
At 9:19 am EST, March 27th, 2025, we received a notification from Rami McCarthy, a security researcher at Wiz, that sensitive information was found in our newly published VSCode extension. We acted quickly to identify the sensitive information, which was an API key associated with our development environment. Even though no customer information was at risk, we decided to rotate the client secrets for all environments just in case. This is also a good incident response exercise, as it let us confirm that we can rotate credentials while maintaining uptime within our SLAs. We also determined why the information was included in the first place, fixed that, and published an updated version of the IDE extension.
While this issue in no way affected our customers, we take security very seriously and treated it as if it could have. We worked together as a team and completed all of this work within 47 minutes of being made aware of the issue.
How did it happen?
Our build pipeline, for various reasons, constructs a .env file that contains many configuration values, one of which is sensitive. This file is listed in .gitignore, so it is never accidentally checked in by a developer. However, the VSCode extension packaging tool uses a different ignore file, .vscodeignore, and it does not consult .gitignore. The .env entry was missing from .vscodeignore, so the file was bundled into the published package. As this was our first rollout of a VSCode plugin, we learned this practice the hard way.
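A pre-publish gate of the kind that would have caught this, added here as an example and not code from our pipeline: it opens the packaged VSIX (a zip archive whose files sit under an extension/ prefix), fails on denied file names such as .env, and flags KEY=/SECRET=/TOKEN= style assignments inside any text entry. The deny-list, the regex and the sample package are assumptions constructed for the demonstration.

```python
import io
import re
import zipfile

# Assumed deny-list of files that should never ship inside an extension package.
DENIED_NAMES = {".env", ".env.local", ".npmrc", ".netrc"}
DENIED_SUFFIXES = (".pem", ".key", ".p12")
# Heuristic for dotenv-style secret assignments, e.g. API_KEY=... or CLIENT_SECRET=...
SECRET_LINE = re.compile(
    r"^\s*[A-Z0-9_]*(KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*\s*=\s*\S+", re.M
)


def scan_vsix(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means the package is clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as vsix:
        for info in vsix.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            if name in DENIED_NAMES or name.endswith(DENIED_SUFFIXES):
                findings.append(f"denied file packaged: {info.filename}")
                continue
            # Only inspect entries that decode as UTF-8 text; skip binaries.
            try:
                text = vsix.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue
            for match in SECRET_LINE.finditer(text):
                key = match.group(0).split("=", 1)[0].strip()
                findings.append(f"secret-looking assignment {key}= in {info.filename}")
    return findings


def build_sample_vsix(include_env: bool) -> bytes:
    """Constructed sample VSIX for demonstration only; the values are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", '{"name": "demo", "version": "0.0.1"}')
        z.writestr("extension/dist/extension.js", "exports.activate = () => {};")
        if include_env:
            z.writestr("extension/.env",
                       "API_BASE=https://example.invalid\nAPI_KEY=placeholder-not-a-real-key\n")
    return buf.getvalue()


if __name__ == "__main__":
    # In CI: run against the real .vsix and exit non-zero when findings is non-empty.
    for finding in scan_vsix(build_sample_vsix(include_env=True)):
        print(finding)
```

In a pipeline, run the scan on the .vsix produced by the packaging step and fail the publish job on any finding, independently of whether .vscodeignore was maintained correctly.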
How are you going to prevent it in the future?
First, we are implementing a more robust code owner review process based on the functional area. If only the application code is changed, then it only needs to be reviewed by a Developer familiar with that type of code. However, a change in a CI pipeline requires a DevOps engineer’s review.
Second, we are reviewing how we handle sensitive information. Where possible, we are eliminating long-lived secrets by using alternatives such as workload identity mapping. Where that isn't possible, we ensure the sensitive information is rotated frequently to minimize the impact of a leak.
Responsible Disclosure
Last but not least, we highly appreciate Rami's speed and level of coordination in disclosing this issue to us. As a cybersecurity company, we recognize that security is a continuous effort that includes handling and disclosing issues promptly. We are setting ourselves to the highest bar—including the transparent disclosure of post-mortem incidents such as this—so that the entire cybersecurity community can benefit from it.