VS Code now supports MCP servers that give AI agents access to tools, databases, and external services. When an MCP server is compromised or an agent gets tricked by prompt injection, those tool calls can exfiltrate credentials, execute dangerous commands, or poison future interactions.

Pipelock wraps your VS Code MCP servers through a scanning proxy. Every tool call and response passes through the scanning pipeline before it reaches the MCP server or returns to the agent.

Install

Install the binary:

# Homebrew (macOS / Linux)
brew install luckyPipewrench/tap/pipelock

# Go
go install github.com/luckyPipewrench/pipelock/cmd/pipelock@latest

Wrap your MCP servers:

pipelock vscode install

Restart VS Code. That’s it.

The command rewrites .vscode/mcp.json in your project directory. Each MCP server’s command gets wrapped through pipelock mcp proxy. A .bak backup is created before any changes. Already-wrapped servers are skipped (idempotent).

How it works

Unlike Claude Code and Cursor, VS Code doesn’t have a hooks system. Instead, Pipelock rewrites MCP server configs so traffic routes through its proxy.

Before:

{
  "servers": {
    "my-server": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
    }
  }
}

After:

{
  "servers": {
    "my-server": {
      "command": "pipelock",
      "args": ["mcp", "proxy", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
    }
  }
}

HTTP/SSE servers are automatically converted to stdio wrapping with --upstream. Non-server fields like inputs and sandbox are preserved.
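The before/after shapes above can be checked mechanically. The following is an added example, not part of Pipelock: it audits an mcp.json and lists every server whose command does not go through pipelock mcp proxy. The sample config, the server names other than my-server, and the treatment of url-only entries as unwrapped are assumptions; it expects strict JSON without comments.

```python
import json
import os
import sys

# Constructed sample: one wrapped server (from the page), one unwrapped stdio
# server and one url-only entry (both hypothetical).
SAMPLE = """{
  "servers": {
    "my-server": {"command": "pipelock", "args": ["mcp", "proxy", "--", "npx", "-y",
        "@modelcontextprotocol/server-filesystem", "/tmp"]},
    "added-later": {"command": "npx", "args": ["-y", "example-mcp-server"]},
    "remote": {"type": "http", "url": "https://mcp.example.invalid/sse"}
  },
  "inputs": []
}"""

def audit_mcp_config(text):
    """Return {server_name: (status, detail)} for an mcp.json document."""
    report = {}
    for name, server in json.loads(text).get("servers", {}).items():
        command = server.get("command")
        args = server.get("args", [])
        binary = os.path.splitext(os.path.basename(command or ""))[0]
        if command is None:
            # No command: e.g. an HTTP/SSE entry that still points straight at a URL.
            report[name] = ("unwrapped", server.get("url", "no command"))
        elif binary == "pipelock" and args[:2] == ["mcp", "proxy"]:
            # Everything after "--" is the original server command line; without
            # "--" (assumed for --upstream wrapping) report the remaining args.
            inner = args[args.index("--") + 1:] if "--" in args else args[2:]
            report[name] = ("wrapped", " ".join(inner))
        else:
            report[name] = ("unwrapped", " ".join([command, *args]))
    return report

def unwrapped_servers(text):
    """Names of servers whose traffic would bypass the proxy."""
    return sorted(n for n, (s, _) in audit_mcp_config(text).items() if s == "unwrapped")

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for name, (status, detail) in sorted(audit_mcp_config(text).items()):
        print(f"{status:9} {name}: {detail}")
    sys.exit(1 if unwrapped_servers(text) else 0)
```

Run it with a path such as .vscode/mcp.json as the first argument; the non-zero exit code on any unwrapped entry makes it usable as a pre-commit or CI check.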

What it scans

Tool arguments (outbound). Scans tool call arguments for credential leaks (46 DLP patterns), prompt injection patterns, and dangerous operations. Catches secrets in any JSON field, including nested objects and arrays.

Tool responses (inbound). Scans tool results for prompt injection before they reach the agent. A 6-pass normalization pipeline catches zero-width character evasion, homoglyph substitution, leetspeak encoding, and base64-wrapped payloads.

Tool descriptions. Checks tools/list responses for poisoned instructions hidden in tool descriptions. Detects mid-session description changes (rug-pull attacks).

Options

Project vs global scope:

# Project-level (default): wraps .vscode/mcp.json in current directory
pipelock vscode install

# Global: wraps VS Code user-level mcp.json
pipelock vscode install --global

Custom config:

pipelock vscode install --config ~/.config/pipelock/pipelock.yaml

Dry run (preview without modifying):

pipelock vscode install --dry-run

Remove

To restore your original MCP server configs:

pipelock vscode remove

This unwraps all servers and restores the original commands from stored metadata. Use --global to remove global-level wrapping.

Scan your repo first

Before starting work in a new repository, scan it for dangerous IDE config files:

pipelock preflight .

This detects poisoned .vscode/mcp.json, .cursor/hooks.json, .mcp.json, and .claude/settings.json files that could register malicious MCP servers or override your security settings.