- they're not sandboxed (yet) - just like double-clicking an .exe file - they don't have a permission model - they auto update - they have built-in persistence - they are installed on developer machines with high-value credentials
The recent CircleCI and LastPass incidents were both suspected to originate from a compromised developer machine - which is becoming every organization's Achilles heel in terms of cyber posture
So I've been working on a way to help mitigate some of these risks
Right now, only an MVP of a "CLI" is available:
$ code --list-extensions --show-versions | curl --data-binary @- https://coderguard.io/scan
Which will list your installed extensions with some enriched information to vet their trustfulness
But much more detailed threat intel will be shown in the upcoming website and extension, including - Behavioural data gathered from running the extension on an instrumented sandbox environment - The ability to define policies to allow or block extension installs/updates, based on your specific risk appetite
For updates, sign up at https://coderguard.io or follow https://twitter.com/coderguard
The reason I'm posting this now is because I'd like to get some feedback in order to course-correct to make sure what I build actually solves people's problems
I'd be happy to read any comments, or answer any questions
