Show HN: Coder Guard – Protect Your IDE from Malicious Extensions

10 points by itsamy 3 years ago · 5 comments · 2 min read


There is a growing problem with VSCode extensions:

- they're not sandboxed (yet) - just like double-clicking an .exe file
- they don't have a permission model
- they auto update
- they have built-in persistence
- they are installed on developer machines with high-value credentials

The recent CircleCI and LastPass incidents were both suspected to originate from a compromised developer machine - which is becoming every organization's Achilles' heel in terms of cyber posture.

So I've been working on a way to help mitigate some of these risks

Right now, only an MVP of a "CLI" is available:

$ code --list-extensions --show-versions | curl --data-binary @- https://coderguard.io/scan

Which will list your installed extensions with some enriched information to vet their trustfulness

But much more detailed threat intel will be shown in the upcoming website and extension, including:

- Behavioural data gathered from running the extension on an instrumented sandbox environment
- The ability to define policies to allow or block extension installs/updates, based on your specific risk appetite

For updates, sign up at https://coderguard.io or follow https://twitter.com/coderguard

The reason I'm posting this now is because I'd like to get some feedback in order to course-correct to make sure what I build actually solves people's problems

I'd be happy to read any comments, or answer any questions
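The post pipes the output of `code --list-extensions --show-versions` (one `publisher.name@version` line per installed extension) to a scanner, and mentions policies to allow or block extension installs/updates. The script below, an added example and not Coder Guard's code, parses that CLI output locally and evaluates it against a small allow/block/pin policy; the policy shape and the extension names are constructed for illustration, and a pinned extension that auto-updated past its pinned version is flagged.

```python
import re
from dataclasses import dataclass

# Shape of one line of `code --list-extensions --show-versions`: publisher.name@version
LINE_RE = re.compile(r"^(?P<publisher>[^.@\s]+)\.(?P<name>[^@\s]+)@(?P<version>\S+)$")

@dataclass(frozen=True)
class Extension:
    publisher: str
    name: str
    version: str

    @property
    def ident(self) -> str:
        return f"{self.publisher}.{self.name}"

def parse_extension_list(text: str) -> list:
    """Parse the CLI output; blank lines are skipped, any other malformed line is an error."""
    exts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised extension line: {line!r}")
        exts.append(Extension(**m.groupdict()))
    return exts

def evaluate(exts: list, policy: dict) -> dict:
    """Map each extension id to 'allow', 'block' or 'review'. First matching rule wins:
    blocked id -> block; pinned id at another version -> block (it auto-updated);
    pinned id at its pinned version, or trusted publisher -> allow; anything else -> review."""
    verdicts = {}
    for ext in exts:
        pinned = policy["pinned"].get(ext.ident)
        if ext.ident in policy["blocked"]:
            verdicts[ext.ident] = "block"
        elif pinned is not None and pinned != ext.version:
            verdicts[ext.ident] = "block"
        elif pinned is not None or ext.publisher in policy["trusted_publishers"]:
            verdicts[ext.ident] = "allow"
        else:
            verdicts[ext.ident] = "review"
    return verdicts

# Constructed sample CLI output and policy (hypothetical extensions, not real ones).
SAMPLE_OUTPUT = "acme.formatter@2.0.1\nacme.themes@1.0.0\nunknown-dev.helper@0.3.9\n" \
                "pinned-pub.tool@1.4.0\nshady-pub.miner@9.9.9\n"
SAMPLE_POLICY = {"trusted_publishers": {"acme"},
                 "pinned": {"pinned-pub.tool": "1.3.2"},
                 "blocked": {"shady-pub.miner"}}

if __name__ == "__main__":
    for ident, verdict in evaluate(parse_extension_list(SAMPLE_OUTPUT), SAMPLE_POLICY).items():
        print(f"{verdict:6} {ident}")
```

On a real machine, replace SAMPLE_OUTPUT with `subprocess.run(["code", "--list-extensions", "--show-versions"], capture_output=True, text=True).stdout`.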

ashishbijlani 3 years ago

Very cool! I've built something similar, but for packages: https://github.com/ossillate-inc/packj Would love to talk.

varunsharma07 3 years ago

I don't know how adequate such vetting is. It puts the onus on the developers to look at the results and decide. Is there work being done to sandbox extensions?

  • itsamyOP 3 years ago

    yeah there is! it's been in the works for a number of years, and they're talking about Q1 2023

    but it will still leave all the vscode.* APIs open, so extensions can still do things like read any file in the filesystem, or run programs like they do today

    it's a start and an important step, but definitely not a cure-all
