom shell commands at key lifecycle points during agent sessions. Unlike instructions or prompts that guide agent behavior, hooks run deterministically with guaranteed outcomes, making them suitable for enforcing security policies.
- Block dangerous operations: Use PreToolUse hooks to intercept tool invocations and block dangerous commands (for example, rm -rf or DROP TABLE) before they execute, regardless of how the agent was prompted.
- Control approvals: Hooks can return allow, deny, or ask decisions to automatically approve safe operations or require confirmation for sensitive ones.
- Create audit trails: Log every tool invocation, command execution, or file change for compliance and debugging purposes.
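As an added example (not code from the VS Code documentation or project), the following Python script puts the three hook uses above into one PreToolUse hook: it denies rm -rf and DROP TABLE in any subcommand of a compound command, allows a short read-only list, asks otherwise, and appends an audit line per invocation. The JSON field names read from stdin and written to stdout (tool_name, tool_input.command, decision) and the log path are assumptions; confirm them against the hooks reference before wiring the script into a hook.

```python
"""PreToolUse hook: deny destructive commands, allow known-safe ones, ask otherwise."""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed deny list: patterns that never run, however the agent was prompted.
DENY_PATTERNS = [
    re.compile(r"\brm\s+-[a-zA-Z]*(rf|fr)\b"),                  # rm -rf, rm -fr, rm -irf ...
    re.compile(r"\bdrop\s+(table|database)\b", re.IGNORECASE),  # destructive SQL
    re.compile(r"\bgit\s+push\b.*\s--force\b"),
]
# Constructed allow list: read-only commands that need no prompt.
ALLOW_PATTERNS = [re.compile(r"^(ls|cat|git (status|diff|log))\b")]
# Compound-command separators; every subcommand must pass, as with the built-in rules.
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

def split_compound(command):
    """Best-effort split of 'a && b | c' into subcommands. This is not a shell parser:
    aliases and quote concatenation are not resolved, so treat it as defense in depth."""
    return [part.strip() for part in SPLIT_RE.split(command) if part.strip()]

def decide(event):
    """Return {"decision": "allow"|"deny"|"ask", "reason": ...} for one PreToolUse event.
    The tool_name / tool_input.command field names are assumed, not taken from the docs."""
    tool = event.get("tool_name", "")
    command = str(event.get("tool_input", {}).get("command", ""))
    if not command:
        return {"decision": "ask", "reason": f"no command to inspect for {tool}"}
    parts = split_compound(command)
    for part in parts:                      # one denied subcommand blocks the whole line
        for pattern in DENY_PATTERNS:
            if pattern.search(part):
                return {"decision": "deny", "reason": f"blocked pattern in: {part}"}
    if all(any(p.search(part) for p in ALLOW_PATTERNS) for part in parts):
        return {"decision": "allow", "reason": "every subcommand is on the allow list"}
    return {"decision": "ask", "reason": "unmatched subcommand; needs manual approval"}

def audit(event, decision, path="hook-audit.jsonl"):
    """Append one JSON line per invocation as an audit trail (path is an assumption)."""
    record = {"time": datetime.now(timezone.utc).isoformat(), "event": event, **decision}
    with open(path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")

if __name__ == "__main__":
    incoming = json.load(sys.stdin)         # the hook event arrives as JSON on stdin
    result = decide(incoming)
    audit(incoming, result)
    print(json.dumps(result))               # the decision goes back as JSON on stdout
```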
Enterprise policies
Organizations can implement centralized security controls to manage AI-assisted development capabilities across their development teams. Key AI-specific policies include:
- Disable agents: Prevent the use of agent mode entirely with the ChatAgentMode policy.
- Restrict extension tools: Block extension-contributed tools while keeping built-in and MCP tools with the ChatAgentExtensionTools policy.
- Control MCP server sources: Restrict MCP servers to a curated registry (registryOnly) or disable MCP support completely (off) with the ChatMCP policy. Organizations can also host a private MCP registry with the McpGalleryServiceUrl policy.
- Disable global auto-approval: Prevent developers from enabling global auto-approval and hide the Bypass Approvals and Autopilot permission levels with the ChatToolsAutoApprove policy.
- Require manual approval for specific tools: Force manual approval for individual tools (for example, execute/runInTerminal or web/fetch) with the ChatToolsEligibleForAutoApproval policy.
- Disable terminal auto-approval: Turn off the rule-based terminal auto-approval system with the ChatToolsTerminalEnableAutoApprove policy.
Learn more about managing AI settings in enterprise environments and deploying enterprise policies.
