Policies
ShieldX supports a workspace-scoped policy file so teams can codify which extensions are acceptable.
File location
The policy lives at the root of the first workspace folder:
.shieldx.json
Commit it to version control to share with teammates. ShieldX reads it on every scan.
Schema
{
"allowedExtensions": ["ms-python.python", "dbaeumer.vscode-eslint"],
"blockedExtensions": ["some.publisher-risky-extension"],
"maxRiskLevel": "moderate"
}
All three keys are optional.
allowedExtensions
If present and non-empty, only extensions whose ID appears in the list are considered compliant. Every other installed extension is flagged as a policy violation, regardless of its risk score.
blockedExtensions
Any installed extension whose ID appears here is flagged as a violation, even if the allowlist would otherwise admit it.
maxRiskLevel
Maximum risk level the workspace tolerates. Extensions scored above this level are flagged. Valid values: "low", "moderate", "high", "critical".
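The three keys interact in a fixed order: a blocklist hit always wins, a non-empty allowlist then excludes everything not on it, and maxRiskLevel is applied last. The following TypeScript is an added example that is not ShieldX's own code; it assumes risk scores have already been mapped to a level, compares extension IDs case-insensitively, and uses the schema example above as a constructed policy.

```typescript
// Added example (not ShieldX's own code): evaluate a .shieldx.json policy
// against installed extensions. Precedence: blocklist > allowlist > maxRiskLevel.
type RiskLevel = "low" | "moderate" | "high" | "critical";
const RISK_ORDER: RiskLevel[] = ["low", "moderate", "high", "critical"];

interface Policy {
  allowedExtensions?: string[];
  blockedExtensions?: string[];
  maxRiskLevel?: RiskLevel;
}
interface InstalledExtension { id: string; risk: RiskLevel } // risk: assumed already mapped from score
interface Violation { id: string; reason: "blocked" | "not-allowlisted" | "risk-exceeds-max" }

// Parse the policy text. All keys are optional; an unknown maxRiskLevel is
// rejected instead of silently tolerating every extension.
function parsePolicy(text: string): Policy {
  const raw = JSON.parse(text);
  const policy: Policy = {};
  for (const key of ["allowedExtensions", "blockedExtensions"] as const) {
    if (raw[key] === undefined) continue;
    if (!Array.isArray(raw[key])) throw new Error(`${key} must be an array of extension IDs`);
    policy[key] = raw[key].map(String);
  }
  if (raw.maxRiskLevel !== undefined) {
    if (!RISK_ORDER.includes(raw.maxRiskLevel)) throw new Error(`invalid maxRiskLevel: ${raw.maxRiskLevel}`);
    policy.maxRiskLevel = raw.maxRiskLevel;
  }
  return policy;
}

function evaluatePolicy(policy: Policy, installed: InstalledExtension[]): Violation[] {
  const norm = (s: string) => s.toLowerCase(); // assumption: IDs compared case-insensitively
  const blocked = new Set((policy.blockedExtensions ?? []).map(norm));
  const allowed = policy.allowedExtensions?.length ? new Set(policy.allowedExtensions.map(norm)) : null;
  const maxIdx = policy.maxRiskLevel ? RISK_ORDER.indexOf(policy.maxRiskLevel) : Infinity;
  const violations: Violation[] = [];
  for (const ext of installed) {
    const id = norm(ext.id);
    if (blocked.has(id)) violations.push({ id: ext.id, reason: "blocked" });
    else if (allowed && !allowed.has(id)) violations.push({ id: ext.id, reason: "not-allowlisted" });
    else if (RISK_ORDER.indexOf(ext.risk) > maxIdx) violations.push({ id: ext.id, reason: "risk-exceeds-max" });
  }
  return violations;
}

// Constructed sample input: the schema example from this page plus four installed extensions.
const SAMPLE_POLICY = `{"allowedExtensions":["ms-python.python","dbaeumer.vscode-eslint"],
  "blockedExtensions":["some.publisher-risky-extension"],"maxRiskLevel":"moderate"}`;
const SAMPLE_INSTALLED: InstalledExtension[] = [
  { id: "ms-python.python", risk: "low" },                 // compliant
  { id: "dbaeumer.vscode-eslint", risk: "high" },          // allowlisted, but above maxRiskLevel
  { id: "some.publisher-risky-extension", risk: "low" },   // blocklisted
  { id: "Unknown.Publisher-Tool", risk: "low" },           // not on the allowlist
];
```

`evaluatePolicy(parsePolicy(SAMPLE_POLICY), SAMPLE_INSTALLED)` yields three violations, one per reason, which is the set the dashboard's Policy strip would surface.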
Commands
- ShieldX: Add to allowlist — picks the current extension and appends it to allowedExtensions
- ShieldX: Add to blocklist — appends the current extension to blockedExtensions
- ShieldX: Show current policy — opens the current policy as read-only JSON in the editor when a workspace policy file exists
Violation flow
After a scan, policy violations appear:
- On the dashboard as a dedicated Policy strip
- As a warning notification, respecting shieldx.minimumWarningLevel for risk-derived violations
A violation does not uninstall or disable the extension — ShieldX does not have that capability. It surfaces the conflict so a human can act.
Team workflow
- Start permissive: only maxRiskLevel: "high"
- Move to a curated allowedExtensions list once the team's working set stabilises
- Use blockedExtensions for known-bad publishers regardless of the allowlist
Current limitations
- Only the first workspace folder is used to read/write the policy file
- The policy file is local to the workspace; there is no central server
- The allowlist enforces presence by extension ID only — versions are not pinned