CANNOT Disable Credential Forwarding Git GnuPG SSH
- VSCode Version: 1.99.3 17baf841131aa23349f217ca7c570c76ee87b957 x64
- Local OS Version: WSL 2 (Debian Bookworm) Windows 11 x64
- Remote OS Version: Debian Bookworm amd64
- Remote Extension/Connection Type: Dev Containers
There is no way to disable credential forwarding to devcontainer. Not for Git, not for GnuPG, not for SSH.
The fact that this is enabled by default with no way to opt out at all makes it almost malware behavior.
These are credentials that we are dealing with, SECRETS! It's not something that should be willy-nilly touched by VSCode or any extensions for that matter.
Steps to Reproduce:
- Configure Git, GnuPG, and SSH in WSL 2
- Create a project in WSL 2 with the following devcontainer:

`.devcontainer/devcontainer.json`
```json
{
  "build": {
    "dockerfile": "Dockerfile"
  }
}
```

`.devcontainer/Dockerfile`
```dockerfile
FROM debian:bookworm
RUN apt-get update && apt-get -y install git gnupg openssh-client
RUN useradd 'dev' -ms '/bin/bash'
USER "dev"
# Deliberately creates regular files, not directories, so that forwarding
# into ~/.config, ~/.gnupg and ~/.ssh fails (see the step below)
RUN touch ~/.config ~/.gnupg ~/.ssh
```

- Open the project in devcontainer. It will clearly fail because none of `~/.config`, `~/.gnupg`, and `~/.ssh` are folders.
Does this issue occur when you try this locally?: Yes
Does this issue occur when you try this locally and all extensions are disabled?: Yes
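An added audit helper, not part of the reporter's issue or of the Dev Containers project: run it inside a container to list which credential channels appear to have been forwarded in, so a developer can see what the extension shared before trusting the workspace. It assumes the extension's documented mechanisms (SSH agent via `SSH_AUTH_SOCK`, GnuPG via a gpg-agent socket under `~/.gnupg`, Git via a `[credential]` section in a copied `~/.gitconfig`); the function names and the `AUDIT_RUN` variable are this example's own.

```shell
#!/bin/sh
# Added audit helper (not from the original issue): report which credential
# channels look forwarded into the current container.
# Assumptions (labelled): Dev Containers forwards the host SSH agent by
# exporting SSH_AUTH_SOCK, shares GnuPG via a gpg-agent socket in ~/.gnupg,
# and shares Git credentials via a copied ~/.gitconfig.
# Every check takes an explicit path so it can also run against a fixture.
# Each returns 0 when the channel is present, 1 when it is absent.

check_ssh_forwarding() {
    # $1: value of SSH_AUTH_SOCK to inspect (may be empty)
    sock="$1"
    if [ -n "$sock" ] && [ -e "$sock" ]; then
        echo "ssh: agent socket forwarded at $sock"
        return 0
    fi
    echo "ssh: no agent socket"
    return 1
}

check_gpg_forwarding() {
    # $1: path to a .gnupg directory
    dir="$1"
    if [ -e "$dir/S.gpg-agent" ] || [ -e "$dir/S.gpg-agent.extra" ]; then
        echo "gpg: agent socket present under $dir"
        return 0
    fi
    echo "gpg: no agent socket"
    return 1
}

check_git_credentials() {
    # $1: path to a .gitconfig; a [credential] or [credential "..."] section
    # means a helper (and possibly stored secrets) was carried over
    cfg="$1"
    if [ -f "$cfg" ] && grep -q '^\[credential' "$cfg"; then
        echo "git: credential helper configured in $cfg"
        return 0
    fi
    echo "git: no credential helper"
    return 1
}

# Run all three checks against the live container and count the findings.
audit_container() {
    found=0
    check_ssh_forwarding "${SSH_AUTH_SOCK:-}" && found=$((found + 1))
    check_gpg_forwarding "${HOME}/.gnupg" && found=$((found + 1))
    check_git_credentials "${HOME}/.gitconfig" && found=$((found + 1))
    echo "forwarded credential channels: $found"
    return 0
}

# Only audit when explicitly asked, so the file can be sourced for its functions.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit_container
fi
```

Run it as `AUDIT_RUN=1 sh audit.sh` from a terminal inside the container; a count of zero is what a developer who never opted in would expect to see.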
We can add a setting.
Please do :pray: It's crucial.
Given how often supply chain attacks happen with NPM these days, tuning devcontainers for security might be actually useful for security-conscious developers.
Granted devcontainers can't be 100% safe. But hardened/rootless Docker + user in devcontainer isn't root + no silly holes like opt-out implicit forwarding of SSH/Git/etc would go a long way in giving many developers a safer development environment.
This should have a CVE to be honest.