Close Open Privacy Scan
App Privacy Score
Low risk · 27 finding(s)
Dependency score: 100 (Low risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz External domains
aiplatform.googleapis.comaka.msapi.anthropic.comapi.eu.mistral.aiapi.groq.comapi.mistral.aiapi.npms.ioapi.openai.comapi.us.mistral.aiauth.openai.comautopush-generativelanguage.sandbox.googleapis.comavatars.githubusercontent.combatch.chinacloudapi.cnbatch.core.usgovcloudapi.netbatch.core.windows.netbatch.microsoftazure.debrowser.events.data.microsoft.comc.s-microsoft.comchromium.googlesource.comcode.visualstudio.comdefault.exp-tas.comdeveloper.mozilla.orgdevelopercertificate.orgdocs.anthropic.comdocs.expo.devdocs.mistral.aidocs.npmjs.comdummy.comeducation.github.comeslint.orggallery.azure.comgallery.chinacloudapi.cngallery.cloudapi.degallery.usgovcloudapi.netgemini-api-demos.uc.r.appspot.comgenerativelanguage.googleapis.comgithub.comgo.microsoft.comgraph.chinacloudapi.cngraph.cloudapi.degraph.windows.nethelp.openai.cominsiders.vscode.devjson-schema.orglearn.microsoft.comlogin.chinacloudapi.cnlogin.microsoftonline.comlogin.microsoftonline.delogin.microsoftonline.uslogin.windows-ppe.netmanage.microsoftazure.demanage.windowsazure.usmanagement.azure.commanagement.chinacloudapi.cnmanagement.core.chinacloudapi.cnmanagement.core.cloudapi.demanagement.core.usgovcloudapi.netmanagement.core.windows.netmanagement.microsoftazure.demanagement.usgovcloudapi.netmathiasbynens.github.iomicrosoft.commicrosoft.github.ionews.google.comnpm.imollama.comontheline.trincoll.eduplatform.claude.complatform.openai.compnpm.ioportal.azure.cnportal.azure.comportal.azure.usportal.microsoftazure.deposthog.comraw.githubusercontent.comreact.devreactjs.orgregistry.bower.ioregistry.npmjs.comregistry.npmjs.orgsemver.orgsentry.iostorage.googleapis.comupdate.code.visualstudio.comus.i.posthog.comvscode.devvscode.download.prss.microsoft.comwww.allrecipes.comwww.ecma-international.orgwww.foodnetwork.comwww.freedesktop.orgwww.gnu.orgwww.googleapis.comwww.ibm.comwww.w3.org
</> First-Party Code
first-party (rust): cli
rust first-partyexpand_more 27 low-confidence finding(s)
let mut file = fs::File::open(path).expect("failed to open file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match env::var("VSCODE_CLI_PRODUCT_JSON") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let contents = fs::read(file)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client
.get(GH_USER_ENDPOINT)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if std::env::var("VSCODE_CLI_DISABLE_KEYCHAIN_ENCRYPT").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let native_storage_result = if std::env::var("VSCODE_CLI_USE_FILE_KEYCHAIN").is_ok()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let token = fs::read_to_string(PathBuf::from(p))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let path = match std::env::var("PATH") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut binary_file = File::create(binary_file_path).expect("expected to make file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(&path).expect("expected to create file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = File::create(&path).expect("expected to create file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let contents = fs::read_to_string(&self.server_paths.logfile)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(&self.server_paths.logfile).map_err(|e| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env: std::env::vars().collect(),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = std::fs::File::open(log_file).map_err(|e| wrap(e, "error opening log file"))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if std::env::var("SSH_CLIENT").is_ok() || std::env::var("SSH_TTY").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = File::create(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = File::create(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if std::env::var(DID_LAUNCH_AS_HIDDEN_PROCESS).is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let sys_root = match std::env::var("SystemRoot") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let is_32_on_64 = std::env::var("PROCESSOR_ARCHITEW6432").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if std::env::var("WSL_DISTRO_NAME").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut append_file = File::create(&file_path).unwrap(); // truncates
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var_os("SNAP"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var_os("SNAP_REVISION"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var("VSCODE_SERVER_CUSTOM_GLIBC_LINKER").is_ok() ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Some(path) => match fs::read(&path).await {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- @vscode/deviceid prod — dist-only: no readable source
- vscode-markdown-languageserver prod — dist-only: no readable source
- @vscode/l10n prod — dist-only: no readable source
- vscode-json-languageservice prod — scan budget exceeded
- vscode-languageserver prod — scan budget exceeded
- vscode-css-languageservice prod — scan budget exceeded
- vscode-html-languageservice prod — scan budget exceeded
- byteorder prod — scan budget exceeded
- crc prod — scan budget exceeded
- slog prod — scan budget exceeded
- slog-async prod — scan budget exceeded
- slog-term prod — scan budget exceeded
- futures prod — scan budget exceeded
- clap prod — scan budget exceeded
- open prod — scan budget exceeded
- reqwest prod — scan budget exceeded
- tokio prod — scan budget exceeded
- tokio-util prod — scan budget exceeded
- flate2 prod — scan budget exceeded
- zip prod — scan budget exceeded
- regex prod — scan budget exceeded
- lazy_static prod — scan budget exceeded
- sysinfo prod — scan budget exceeded
- serde prod — scan budget exceeded
- serde_json prod — scan budget exceeded
- rmp-serde prod — scan budget exceeded
- uuid prod — scan budget exceeded
- dirs prod — scan budget exceeded
- rand prod — scan budget exceeded
- opentelemetry prod — scan budget exceeded
- serde_bytes prod — scan budget exceeded
- chrono prod — scan budget exceeded
- gethostname prod — scan budget exceeded
- libc prod — scan budget exceeded
- tunnels prod — scan budget exceeded
- keyring prod — scan budget exceeded
- dialoguer prod — scan budget exceeded
- hyper prod — scan budget exceeded
- indicatif prod — scan budget exceeded
- tempfile prod — scan budget exceeded
- clap_lex prod — scan budget exceeded
- url prod — scan budget exceeded
- async-trait prod — scan budget exceeded
- log prod — scan budget exceeded
- const_format prod — scan budget exceeded
- sha2 prod — scan budget exceeded
- base64 prod — scan budget exceeded
- shell-escape prod — scan budget exceeded
- thiserror prod — scan budget exceeded
- cfg-if prod — scan budget exceeded
- pin-project prod — scan budget exceeded
- console prod — scan budget exceeded
- bytes prod — scan budget exceeded
- tar prod — scan budget exceeded