Auto-Approve Copilot Commands in VS Code

VS Code Copilot requires manual approval for tool invocations and terminal commands by default. You can disable this with a single setting.

Enable Global Auto-Approve

Add this to your settings.json:

{
  "chat.tools.global.autoApprove": true
}

Access settings via Cmd+Shift+P (macOS) or Ctrl+Shift+P (Windows/Linux), then type “Preferences: Open User Settings (JSON)”.

Alternatively, search for “global auto approve” in Settings UI (Cmd+, or Ctrl+,) and enable the checkbox.

Security Risk: Containerized Environments

This setting is extremely dangerous in containerized VS Code environments (Docker containers, remote SSH, dev containers, GitHub Codespaces).

Why This Matters

Containerized environments often have:

• Access to host system secrets and credentials
• Mounted volumes with sensitive data
• Environment variables containing API keys
• SSH keys and authentication tokens
• Database connection strings
• Cloud provider credentials

Auto-approving all commands allows Copilot to execute potentially destructive operations without confirmation:

# These commands execute without approval
rm -rf /workspace/*
cat ~/.ssh/id_rsa
echo $AWS_SECRET_ACCESS_KEY > public/keys.txt
docker run --rm -v /:/host alpine cat /host/etc/shadow

Exposed Credentials Example

# Copilot might run discovery commands that leak secrets
env | grep -i secret
cat ~/.aws/credentials
docker inspect container_name
git config --list --show-origin

In containerized environments, these commands can exfiltrate credentials, delete critical files, or compromise the host system.

Safer Alternative: Selective Auto-Approve

Use regex patterns to allow specific safe commands:

{
  "chat.tools.terminal.autoApprove": {
    "/^git\\s+(status|diff|log|show)\\b/": true,
    "/^ls\\b/": true,
    "/^cat\\s+(?![/~\\.])/": true,
    "rm": false,
    "rmdir": false,
    "kill": false,
    "sudo": false,
    "curl": false,
    "wget": false
  }
}

This approach:

• Allows read-only Git commands
• Permits directory listing
• Blocks destructive operations
• Prevents credential exfiltration attempts

When to Use Global Auto-Approve

Only enable in trusted, isolated environments:

• Personal laptop with no sensitive data
• Sandbox VMs with no host access
• Throwaway development containers
• Offline environments

Never enable in:

• Production or staging containers
• Shared development servers
• CI/CD environments
• Any system with mounted secrets or credentials
• Remote SSH sessions to company infrastructure

Impact Assessment

Before enabling, audit your environment:

# Check mounted volumes (if containers exist)
containers=$(docker ps -aq 2>/dev/null) && [ -n "$containers" ] && docker inspect "$containers" | grep -A 10 Mounts || echo "No containers found"

# List environment variables with secrets
env | grep -iE "(key|token|secret|password|credential)"

# Check SSH key accessibility
ls -la ~/.ssh/

# Review Git credentials
git config --list | grep credential

If any command returns sensitive data, do not enable global auto-approve.

Recommendation

Use manual approval as the default security posture. The 2-second delay to approve commands is negligible compared to the risk of credential exposure or data loss in containerized environments.