Safety Net Plugin

The scc-safety-net plugin is the most important plugin for organizations. It blocks destructive git commands that could cause data loss.

What It Blocks

Command	Why It’s Dangerous
`git push --force`	Overwrites remote history
`git push -f`	Same as above (shorthand)
`git reset --hard`	Discards uncommitted changes
`git branch -D`	Force-deletes branches
`git clean -fd`	Deletes untracked files
`git checkout <file>`	Can overwrite local changes
`git restore <file>`	Can overwrite local changes
`git stash drop`	Permanently deletes stashed changes
`git stash clear`	Deletes all stashes permanently

Enabling Safety Net

Add to your organization defaults:

{
  "defaults": {
    "enabled_plugins": [
      "scc-safety-net@sandboxed-code-official"
    ]
  }
}

Or at the team level:

{
  "profiles": {
    "backend": {
      "additional_plugins": [
        "scc-safety-net@sandboxed-code-official"
      ]
    }
  }
}

How It Works

The safety net plugin uses Claude Code hooks to intercept bash commands before execution:

Claude attempts to run a git command
The hook inspects the command
If it matches a dangerous pattern, the command is blocked
Claude receives an error explaining why

Example output when blocked:

Blocked by scc-safety-net: git push --force
This command can overwrite remote history and cause data loss.
Use 'git push' without --force instead.

Safe Alternatives

Blocked Command	Safe Alternative
`git push --force`	`git push --force-with-lease` (still checks remote)
`git reset --hard`	`git stash` (preserves changes)
`git branch -D`	`git branch -d` (only deletes merged branches)
`git clean -fd`	`git clean -fdn` (dry run first)
`git stash drop`	Review stash contents first with `git stash show`
`git stash clear`	Backup important stashes before clearing

Policy Modes

Organizations can configure the safety net behavior:

{
  "security": {
    "safety_net": {
      "action": "block"
    }
  }
}

Mode	Behavior
`block`	Commands are blocked (default)
`warn`	Commands are allowed with warning
`allow`	Safety net disabled

Granular Control

For fine-grained control, configure individual command categories:

{
  "security": {
    "safety_net": {
      "action": "block",
      "block_force_push": true,
      "block_reset_hard": true,
      "block_branch_force_delete": true,
      "block_checkout_restore": true,
      "block_clean": true,
      "block_stash_destructive": true
    }
  }
}

Option	Default	Description
`block_force_push`	`true`	Block `git push --force`, `-f`, and `+refspec`
`block_reset_hard`	`true`	Block `git reset --hard`
`block_branch_force_delete`	`true`	Block `git branch -D` (force delete)
`block_checkout_restore`	`true`	Block `git checkout -- <file>` and `git restore <file>`
`block_clean`	`true`	Block `git clean -f`
`block_stash_destructive`	`true`	Block `git stash drop` and `git stash clear`

Exceptions for Specific Projects

Some projects may legitimately need force-push (e.g., release branches). Configure at the project level:

plugins:
  scc-safety-net:
    allow_force_push: true

This requires:

Team has allow_project_overrides: true
The project explicitly opts in
Org admin has not blocked this via policy

Auditing

Check if safety net is active:

scc audit plugins

Output:

Team: backend
Effective plugins:
  ✓ scc-safety-net@sandboxed-code-official (from: org.defaults)

Debugging

If commands are unexpectedly blocked:

# Check what plugins are active
scc config explain --field plugins

# Check policy mode
scc config explain --field security.safety_net.action

Best Practices

Enable globally: Add to defaults.enabled_plugins for all users
Block at org level: Never allow allow mode in security-sensitive orgs
Audit regularly: Run scc audit plugins to ensure coverage
Educate developers: Explain why these protections exist

Plugin Source

The safety net plugin is maintained in the official SCC plugin marketplace:

{
  "marketplaces": {
    "sandboxed-code-official": {
      "source": "github",
      "owner": "CCimen",
      "repo": "sandboxed-code-plugins"
    }
  }
}