Antivirus & Device Guard exclusions
Windows Defender, Device Guard, and corporate EDR agents frequently block CLI binaries installed via winget, scoop, npm, or pip. Symptoms:
- spawn UNKNOWN/EPERM when the extension tries to launch the tool.
- Error: “file cannot be accessed by the system” / “Device Guard is preventing…”
- The CLI is installed (you can see it in where/Get-Command), but every run fails.
This page lists the exact folders you should add to your antivirus exclusion list so Quality Hub tools run reliably. Excluding the specific sub-folder is safer than excluding %LOCALAPPDATA% wholesale.
For Docker slowdowns and repo-wide scans, also see Installation → Antivirus and real-time scanning (Windows).
How to add an exclusion (Windows 11)
- Settings → Privacy & security → Windows Security.
- Virus & threat protection → Manage settings → Add or remove exclusions.
- Click Add an exclusion → Folder → paste the path.
For corporate machines managed by MDM / Intune, ask your admin — local exclusions may be overridden by policy.
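The same steps scripted in PowerShell, as an added example that is not part of the original page or of the Quality Hub project. It uses the built-in Defender cmdlets Get-MpPreference and Add-MpPreference and takes the Trivy paths listed on this page as input. The function names are hypothetical, and it assumes you elevate as the same user who installed the tool.

```powershell
#Requires -RunAsAdministrator
# Added example (function names are hypothetical, not from the page).
# Adds Defender exclusions only for listed paths that actually exist.
# Note: %LOCALAPPDATA% / %USERPROFILE% expand for the account running this
# elevated session, so run it as the user who installed the tool.

function Resolve-ExclusionCandidate {
    param([Parameter(Mandatory)][string[]]$Pattern)
    foreach ($p in $Pattern) {
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        # Resolve-Path expands wildcards (e.g. Source_*) and skips missing paths.
        Resolve-Path -Path $expanded -ErrorAction SilentlyContinue |
            ForEach-Object { $_.ProviderPath.TrimEnd('\') }
    }
}

function Add-ToolExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Pattern)

    # Paths already excluded, so nothing is added twice.
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($path in Resolve-ExclusionCandidate -Pattern $Pattern) {
        if ($current -contains $path) {
            Write-Verbose "Already excluded: $path"
            continue
        }
        if ($PSCmdlet.ShouldProcess($path, 'Add Defender exclusion')) {
            Add-MpPreference -ExclusionPath $path
        }
    }
}

# Trivy entries as listed on this page; swap in another tool's list as needed.
$trivy = @(
    '%LOCALAPPDATA%\Microsoft\WinGet\Packages\AquaSecurity.Trivy_Microsoft.Winget.Source_8wekyb3d8bbwe\',
    '%LOCALAPPDATA%\Microsoft\WinGet\Links\trivy.exe',
    '%USERPROFILE%\scoop\shims\trivy.exe',
    '%USERPROFILE%\scoop\apps\trivy\'
)

Add-ToolExclusion -Pattern $trivy -WhatIf   # preview only; remove -WhatIf to apply
(Get-MpPreference).ExclusionPath            # review what is excluded afterwards
```

On machines where exclusions are set by policy, the last line shows the effective list, which may differ from what was added locally.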
Trivy
- %LOCALAPPDATA%\Microsoft\WinGet\Packages\AquaSecurity.Trivy_Microsoft.Winget.Source_8wekyb3d8bbwe\
- %LOCALAPPDATA%\Microsoft\WinGet\Links\trivy.exe
- %USERPROFILE%\scoop\shims\trivy.exe
- %USERPROFILE%\scoop\apps\trivy\
Alternative: start Docker Desktop — the extension falls back to the container image and no AV exclusion is needed.
Hadolint
- %LOCALAPPDATA%\Microsoft\WinGet\Packages\hadolint.hadolint_Microsoft.Winget.Source_*
- %LOCALAPPDATA%\Microsoft\WinGet\Links\hadolint.exe
- %USERPROFILE%\scoop\shims\hadolint.exe
Squawk
- <project>\node_modules\.bin\squawk.cmd
- %APPDATA%\npm\squawk.cmd
- %USERPROFILE%\.cargo\bin\squawk.exe
Semgrep
- %LOCALAPPDATA%\Programs\Python\Python3*\Scripts\semgrep.exe
- %APPDATA%\Python\Python3*\Scripts\semgrep.exe
- %USERPROFILE%\.local\bin\semgrep.exe
ShellCheck
- %LOCALAPPDATA%\Microsoft\WinGet\Packages\koalaman.shellcheck_*
- %USERPROFILE%\scoop\shims\shellcheck.exe
golangci-lint
- %USERPROFILE%\go\bin\golangci-lint.exe
- %LOCALAPPDATA%\Microsoft\WinGet\Packages\golangci.golangci-lint_*
Oxlint / Biome (Rust-based — often flagged)
- <project>\node_modules\.bin\oxlint.cmd
- <project>\node_modules\.bin\biome.cmd
- %APPDATA%\npm\oxlint.cmd
- %APPDATA%\npm\biome.cmd
Bearer
- %USERPROFILE%\scoop\shims\bearer.exe
- %USERPROFILE%\scoop\apps\bearer\
Or run via Docker — the extension auto-falls-back when Docker is available.
markdownlint / prisma-lint / dotenv-linter / misspell / gitleaks
These are all usually in:
- <project>\node_modules\.bin\
- %APPDATA%\npm\
- %USERPROFILE%\scoop\shims\
- %USERPROFILE%\.cargo\bin\
act (GitHub Actions local runner)
- %LOCALAPPDATA%\Microsoft\WinGet\Packages\nektos.act_*
- %LOCALAPPDATA%\Microsoft\WinGet\Links\act.exe
- %USERPROFILE%\scoop\shims\act.exe
Also requires Docker Desktop running.
General recommendation
If your security policy allows it, add these parent folders once:
- %LOCALAPPDATA%\Microsoft\WinGet\Packages
- %LOCALAPPDATA%\Microsoft\WinGet\Links
- %USERPROFILE%\scoop
- %APPDATA%\npm
- %USERPROFILE%\.cargo\bin
- %USERPROFILE%\go\bin
This covers 95% of developer CLI tools without per-binary maintenance.