VS Code Audit Add-on by zuykn.io

Collects Visual Studio Code configuration, extensions, workspace settings, and remote development telemetry for security and operational monitoring.

Features

• Cross-platform: Windows (batch), macOS (POSIX shell) – zero external dependencies.
• Multi-variant detection: Discovers VS Code Stable, Insiders, VSCodium, Code-OSS, Cursor, and Windsurf installations.
• Installation inventory: Captures version, commit ID, architecture, install type (user/system), and client + server components.
• Complete extension inventory: Captures client and server extensions with install source, dependencies, trust mode, and pinned versions.
• Remote session tracking: SSH, WSL, attached containers, and dev-containers with connection metadata (host, user, auth method).
• User configuration: Collects settings.json and argv.json (startup arguments).
• Workspace configuration audit: Collects per-project .vscode/settings.json, tasks.json, launch.json, and devcontainer.json.

Security

• Does not collect API keys, secrets, or credentials.
• Local filesystem only; no network calls.
• Only metadata from SSH configuration is used (user and auth method).

Performance

• Chunked output for large lists (extensions and sessions) – 5 items per event.
• Depth‑limited workspace scanning (default depth 5).
• Single‑line JSON events for efficient ingestion.

Typical runtime: macOS usually completes in under 10 seconds; Windows typically in under 60 seconds. The Windows script is pure batch and is designed to stay within cmd.exe’s ~8 KB environment-variable limit using chunked output and no external tools, ensuring compatibility on stock Windows hosts.

Compatibility

VS Code Versions

• Supported: VS Code 1.70 and later (July 2022+)

Operating Systems

Dependencies

• None – Both scripts are self-contained with zero external dependencies
• No Python, PowerShell, jq, or other tools required
• Run as LocalSystem (Windows) or root (macOS) for multi-user collection

VS Code Variants

Both scripts detect installations for these variants and expose them via vscode:installation:

• Visual Studio Code – Insiders
• VSCodium
• Code – OSS
• Cursor
• Windsurf

For v1: Full data collection (settings, extensions, sessions, workspace files) is limited to VS Code Stable. Other variants are reported in installation inventory only.

Installation

1. Install the add‑on under $SPLUNK_HOME/etc/apps/ on:
2. Universal Forwarders – to run the collection scripts.
3. Heavy Forwarders / Indexers – for index-time sourcetype routing (props.conf + transforms.conf).
4. Search Heads – for search-time JSON field extraction (KV_MODE = json).
5. On each Universal Forwarder, configure inputs.conf:
6. Set the target index.
7. Set interval (recommended: 3600 seconds).
8. Adjust script stanzas as needed (see examples below).
9. Enable only one scripted input stanza per Universal Forwarder to avoid duplicate events.
10. Ensure each scripted input has disabled = 0 in inputs.conf.
11. Restart:
12. The Universal Forwarders where the add‑on is installed.
13. Any search heads using the add‑on.

Usage

Both scripts share a consistent CLI and output.

Usage: vscode_audit.[bat|sh] [options]

Options:
    -user <name>               Collect only for specific user (default: all users)
    -user-dir <path>           Override VS Code user directory path
    -extensions-dir <path>     Override extensions directory path
    -workspace-paths <paths>   Custom workspace search paths (comma-separated)
    -max-workspace-depth <num> Max workspace search depth (default: 5)

Disable collections:
    -no-settings               Skip settings.json
    -no-argv                   Skip argv.json
    -no-workspace-settings     Skip .vscode/settings.json
    -no-tasks                  Skip .vscode/tasks.json
    -no-launch                 Skip .vscode/launch.json
    -no-devcontainer           Skip .devcontainer/devcontainer.json
    -no-installation           Skip installation discovery
    -no-extensions             Skip extensions inventory
    -no-sessions               Skip session collection

Windows only:
    -grant-ssh-config-read     Grant SYSTEM read access to .ssh\config for SSH username detection

Note – SSH username detection (Windows): The scripts read %USERPROFILE%\.ssh\config to resolve SSH usernames and auth methods. When Splunk runs as LocalSystem, it cannot read user SSH configs—SSH usernames will appear as "unknown". To enable SSH username detection, use the -grant-ssh-config-read flag or manually grant access:
cmd icacls "C:\Users\<username>\.ssh\config" /grant "SYSTEM:R"
⚠️ Why this isn't default: Windows protects .ssh directories with user-only ACLs by design—SSH clients require restricted permissions and will refuse to use keys if permissions are too open. The command above grants SYSTEM read access to only the config file (not private keys). Evaluate whether exposing SSH config metadata (hostnames, usernames, key paths) to LocalSystem processes aligns with your security policies before enabling.

Example inputs.conf stanzas

Windows:

# Basic collection (all users)
[script://.\bin\\vscode_audit.bat]
index = main
interval = 3600
disabled = 0

# Single user, skip devcontainer
[script://.\bin\vscode_audit.bat -user developer -no-devcontainer]
index = main
interval = 3600
disabled = 0

# Extensions-only audit for one user
[script://.\bin\vscode_audit.bat -user developer -no-settings -no-argv -no-workspace-settings -no-tasks -no-launch -no-devcontainer -no-installation -no-sessions]
index = main
interval = 3600
disabled = 0

macOS:

# Basic collection (all users)
[script://./bin/vscode_audit.sh]
index = main
interval = 3600
disabled = 0

# Single user, skip extensions
[script://./bin/vscode_audit.sh -user dev -no-extensions]
index = main
interval = 3600
disabled = 0

# Single user with custom workspaces, shallow scan
[script://./bin/vscode_audit.sh -user dev -workspace-paths "/Users/dev/src,/Users/dev/projects" -max-workspace-depth 3]
index = main
interval = 3600
disabled = 0

Sourcetypes

The add‑on supports 9 sourcetypes:

vscode:installation

Discovered VS Code installations (client and remote server components) per user. Use target to distinguish local client installs from remote server installs.

vscode:settings

User-level settings.json containing editor preferences, enabled features, and security-relevant settings like workspace trust configuration.

vscode:argv

User-level argv.json containing VS Code startup arguments (locale, crash reporter settings, sandbox configuration).

vscode:workspace_settings

Project-level .vscode/settings.json containing workspace-specific editor and language settings that may override user defaults.

vscode:tasks

Project-level .vscode/tasks.json defining build, test, and automation tasks.

vscode:launch

Project-level .vscode/launch.json defining debug configurations, including program paths, environment variables, and remote attach settings.

vscode:devcontainer

Project-level .devcontainer/devcontainer.json defining development container configuration (base image, features, extensions, port forwarding, and post-create commands).

vscode:extensions

Installed extensions inventory for client and server environments (chunked, 5 items/event). Includes install source, trust mode, executable detection, and activation events.

Extension object fields (within items array):

vscode:sessions

Active and recent sessions inventory (chunked, 5 items/event). Tracks local, SSH, WSL, and container connections with authentication method and workspace context.

Session object fields (within items array):

Note – Remote username resolution: For recent SSH sessions, user is resolved from the User directive in SSH config; historical sessions report unknown to avoid assumptions. Container sessions always report unknown as Docker doesn't expose this context.

Support

Need help, want a custom version, or have a feature request? Contact us—​we're happy to help!
- Website: https://zuykn.io
- Docs: https://docs.zuykn.io
- Email: support@zuykn.io

License

This add-on is licensed under the zuykn Private Commercial Use License Version 1.0.
See the LICENSE file in the project root for full terms.

© 2023–2025 zuykn. All Rights Reserved.