79523950

Date: 2025-03-20 19:52:14

TL;DR

Remember that SOPS is used for highly sensitive data. If you want to use VS Code, you should at least disable third-party plugins and Copilot. TL;DR:

SOPS_EDITOR="code --wait --new-window --disable-workspace-trust --disable-extensions --disable-telemetry" sops secrets/testing.yaml

Longer version

Noticing VS Code sending my secrets to remote servers with Copilot

I noticed this myself when I was testing a SOPS file in VS Code with:

EDITOR="code --wait" sops secrets/testing.yaml

I had GitHub Copilot turned on and noticed that it sends my unencrypted secrets in plaintext to a remote server to get autocompletions.

When I typed:

password: "correct

GitHub Copilot suggested:

password: "correct horse battery staple"

Blocking VS Code with flags

Only adding --disable-extensions would probably be enough, but at least for me this did not work if I didn't add --new-window as well.

Then I noticed that VS Code actually has plenty of undocumented flags available in its source code.

So --disable-workspace-trust and --disable-telemetry seemed useful too.

SOPS_EDITOR="code --wait --new-window --disable-workspace-trust --disable-extensions --disable-telemetry" sops secrets/testing.yaml

It's a good idea to add SOPS_EDITOR as an env variable in your shell configs so that you don't need to type it every time.

This is great because all of us probably have some suspicious third-party VS Code extension installed, and all of the extensions are disabled for the unencrypted SOPS file.

Blocking Copilot from the SOPS temporary files

I noticed that it's also possible to disable Copilot by modifying your user profile settings in VS Code:

{
    // We will use these custom file associations to disable Copilot
    // See more in: https://stackoverflow.com/a/77908836/1337062
    "files.associations": {
        // If repo would contain secrets in .env file it's better to ignore it
        ".env*": "plaintext",
        // SOPS creates unencrypted temporary files here on macOS
        "/var/folders/*/**": "plaintext",
    },
    // This setting can't be altered here and
    // needs to be copied directly into user settings
    "github.copilot.enable": {
        "*": true,
        "plaintext": false,
    },
}

Summary

I highly recommend adding the stricter SOPS_EDITOR env variable and the extra file associations which disable Copilot for the plaintext temp files.

If you want to see how I added this into my git repo using Elixir and Nix with SOPS, you can have a look at the linked commit.

Stay safe!
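A shell pre-flight check for the SOPS_EDITOR value described in the answer above. This is an added example, not code from the answer; the function names missing_editor_flags and sops_edit and the REQUIRED_FLAGS list are assumptions for illustration, and the flag set is the one the answer uses.

```sh
#!/bin/sh
# Pre-flight check for the hardened VS Code invocation used as SOPS_EDITOR.
# Refuses to open a SOPS file if the configured editor command is missing any
# of the isolation flags from the answer (hypothetical helper names).

REQUIRED_FLAGS="--wait --new-window --disable-workspace-trust --disable-extensions --disable-telemetry"

# missing_editor_flags EDITOR_CMD
#   Prints the required flags that EDITOR_CMD does not contain (space separated),
#   returns 0 when none are missing and 1 otherwise.
missing_editor_flags() {
  cmd="$1"
  missing=""
  for f in $REQUIRED_FLAGS; do
    # Match the flag as a whole word so "--wait" does not match "--waitx".
    case " $cmd " in
      *" $f "*) ;;
      *) missing="$missing $f" ;;
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# sops_edit FILE
#   Runs sops with SOPS_EDITOR, falling back to the hardened default from the
#   answer, and aborts before any plaintext is written if the editor is weak.
sops_edit() {
  editor="${SOPS_EDITOR:-code --wait --new-window --disable-workspace-trust --disable-extensions --disable-telemetry}"
  if ! missing="$(missing_editor_flags "$editor")"; then
    echo "refusing to open $1: SOPS_EDITOR is missing: $missing" >&2
    return 1
  fi
  SOPS_EDITOR="$editor" sops "$1"
}
```

Source this file from your shell config and call `sops_edit secrets/testing.yaml` instead of `sops` directly.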

Posted by: Onni Hakala