VSGuard

Proactive security auditing for VS Code. Monitors file system access, processes and module loading to detect malicious behavior from extensions.

Features

• File System Access Monitoring: Tracks various file system operations, including:
  • File reading and writing (readFile, writeFile, etc.)
  • File deletion and renaming (unlink, rename, etc.)
  • File metadata access (stat, exists, access, etc.)
  • Directory listing (readdir)
  • File copying (copyFile)
  • Async operations via fs/promises
• Module Loading Detection: Identifies and monitors module imports to detect potentially malicious activity.
• Process Monitoring: Monitors process-related events to track extension behavior.
• Real-time Monitoring: Provides live feedback on security-relevant events.
• Configurable Hooks: Allows customization of monitoring behavior through exclusions and sensitive patterns.

Requirements

None. VSGuard works out of the box with no additional dependencies.

Extension Settings

VSGuard contributes the following settings and commands:

Settings

• vsguard.block (boolean): Enable or disable blocking of sensitive file access from extensions.

  • true: Actively block access to sensitive paths when a match is detected.
  • false: Only log and warn without blocking.

• vsguard.exclusions (array of objects): File-access exclusions.

  • Objects contain:
    • extensionId (string): The ID of the extension to exclude.
    • filePath (string/regex): The file path pattern to exclude.
  • You can manage these via the VSGuard: Show Exclusions command.

• vsguard.processExclusions (array of objects): Process-access exclusions.

  • Objects contain:
    • extensionId (string): The ID of the extension to exclude.
    • command (string/regex): The command pattern to exclude.

• vsguard.sensitivePatterns (array of objects): Custom regular-expression patterns for sensitive files.

  • Objects contain:
    • pattern (string/regex): The regex pattern to match.
    • description (string): A description of why this pattern is sensitive.
  • Example: [{"pattern": "\\.myapp\\/secrets", "description": "App secrets"}]

• vsguard.processDetections (array of objects): Patterns to detect anomalous process behaviors.

  • Objects contain:
    • command (string/regex or null): The command pattern to monitor.
    • args (array of string/regex): An array of argument patterns.
    • extensionId (string or null): The extension ID to associate with this detection.
    • description (string): A description of the detection.

Commands

• vsguard.showMonitoringLog: Display the monitoring log in the output panel.
• vsguard.clearMonitoringLog: Clear the monitoring log.
• vsguard.showExclusions: Open the exclusions settings page.
• vsguard.syncSettings: Synchronize VSGuard settings.
• vsguard.enableBlockMode: Enable blocking for sensitive file access.
• vsguard.disableBlockMode: Disable blocking for sensitive file access.
• vsguard.openHookFile: Open the hook configuration file.
• vsguard.fireFsAccess: Fire a fsRead against .bashrc (for testing).
• vsguard.fireSshAccess: Fire a fsRead against .ssh/config (for testing).
• vsguard.installHook: Install the VSGuard hook.
• vsguard.uninstallHook: Uninstall the VSGuard hook.
• vsguard.spawnPowerShellBase64: Start PowerShell Base64 (for testing).

How to configure it

1. Open VS Code settings and search for VSGuard.
2. Set vsguard.block to true if you want sensitive-file access to be blocked.
3. Add custom patterns to vsguard.sensitivePatterns for any extra sensitive files you want to monitor.
4. Use VSGuard: Show Exclusions to review or update the vsguard.exclusions list when an extension should be allowed to access a path.

Syslog Integration

VSGuard supports optional syslog integration for centralized logging and security monitoring. When enabled, VSGuard will forward security events to a syslog server in RFC5424 format.

Syslog Settings

• vsguard.syslog.enabled (boolean): Enable or disable syslog forwarding.

  • true: Forward all VSGuard log messages to the configured syslog server.
  • false: Disable syslog forwarding (default).

• vsguard.syslog.host (string): The hostname or IP address of the syslog server.

  • Default: 'localhost'

• vsguard.syslog.port (number): The port to connect to on the syslog server.

  • Default: 514 (standard syslog port)

• vsguard.syslog.protocol ('tcp' | 'tls'): The protocol to use for the connection.

  • 'tcp': Use plain TCP connection (default).
  • 'tls': Use TLS/SSL encrypted connection.

Syslog Message Format

When enabled, VSGuard logs are sent in RFC5424 format with the following structure:

<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MSG

Example message:

<31>1 2026-06-17T10:30:45.123Z vscode.vsguard VSGuard - - - {"type":"fsRead","message":"Attempted to read sensitive file","data":{"filePath":"/home/user/.bashrc","extensionId":"vscode.codelldb"}}

Syslog Use Cases

• Centralized Security Monitoring: Forward all security events to a SIEM (Security Information and Event Management) system.
• Compliance Requirements: Meet regulatory requirements for centralized log management.
• Extended Retention: Store logs on a dedicated server with longer retention periods.
• Multi-server Environments: Aggregate logs from multiple development machines.

Configuration Example

{
  "vsguard.syslog.enabled": true,
  "vsguard.syslog.host": "logs.company.com",
  "vsguard.syslog.port": 514,
  "vsguard.syslog.protocol": "tcp"
}

Known Issues

SUPPORT

Release Notes

0.0.3

• Linux compatibility correction

0.0.2

• Initial release with basic monitoring capabilities