Security Documentation Index

June 17, 2026

Complete guide to VT Code's security documentation.

Quick Start

New to VT Code Security? Start here:

Core Documentation

For Users

Security Guide

  • Security features overview
  • Configuration instructions
  • Best practices
  • Incident response

For Developers

Security Model

  • Complete security architecture
  • Defense-in-depth layers
  • Threat model
  • Adding new commands safely
  • Security testing procedures

Web Fetch Security

  • Web fetch security policies

For Organizations

Tool Policies

  • Command execution policies
  • Approval workflows
  • Policy configuration

Security Features by Layer

Layer 1: Command Allowlist

  • Location: vtcode-core/src/execpolicy/mod.rs
  • Documentation: Security Model - Layer 1
  • Only 9 commands allowed: ls, cat, cp, head, printenv, pwd, rg, sed, which

Layer 2: Argument Validation

  • Location: vtcode-core/src/execpolicy/mod.rs
  • Documentation: Security Model - Layer 2
  • Per-command validators: Explicit flag allowlists, execution flag blocking

Layer 3: Workspace Isolation

  • Location: vtcode-core/src/execpolicy/mod.rs
  • Documentation: Security Model - Layer 3
  • Path validation: Normalization, symlink resolution, boundary checks

Layer 4: Sandbox Integration

  • Location: vtcode-core/src/sandbox/, vtcode-core/src/tools/bash_tool.rs
  • Documentation: Security Guide - Sandbox
  • Anthropic sandbox: Filesystem isolation, network allowlist

Layer 5: Human-in-the-Loop

Configuration

Tool Policy

  • File: ~/.config/vtcode/tool_policy.toml
  • Documentation: Tool Policies

Workspace Configuration

Sandbox Configuration

Reporting Security Issues

Responsible Disclosure

  1. Do Not Disclose Publicly - Report privately first
  2. GitHub Security Advisory - Use GitHub's security advisory feature
  3. Provide Details - Include reproduction steps
  4. Coordinate Disclosure - Allow time for fix

Contact


Documentation Version: 1.0
Last Updated: October 25, 2025
Security Model Version: 1.0