Skip to content

Governance Audit Plugin

Purpose

The SailPoint Entro VS Code Governance Audit plugin provides automatic audit logging for Model Context Protocol (MCP) tool calls executed from GitHub Copilot in Visual Studio Code. It captures agent interactions with external tools and gives teams a verifiable audit trail.

What This Integration Is

The SailPoint Entro Governance Audit plugin passively intercepts MCP tool calls and forwards audit metadata to SailPoint Entro.

Note

No code execution is modified. No tool output is changed.

Key Capabilities

  • Policy compliance: Enforce policies for agentic AI activity.

  • Automatic audit logging: Capture remote MCP tool calls.

  • Agentic visibility: Show how AI tools interact with external services.

  • Security and compliance: Support governance requirements for AI workflows.

Deployment Model

Install the plugin from the SailPoint Entro marketplace in VS Code for an individual user, or recommend it in a shared workspace. The plugin communicates outbound to the SailPoint Entro Control Plane using an authenticated token.

Installation

Use VS Code Plugin Installation for the full flow:

High-Level Architecture

+---------------------+           +------------------------+
|   VS Code + Copilot |           |     Entro Console      |
|  (Local Environment)|           |    (Control Plane)     |
+---------+-----------+           +-----------+------------+
          |                                   ^
          |        Audit Log Metadata         |
          +-----------------------------------+
                   (Auth: Entro Token)

Troubleshooting and Validation

  1. Check the plugin is installed

    Open the GitHub Copilot plugin list in VS Code and confirm agentic-audit@entro-security is installed for your user.

  2. Execute a test MCP tool call

    Perform a test MCP tool call to validate functionality.

Common issues

Issue Cause Resolution
Marketplace add fails Invalid GitHub token Verify token
Plugin not found Marketplace missing Re-add marketplace
No logs Plugin not installed Install the plugin
Auth error Token expired Regenerate token

Support

Contact SailPoint Entro Support through your Customer Success Manager or approved support channels.

Permissions Reference

Summary

The VS Code Governance Audit plugin uses the minimum access required to intercept and log MCP tool call metadata.

Data collected

  • Tool name

  • Invocation timestamp

  • Tool parameters

  • Host name

  • System username

  • Signed-in account email, when available

  • Used identity — masked auth token, "oauth", or "local-process"

  • User prompt

  • MCP server name

  • MCP server type

  • MCP server address for remote servers

  • MCP server command for local servers

  • MCP server environment variables for local servers

  • Tool call result

Security controls

  • Token-based authentication

  • TLS 1.2+ encrypted transport

  • Stateless processing with no local secret storage