Policies

ShieldX supports a workspace-scoped policy file so teams can codify which extensions are acceptable.

File location

The policy lives at the root of the first workspace folder:

.shieldx.json

Commit it to version control to share with teammates. ShieldX reads it on every scan.

Schema

{
  "allowedExtensions": ["ms-python.python", "dbaeumer.vscode-eslint"],
  "blockedExtensions": ["some.publisher-risky-extension"],
  "maxRiskLevel": "moderate"
}

All three keys are optional.

allowedExtensions

If present and non-empty, only extensions whose ID appears in the list are considered compliant. Every other installed extension is flagged as a policy violation, regardless of its risk score.

blockedExtensions

Any installed extension whose ID appears here is flagged as a violation, even if the allowlist would otherwise admit it.

maxRiskLevel

Maximum risk level the workspace tolerates. Extensions scored above this level are flagged. Valid values: "low", "moderate", "high", "critical".
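The three keys combine as follows: a blocklist entry wins over the allowlist, a non-empty allowlist flags everything not on it regardless of score, and maxRiskLevel only flags extensions scored above it. The TypeScript below is an added example that implements exactly that evaluation order over a parsed .shieldx.json; it is not ShieldX's own code. The ScannedExtension shape, the function names, the riskDerived flag (which marks the violations the page calls "risk-derived") and case-insensitive ID comparison are assumptions.

```typescript
type RiskLevel = "low" | "moderate" | "high" | "critical";

// Ordering used to decide whether a scan result is "above" maxRiskLevel.
const RISK_ORDER: Record<RiskLevel, number> = { low: 0, moderate: 1, high: 2, critical: 3 };

interface Policy {
  allowedExtensions?: string[];
  blockedExtensions?: string[];
  maxRiskLevel?: RiskLevel;
}

// Assumed shape of one scan result; the real ShieldX data model is not shown on the page.
interface ScannedExtension {
  id: string; // "publisher.name", the same form used in the policy lists
  riskLevel: RiskLevel;
}

interface Violation {
  id: string;
  reason: "blocklisted" | "not-allowlisted" | "risk-above-max";
  riskDerived: boolean; // true only for maxRiskLevel violations
}

function isRiskLevel(v: unknown): v is RiskLevel {
  return typeof v === "string" && Object.prototype.hasOwnProperty.call(RISK_ORDER, v);
}

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((x) => typeof x === "string");
}

// Parse and validate the text of .shieldx.json. Every key is optional, but a key that
// is present with the wrong type, or an unknown risk level, is rejected outright.
function parsePolicy(text: string): Policy {
  const raw: unknown = JSON.parse(text);
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    throw new Error("policy must be a JSON object");
  }
  const obj = raw as Record<string, unknown>;
  const policy: Policy = {};
  const allowed = obj.allowedExtensions;
  if (allowed !== undefined) {
    if (!isStringArray(allowed)) throw new Error("allowedExtensions must be an array of strings");
    policy.allowedExtensions = allowed;
  }
  const blocked = obj.blockedExtensions;
  if (blocked !== undefined) {
    if (!isStringArray(blocked)) throw new Error("blockedExtensions must be an array of strings");
    policy.blockedExtensions = blocked;
  }
  const max = obj.maxRiskLevel;
  if (max !== undefined) {
    if (!isRiskLevel(max)) throw new Error(`invalid maxRiskLevel: ${String(max)}`);
    policy.maxRiskLevel = max;
  }
  return policy;
}

// Apply the policy to the installed set. Each extension yields at most one violation,
// in precedence order: blocklist, then allowlist, then risk level.
function evaluatePolicy(policy: Policy, installed: ScannedExtension[]): Violation[] {
  const norm = (id: string) => id.toLowerCase(); // assumption: IDs compared case-insensitively
  const blocked = new Set((policy.blockedExtensions ?? []).map(norm));
  const allowed = new Set((policy.allowedExtensions ?? []).map(norm));
  const allowlistActive = allowed.size > 0; // an absent or empty allowlist enforces nothing
  const maxRisk = policy.maxRiskLevel === undefined ? undefined : RISK_ORDER[policy.maxRiskLevel];

  const violations: Violation[] = [];
  for (const ext of installed) {
    const id = norm(ext.id);
    if (blocked.has(id)) {
      violations.push({ id: ext.id, reason: "blocklisted", riskDerived: false });
    } else if (allowlistActive && !allowed.has(id)) {
      violations.push({ id: ext.id, reason: "not-allowlisted", riskDerived: false });
    } else if (maxRisk !== undefined && RISK_ORDER[ext.riskLevel] > maxRisk) {
      violations.push({ id: ext.id, reason: "risk-above-max", riskDerived: true });
    }
  }
  return violations;
}

// Constructed sample: the policy from the schema above plus four installed extensions
// with made-up risk scores.
const SAMPLE_POLICY_JSON = `{
  "allowedExtensions": ["ms-python.python", "dbaeumer.vscode-eslint"],
  "blockedExtensions": ["some.publisher-risky-extension"],
  "maxRiskLevel": "moderate"
}`;

const SAMPLE_INSTALLED: ScannedExtension[] = [
  { id: "ms-python.python", riskLevel: "low" },
  { id: "dbaeumer.vscode-eslint", riskLevel: "high" },
  { id: "some.publisher-risky-extension", riskLevel: "low" },
  { id: "another.publisher-tool", riskLevel: "moderate" },
];

function runSample(): Violation[] {
  return evaluatePolicy(parsePolicy(SAMPLE_POLICY_JSON), SAMPLE_INSTALLED);
}

for (const v of runSample()) {
  console.log(`${v.id}: ${v.reason}${v.riskDerived ? " (risk-derived)" : ""}`);
}
```

With the sample data, ms-python.python is compliant, dbaeumer.vscode-eslint is flagged for risk even though it is allowlisted, the blocklisted extension is flagged before the allowlist is consulted, and the fourth extension is flagged purely for being absent from the allowlist. Dropping the allowlist or setting it to [] leaves only the blocklist and risk checks active.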

Commands

  • ShieldX: Add to allowlist — picks the current extension and appends it to allowedExtensions
  • ShieldX: Add to blocklist — appends to blockedExtensions
  • ShieldX: Show current policy — opens the current policy as read-only JSON in the editor (available only when a workspace policy file exists)

Violation flow

After a scan, policy violations appear:

  • On the dashboard as a dedicated Policy strip
  • As a warning notification, respecting shieldx.minimumWarningLevel for risk-derived violations

A violation does not uninstall or disable the extension — ShieldX does not have that capability. It surfaces the conflict so a human can act.

Team workflow

  • Start permissive: set only maxRiskLevel: "high"
  • Move to a curated allowedExtensions list once the team's working set stabilises
  • Use blockedExtensions for known-bad publishers regardless of the allowlist

Current limitations

  • Only the first workspace folder is used to read/write the policy file
  • The policy file is local to the workspace; there is no central server
  • The allowlist enforces presence by extension ID only — versions are not pinned