Keeper Security VS Code Extension
June 9, 2026 · View on GitHub

Keeper Security VS Code Extension
Table of Contents
Overview
A comprehensive VS Code extension that integrates Keeper Security vault functionality directly into the development workflow. The extension provides secure secret management capabilities including saving, retrieving, generating, and running commands with secrets from Keeper Security vault.
This enable developers to manage secrets securely without leaving their development environment, while maintaining the highest security standards and providing seamless integration with existing Keeper Security infrastructure.
Features
- Secret Management: Save, retrieve, and generate secrets directly from VS Code using Keeper Security vault
- Dual Mode Support: Choose between
- CLI mode (Keeper Commander CLI) - Default
- KSM mode (Keeper Secrets Manager)
- Secret Detection: Automatically detect potential secrets from configuration files using pattern recognition (API keys, passwords, tokens, JWT, AWS keys, Stripe keys, and more)
- Secure Execution: Run commands with secrets injected from Keeper vault
- Comprehensive Logging: Built-in logging system with debug mode support
Prerequisites
- VS Code: v1.99.0 or later
- Keeper Security Account: Active subscription with vault access (Consumer, B2B, MSP)
For CLI Mode:
- Keeper Commander CLI:
- The Keeper Commander CLI v18.0.5 or later must be installed globally on your system using the official binary.
- Authenticated using Persistent login or Biometric login
For KSM Mode:
- Requires Secrets Manager Access
Setup
For CLI Mode
Install Keeper Commander CLI Binary
-
Follow the Keeper Commander Installation Guide to download and install the binary for your operating system.
-
Ensure the CLI is accessible from your system shell PATH
-
Open your terminal and run the following command to verify the installation:
keeper --version- You should see output similar to:
Keeper Commander, version 17.1.8 - This confirms that the Commander CLI is installed and accessible globally.
After successfully installing the Keeper Commander CLI, please reopen VS Code if it was open during the installation.
Authenticate with Keeper Commander CLI
- Open your terminal or command prompt.
- Run the following command:
keeper shell - If you're not already logged in, you'll be prompted to enter your Keeper credentials. Follow the prompts to complete the login process.
- Upon successful login, you'll see the command prompt change to:
My Vault> - While still inside the
My Vault>prompt, you must complete one of the following steps to complete setup:-
- Run:
this-device persistent-login on - Then run:
this-device registerNote: To set the inactivity logout timer to a certain number of minutes: Run
this-device timeout 600. This successfully set "logout_timer" to 10 hours.
- Run:
-
- Run:
biometric register - A biometric authentication prompt (fingerprint or Face ID) will be displayed.
With successful fingerprint or faceID authentication the registration will be completed.
- Run:
-
Refer to the Logging in guide for full details.
Note: If you've made configuration changes to the Commander CLI manually, please reload your editor window by pressing Ctrl+Shift+P (or Cmd+Shift+P on Mac), then select
Developer: Reload Window.
For KSM Mode
Create a Secrets Manager Application in Keeper Vault
- In the Keeper Vault, go to the Secrets Manager tab to view your existing applications.
- Click Create Application.
- Enter a name for the new Secrets Manager Application.
- Select the shared folder(s) that the application should have access to.
- The application will only be able to access records stored in these selected folders.
- Under Record Permission for Application, choose Can Edit to grant write access to the Vault records.
- Click Generate Access Token to create the application.
- A One-Time Access Token will be generated for the client device.
- Copy or download this token securely — you’ll need it later in the setup process.
