The Dev Container Spec#219 and CLI#493 have already finalized and implemented First Class Secrets Support.
However, the VS Code Dev Containers extension currently lacks this implementation.
This creates a security parity gap: users are still forced to pass sensitive credentials via remoteEnv, leading to potential secret leakage—the exact vulnerability this spec was designed to resolve.
The extension should be compliant with the official specification, supporting secure, dynamic secret injection (e.g., via Windows Credential Manager, macOS Keychain) without requiring a container rebuild.
Since the CLI already supports this, when will the VS Code extension bridge this gap to ensure secure secret handling?