Run Guard
Table of Contents
- Overview
- Guard Sources
- Manual Toggle
- Definition Flag
- Pattern Matching
- Confirmation Dialog
- Visual Indicator
- Compound Task Integration
- Combining Guard Sources
- Next Steps
New in v1.8.0 Run Guard β prevent accidental execution of sensitive tasks with confirmation dialogs and visual badges.
Overview
Run Guard prevents accidental execution of destructive or sensitive tasks by requiring explicit confirmation before they run. A π‘οΈ badge appears on guarded tasks directly in the tree view, and a confirmation dialog is shown whenever a guarded task is triggered β whether from the tree, a compound task queue, or any other execution path.
Guard Sources
There are three independent ways to mark a task as guarded. They can be combined freely; any one matching source is sufficient to require confirmation.
| Priority | Source | Best for |
|---|---|---|
| 1 (highest) | Manual toggle | Ad-hoc protection; per-user per-workspace; no file changes needed |
| 2 | Definition flag | Source-controlled guard on custom workspace tasks |
| 3 (lowest) | Pattern matching | Broad coverage of discovered tasks by name |
Manual Toggle
Toggle a run guard on any task directly from the tree view without editing any file.
Adding a Run Guard
- Right-click any task in the tree
- Select Add Run Guard from the context menu
- The task immediately shows a π‘οΈ badge
Removing a Run Guard
- Right-click any guarded task (shows the π‘οΈ badge)
- Select Remove Run Guard from the context menu
- The badge is removed immediately
Notes
- The guard state is stored in VS Codeβs workspace state β it persists across sessions but is workspace-specific and not committed to source control
- Applies to any task type: npm scripts, Makefile targets, Gradle tasks, custom workspace tasks, etc.
- The state is stored per canonical task ID, so it remains stable even if task labels change due to grouping
Definition Flag
Declare a guard directly in your .workspace-tasks.json file with "confirm": true. This is source-controlled and applies to any developer who opens the workspace.
{
"tasks": [
{
"label": "Deploy to Production",
"type": "shell",
"command": "./deploy.sh --env prod",
"confirm": true
},
{
"label": "Drop Database",
"type": "shell",
"command": "npm run db:drop",
"confirm": true
}
]
}
Notes
- Only applies to tasks defined in
.workspace-tasks.json(custom workspace tasks) - Committed to source control β guards shared with the whole team automatically
- The
"confirm"field defaults tofalseand is optional
Pattern Matching
Use the workspaceTasks.task.confirmPatterns setting to guard any task whose label matches a regular expression pattern. This works for all task types, including discovered tasks from package.json, Makefile, build.gradle, and others.
{
"workspaceTasks.task.confirmPatterns": [
"deploy.*",
"db:drop",
"terraform apply",
".*:prod$"
]
}
Patterns are matched case-insensitively against the taskβs original label (before any grouping prefix is applied).
Settings Reference
workspaceTasks.task.confirmPatterns
Type: array of string Default: [] Scope: resource
Array of regular expression strings (case-insensitive) matched against task labels. Any task whose label matches at least one pattern will prompt for confirmation before running.
{
"workspaceTasks.task.confirmPatterns": [
"deploy.*",
"db:drop",
"terraform apply"
]
}
Examples:
| Pattern | Matches |
|---|---|
deploy.* | deploy, deploy-prod, deploy to staging |
db:drop | db:drop (exact) |
.*:prod$ | deploy:prod, release:prod |
terraform | Any label containing terraform |
Invalid patterns (bad regex syntax) are silently skipped β they do not throw errors or prevent other patterns from working.
Confirmation Dialog
When a guarded task is triggered, a modal dialog appears before the task runs:
Run guarded task?
Task name is marked as a guarded task. Are you sure you want to run it?
[ Run Task ] [ Cancel ]
- Clicking Run Task proceeds with execution
- Clicking Cancel or dismissing the dialog cancels execution entirely β no task state is changed
- For compound tasks in sequential mode, cancelling any step stops the entire sequence
- For compound tasks in parallel mode, cancelling one taskβs dialog skips only that task; other parallel tasks that were confirmed still run
Visual Indicator
Guarded tasks show a π‘οΈ badge in the tree view. The badge color uses the themeβs list.warningForeground color so it integrates naturally with your active theme.
The badge appears on:
- Individual task items
- Favorite copies of guarded tasks
- Recent task copies of guarded tasks
The badge does not appear on compound task group headers β only on individual runnable items.
Compound Task Integration
Run Guard integrates fully with compound task queues:
Sequential Mode
If a user cancels the confirmation dialog for any task in a sequential compound run, the entire sequence stops at that point. Tasks that already ran are unaffected; the remaining tasks in the queue do not execute.
Parallel Mode
Each guarded task in a parallel compound run shows its own confirmation dialog. Cancelling one dialog skips only that individual task; all other tasks in the parallel group continue normally.
Restart Behavior
When a task is restarted (via the context menu Restart action), the guard dialog is not shown. A restart is an explicit user action, so the confirmation is considered implicit.
Combining Guard Sources
All three guard sources are evaluated independently. A task is guarded if any source marks it:
isGuarded = manualToggle OR definitionFlag OR patternMatch
For example, a task can be guarded by a confirmPatterns pattern in the teamβs shared settings.json and also have an individual team member override a manual toggle. Both sources arriving at the same task is harmless β the confirmation dialog only appears once.
Next Steps
- Running Tasks β Full task execution options
- Compound Tasks (Queues) β Sequential and parallel task sequences
- Custom Workspace Tasks β
.workspace-tasks.jsonreference including theconfirmfield - Configuration β Full settings reference