Note: Ensure that the "Can Edit" permission is granted when adding a shared folder to the Secrets Manager application.
Create Additional Client Devices (optional):
Once the Secrets Manager Application is created, more Client Devices can be created for the Application from the keeper vault.
See the documented instructions to create additional Client Devices
Install the extension
The Visual Studio Extension can be installed by visiting Extensions tab and search for "Keeper Security".
The extension homepage is published at the link below: https://marketplace.visualstudio.com/items?itemName=KeeperSecurityDev.ks-vscode
If you're using Cursor or any other VS Code Fork, the Keeper extension is also published to the Open VSX Registry here: https://open-vsx.org/extension/KeeperSecurityDev/ks-vscode
Verify Extension Access
- Open VS Code Command Palette (
Ctrl+Shift+P/Cmd+Shift+P) - Type
Keeper Securityto see all available commands
Usage
Available Commands
Once authenticated, you can access the following commands through the Command Palette (Ctrl+Shift+P / Cmd+Shift+P):
| Command | Description | Use Case |
|---|---|---|
| Save in Keeper Security | Save selected text as secret in vault | Save and Replace hardcoded secrets with keeper references |
| Get from Keeper Security | Insert existing secrets from vault as keeper references | Retrieve stored secrets without exposing values |
| Run Securely | Execute commands with injected keeper secrets | Run applications with vault credentials |
| Choose Folder | Select vault folder for storing secrets in there | To store secret in specific folder |
| Generate Password | Generate and store secure passwords in vault | Create new secure credentials |
| Open Logs | View extension activity logs | Debug and monitor extension operations |
| Authenticate (KSM Mode only) | Authenticate KSM using various configuration options. | To use different secrets manager application |
| Switch to CLI / KSM | Switch to CLI / KSM mode for current workspace | Toggle between Commander CLI and KSM modes |
Commands Details:
Save in Keeper Security
-
Using Command Palette
Purpose: Save selected text as a secret in Keeper Security vault and replace it with a keeper reference.
Steps:
- Select text containing a secret (password, token, API key, ...etc)
- Open Command Palette (
Ctrl+Shift+P/Cmd+Shift+P) - Type
Keeper Security: Save in Keeper Securityand select it - Extension will authenticate with Keeper Security (if needed)
- Enter record / field name
- (CLI mode, My Vault only) Choose where the new record should live:
- Use classic permission model — creates the record with classic permission model.
- Use new permission model — creates the record with new permission model.
This prompt appears only when your current storage is
My Vault. If you have already chosen a specific folder viaChoose Folder, the record is added there directly without prompting.Example:
- Current storage =
My Vault→ you'll see the permission-model prompt before the record is created. - Current storage =
Backend / API Secrets (Classic Folder)→ the record is created with classic permission model and added directly to that folder, no prompt. - Current storage =
Team Shared / DB Credentials (Nested Share Folder)→ the record is added directly using the new permission model, no prompt.
- Current storage =
- Extension creates the new item in your Keeper vault
- Selected text is replaced with the keeper reference (
keeper://...) at the user's last cursor position
-
Automatic Secret Detection
Purpose: Automatically detect potential secrets in your code for easy identification and securing.
Features:
- Extension scans files for known secret patterns
- Provides CodeLens for detected secrets
- CodeLens shows
Save in Keeper Securityoption over the secret - Click CodeLens and follow prompts to save detected secret
- The keeper reference will be automatically replaced with detected secret at users last cursor position
Supported File Types:
- Environment Files: eg.
.env,.env.*
Example:

