VS Code: Do you trust the authors of the files in this folder?

Background

Visual Studio Code 1.57 introduces the concept of trusted workspaces. Trusted workspaces try to make it clear that while simply browsing through code is safe, enabling all editor features in a folder/project that came from a malicious source could potentially put you in danger.

The prompt is shown when you open a new folder for the first time. Here Visual Studio Code is asking whether the folder should be trusted:

  • If you select No, I don't trust the authors, Visual Studio Code will open the workspace in 'restricted mode'. This is the default for all new workspaces. It lets you safely browse through code but disables some editor features, including debugging, tasks, and many extensions. However, keep in mind that 'restricted mode' is all you need for many use cases.

  • If you select Yes, I trust the authors, Visual Studio Code will trust the current workspace and enable all of the editor features you are used to in it.

You can easily change your choice later on too.

So should I trust this workspace or not?

Ultimately you will need to decide for yourself whether you are comfortable trusting a workspace. Here are a few general guidelines:

Stick with restricted mode if:

  • You just need to quickly read some code.

  • You got the workspace from an unfamiliar/untrusted source (such as that random zip someone posted on a sketchy forum).

Consider trusting the workspace if:

  • You trust the source of the workspace and know how code ends up in your workspace.

  • And you also need all the features of Visual Studio Code, such as debugging.
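
One way to check a folder from outside the editor before choosing Yes, as an added example that is not part of the original page or of VS Code: a Python script that lists the tasks and debug configurations (two of the features restricted mode disables) defined in a folder's .vscode/tasks.json and .vscode/launch.json. The function names are this example's own, and SAMPLE is a constructed tasks.json.

```python
import json, re
from pathlib import Path

STRING = r'"(?:\\.|[^"\\])*"'  # one JSON string literal
KEYS = {"tasks.json": ("tasks", "task"), "launch.json": ("configurations", "debug")}

def parse_jsonc(text):
    """VS Code config files allow comments and trailing commas; json does not."""
    for junk in (r"//[^\n]*|/\*.*?\*/", r",(?=\s*[}\]])"):  # comments, then commas
        keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ""  # strings stay
        text = re.sub(STRING + "|" + junk, keep, text, flags=re.S)
    return json.loads(text)

def commands(entry):
    """Yield (platform, command line) for an entry and its per-OS overrides."""
    for platform in ("", "windows", "linux", "osx"):
        cfg = entry.get(platform) if platform else entry
        if cfg is not None:
            cmd = cfg.get("command") or cfg.get("program") or "(no command field)"
            args = " ".join(str(a) for a in cfg.get("args", []))
            yield platform or "all", f"{cmd} {args}".strip()

def audit_file(fname, text):
    """Return (kind, name, platform, command) for each entry in one config file."""
    key, kind = KEYS[fname]
    found = []
    try:
        for entry in parse_jsonc(text).get(key, []):
            name = entry.get("label") or entry.get("name") or "?"
            on_open = entry.get("runOptions", {}).get("runOn") == "folderOpen"
            tag = kind + ("-on-open" if on_open else "")
            found += [(tag, name, p, c) for p, c in commands(entry)]
    except (ValueError, AttributeError, TypeError):  # malformed or unexpected shape
        found.append(("unparseable", fname, "all", "review by hand"))
    return found

def audit_workspace(root):
    """Audit the .vscode folder under `root` without opening it in the editor."""
    paths = [Path(root) / ".vscode" / f for f in KEYS]
    return [hit for p in paths if p.is_file()
            for hit in audit_file(p.name, p.read_text(encoding="utf-8"))]

SAMPLE = """{ // constructed sample, not from a real project
  "tasks": [
    {"label": "build", "command": "make", "args": ["all"]},
    {"label": "setup", "command": "sh tools/setup.sh",
     "osx": {"command": "sh tools/setup-mac.sh"},
     "runOptions": {"runOn": "folderOpen"},},
  ]}"""
```

Call audit_workspace() with the path of a downloaded folder and read the listed commands before answering the prompt. The -on-open tag marks tasks that ask to run when the folder is opened, and an unparseable entry means the file needs a manual look.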

What if I change my mind?

Say you start in restricted mode, but later realize that you now need to use the debugger (and you are confident in where the contents of the workspace came from). To switch to trusted mode, you can:

  • Click on the restricted mode entry in the status bar

    [Screenshot: 'Restricted mode' status bar entry]

  • Run the Workspaces: Manage Workspace Trust command in the command palette

This will open a new editor that lets you manage trust of the current workspace:

[Screenshot: Trusted workspace manager]

Select Trust to switch into a trusted workspace.

Can I disable trusted workspaces?

Yes, but keep in mind that doing so comes with security tradeoffs. Here are a few options:

Using a single trusted folder to hold your projects

If you work with many projects that you trust and don't want to be prompted about trusting each one individually, you can consider trusting their parent folder.

  1. Run the Workspaces: Manage Workspace Trust command
  2. Scroll down to the Trusted folders and workspaces section and click Add Folder
  3. Select the parent folder of all your trusted workspaces

Now any project you open under the parent folder will be trusted automatically.

Disabling the trusted workspaces entirely

If you really want to disable trusted workspaces entirely, you can use the Security › Workspace › Trust: Enabled setting.

"security.workspace.trust.enabled": false