Most secret leaks in developer teams do not come from dramatic breaches. They
come from ordinary habits: pasting tokens into launch.json, leaving .env
files searchable in the editor, syncing the wrong settings, or trusting a
workspace before looking at what is inside it.
1. Treat workspace trust like a real boundary
The easiest mistake is opening an unfamiliar repo and immediately giving it the same privileges as your internal projects. Workspace Trust exists for a reason: it stops tasks, debug adapters, and extensions from executing without context.
Start by making secret-bearing files visually disappear from normal browsing and search:
Code snippet
json
{
"security.workspace.trust.enabled": true,
"security.workspace.trust.untrustedFiles": "prompt",
"files.exclude": {
"**/.env": true,
"**/.env.*": true
},
"search.exclude": {
"**/.env": true,
"**/.env.*": true
}
}
This does not replace real secret management, but it does remove the accidental “I clicked the wrong file and copied the wrong thing” class of problems.
2. Keep secrets in env files, not debug configs
The worst pattern is hard-coding credentials directly into launch.json. That
file is easy to commit, easy to sync, and easy to share. Put secrets in a local
env file instead, then keep only non-sensitive overrides in the debug
configuration:
Code snippet
json
{
"version": "0.2.0",
"configurations": [
{
"name": "API: secure debug",
"type": "node",
"request": "launch",
"program": "${workspaceFolder}/src/server.ts",
"runtimeExecutable": "node",
"envFile": "${workspaceFolder}/.env.local",
"env": {
"LOG_LEVEL": "debug"
}
}
]
}
This keeps the workflow intact while making it much harder for a live token to end up in version control.
3. Sanitize tasks before they become team defaults
Task definitions are another common leak path. A task that runs locally can quietly become a team template later, and anything embedded inside it may travel with the repo.
Code snippet
json
{
"version": "2.0.0",
"tasks": [
{
"label": "run migrations",
"type": "shell",
"command": "pnpm prisma migrate deploy",
"options": {
"env": {
"NODE_ENV": "development"
}
},
"problemMatcher": []
}
]
}
If you ever see DATABASE_URL=... or live API keys embedded in a task, treat it
as a production bug, not a personal preference.
4. Add a pre-commit check for obvious mistakes
You do not need a huge secrets platform to catch the most common errors. A small pre-commit check can stop obvious credential patterns before they leave a laptop:
Code snippet
bash
#!/usr/bin/env bash
set -euo pipefail
if git diff --cached --name-only | xargs rg -n --pcre2 "(API_KEY|SECRET|TOKEN|DATABASE_URL)="; then
echo "Potential secret detected in staged files."
exit 1
fi
This kind of check is not perfect, but it is extremely effective at killing the most embarrassing category of leaks.
Final checklist
If you want a practical baseline, start here:
- enable Workspace Trust and do not bypass prompts casually
- hide
.envfiles from normal browsing and search - use
envFileinstead of inline secrets in debug configs - keep task definitions clean enough to publish safely
- add one lightweight secret scan before commit
That checklist will not make VS Code perfect, but it will eliminate the lazy, high-frequency mistakes that cause the majority of developer secret spills.