Get from Keeper Security
Purpose: Insert existing Keeper Security secrets into your code as keeper reference without exposing actual values.
Steps:
- Open Command Palette
- Type
Keeper Security: Get from Keeper Securityand select it - Extension shows the list of available records:
- (CLI mode, My Vault only) Classic and NSF records are shown together. Each entry is tagged
(Classic)or(Nested)to make the source clear. - When a specific folder is selected via
Choose Folder, only records from that folder are shown.
- (CLI mode, My Vault only) Classic and NSF records are shown together. Each entry is tagged
- Select a
record, then thefieldyou want to use - Extension inserts the keeper reference at the user's last cursor position
Reference Format: keeper://record-uid/field/item
Example:

Run Securely
Purpose: Execute a command by injecting secret values fetched from Keeper Vault, based on Keeper references defined in a selected .env file.
Steps:
- Open Command Palette
PressCtrl+Shift+P(Windows/Linux) orCmd+Shift+P(macOS) - Search and select
Keeper Security: Run Securely. - Choose a
.envfile:- A dropdown will display available
.envfiles from your current workspace. - Alternatively, select "Browse Environment File" to choose a
.envfile from another location. - If hidden files (like
.env) are not visible in the file dialog:- On macOS, press
Cmd + Shift + . - On Windows, press
Ctrl + H(in some file dialogs) - On Linux, press
Ctrl + H
- On macOS, press
- A dropdown will display available
- Enter the command you want to run.
- Extension creates a terminal with injected secrets from the selected
.envand executes the command.
Note: To make use of the injected secret values in your application, your code must reference the corresponding environment variables (e.g.,
process.env.DB_PASSWORD,os.environ.get("API_KEY"), etc.).
The.envfile should contain Keeper references (e.g.,DB_PASSWORD=keeper://...) which are resolved at runtime when you use Run Securely.
Reference validation: Each
keeper://reference is validated before being resolved. References that contain line breaks, control characters, or record UIDs that are not valid Keeper URL-safe base64 tokens are rejected and skipped — the resolver does not call the Keeper CLI for them and the corresponding environment variable is left as-is. This ensures malformed or tampered.enventries cannot influence what the CLI executes.
Untrusted workspaces: For security reasons, this extension is disabled in VS Code Restricted Mode. To use Run Securely (or any other Keeper Security command) in a workspace, you must explicitly trust the workspace via Workspaces: Manage Workspace Trust.
Example:

Choose Folder
Purpose: Specify the vault folder where secrets for this workspace will be stored.
Steps:
- Open Command Palette
- Type
Keeper Security: Choose Folderand select it - Extension displays available vault folders, including
My Vault(root)- (CLI mode) Each non-root entry is tagged
(Classic Folder)or(Nested Share Folder)for folder type identification.
- (CLI mode) Each non-root entry is tagged
- Select the desired folder for this workspace
- Future
Save in Keeper SecurityandGenerate Passwordoperations will use the selected folder to store the secret in your Keeper Vault.- Selecting
My Vaultdefers the choice to record-creation time: you'll then be prompted for the permission model (classic vs new) each time you save or generate a password.
- Selecting

Generate Password
Purpose: Generate secure passwords and store them in Keeper Security vault.
Steps:
- Open Command Palette
- Type
Keeper Security: Generate Passwordand select it - Enter the
recordname - (CLI mode, My Vault only) Choose where the new record should live:
- Use classic permission model — creates the record with classic permission model.
- Use new permission model — creates the record with new permission model.
This prompt appears only when your current storage is
My Vault. If you have already chosen a specific folder viaChoose Folder, the record is added there directly without prompting.Example:
- Current storage =
My Vault→ you'll see the permission-model prompt before the password is stored. - Current storage =
Backend / API Secrets (Classic Folder)→ the record with auto-generated password is created with classic permission model and added directly to that folder, no prompt. - Current storage =
Team Shared / DB Credentials (Nested Share Folder)→ the record with auto-generated password is added directly using the new permission model, no prompt.
- Current storage =
- The password reference will be inserted at the user's last cursor position
Example:

Open Logs
Purpose: View extension activity logs for debugging and monitoring.
Steps:
- Open Command Palette
- Type
Keeper Security: Open Logsand select it - Extension opens output panel with detailed logs
Example:

Authenticate (KSM Mode Only)
Purpose: Re-authenticate KSM using various configuration options like one-time token, base64 encoded string, or JSON file configuration. Can be use this when you need to use different secrets manager application.
Steps:
- Open Command Palette
- Type
Keeper Security: Authenticateand select it - Choose your preferred authentication method:
- One-Time Token: Enter a one-time access token
- Base64: Enter a base64 encoded configuration string
- JSON Config File: Select a JSON configuration file path
- Enter the corresponding authentication value when prompted
- KSM authenticated successfully
Switch to CLI / KSM
Purpose: Switch the extension mode from CLI (Keeper Commander CLI) to KSM (Keeper Secrets Manager) or vice-versa for the current workspace.
Steps:
- Open Command Palette
- Type
Keeper Security: Switch to CLI/Keeper Security: Switch to KSMand select it - A confirmation dialog will appear asking to reload the window
- Click "Reload Window" to confirm the mode switch
Extension Settings
The extension provides configuration options:
- Open Editor Settings (
Ctrl+,/Cmd+,) - Search for
Keeper Security - Configure the following options:
| Setting | Description | Default |
|---|---|---|
| Debug Enabled | Enable detailed logging for debugging | false |
| Secret Detection | Enable automatic secret detection | true |
| Mode Type | Switch between CLI or KSM mode | cli |
Note: "Debug mode" and "Mode Type" requires reloading the extension to take effect.
Press Ctrl+Shift+P (or Cmd+Shift+P on Mac), then selectDeveloper: Reload Window
Troubleshooting
Debug Mode
Enable debug logging to see detailed information about extension operations:
- Open VS Code Settings (
Ctrl+,/Cmd+,) - Search for "Keeper Security"
- Enable "Debug" option
- Reload the window (
Ctrl+Shift+P(orCmd+Shift+Pon Mac) → "Developer: Reload Window") - Run "Open Logs" command to see detailed logs
Common Issues
Generic Issues (Apply to Both CLI and KSM Modes)
1. Extension General Issues
Problem: Extension takes time to fetch secrets, shows loading continuously, fails to resolve keeper references, latest records not displaying from keeper vault, or other unexpected issues.
Solutions:
- Reload Editor Window (
Ctrl+Shift+P(orCmd+Shift+Pon Mac) → "Developer: Reload Window") - For CLI Mode: Ensure Keeper Commander CLI is authenticated with Persistent login or Biometric login
- For KSM Mode: Verify KSM authentication is correct
- Check internet connection and firewall settings
- Verify Keeper vault accessibility
- Clear extension cache if issues persist
2. Commands Not Available
Problem: Keeper Security extension commands don't appear in Command Palette
Solution:
- Ensure you have installed correct
Keeper Securityextension. - Reload VS Code window if commands still don't appear
- Check the extension is properly enabled/activated
3. Extension Not Loading
Problem: Extension fails to activate or shows errors
Solutions:
- Check VS Code version compatibility (requires
1.99.0or later) - Verify Node.js version (requires 18.0.0 or later)
- Try reinstalling the extension
4. Run Securely Command Issues
Problem: Commands don't have access to injected secrets
Solutions:
- To run commands with secrets injected, use the
Keeper Security: Run Securelycommand from the Command Palette. - Verify your
.envfile contains validkeeper://references - Ensure all referenced secrets exist in your vault
- Ensure other unnecessary terminals are deleted and Check that the latest terminal is created by the extension
5. Folder Selection Issues
Problem: Cannot select or change vault folders
Solutions:
- Ensure you have proper permissions to folders in your vault
- For CLI Mode: Check that Keeper Commander CLI has proper permissions
- For KSM Mode: Verify that your Secrets Manager application has access to the shared folder(s)
- Verify folder structure in your vault
- Try reloading the window.
6. Mode Type Issue from settings
Problem: Mode not changing from settings
Solutions:
-
After changing mode type from dropdown, perform Reload Editor Window (
Ctrl+Shift+P(orCmd+Shift+Pon Mac) → "Developer: Reload Window")OR
-
Try running command
Switch to CLIorSwitch to KSMaccordingly from command palette to toggle between mode(s)
CLI Mode Specific Issues
7. Keeper Commander CLI Not Found
Problem: "Keeper Commander CLI is not installed" error
Solutions:
- Install Keeper Commander CLI Binary for your OS by following the installation guide
- Ensure CLI is accessible from your system PATH
- Verify installation with
keeper --versionin terminal
8. Authentication Failures (CLI Mode)
Problem: "Keeper Commander CLI is not authenticated" errors
Solutions:
- Open your terminal or command prompt.
- Run the following command:
keeper shell - If you're not already logged in, you'll be prompted to enter your Keeper credentials. Follow the prompts to complete the login process.
- Upon successful login, you'll see the command prompt change to:
My Vault> - Then follow these steps to enable Persistent login or Biometric login
Refer to the Logging in guide for full details.
Note: If you've made configuration changes to the Commander CLI manually, please reload your editor window by pressing Ctrl+Shift+P (or Cmd+Shift+P on Mac), then select
Developer: Reload Window.
KSM Mode Specific Issues
9. Command failing for Save and Generate Password (KSM Mode)
Problem: Performed correct steps but still command failing
Solutions:
- Verify that you have authenticated correctly. See the reference for details
- Ensure that you have the "Can Edit" permission for the shared folder in your Secrets Manager application.
License
This extension is licensed under the MIT License.