Security Policies
Security policies define absolute boundaries that no team or project can override.
Security Section Overview
```json
{
  "security": {
    "blocked_plugins": [],
    "blocked_mcp_servers": [],
    "blocked_base_images": [],
    "allow_stdio_mcp": false,
    "allowed_stdio_prefixes": []
  }
}
```
Blocking Plugins
Block plugins by name pattern:
```json
{
  "security": {
    "blocked_plugins": [
      "malicious-*",
      "*experimental*",
      "*beta*",
      "untrusted-tool"
    ]
  }
}
```
Patterns use glob syntax (fnmatch) with case-insensitive matching.

| Pattern | Matches |
|---|---|
| `malicious-*` | `malicious-tool`, `malicious-plugin` |
| `*experimental*` | `experimental-v1`, `my-experimental-tool` |
| `*beta*` | `feature-beta`, `beta-release` |
| `untrusted-tool` | Exact match only |

Blocking MCP Servers
Block MCP servers by name or URL pattern:
```json
{
  "security": {
    "blocked_mcp_servers": [
      "*.untrusted.com",
      "insecure-api",
      "*localhost*"
    ]
  }
}
```
Both server names and URL domains are matched against these patterns.
Blocking Docker Images
Block Docker base images:
```json
{
  "security": {
    "blocked_base_images": [
      "*:latest",
      "docker.io/*",
      "untrusted-registry.com/*"
    ]
  }
}
```
Plugin Allowlist
The `defaults.allowed_plugins` field controls which plugins can be enabled (governance whitelist):
```json
{ "defaults": {} }
```
Missing or undefined = all plugins allowed.
```json
{ "defaults": { "allowed_plugins": ["*"] } }
```
Explicit wildcard = all plugins allowed.
```json
{ "defaults": { "allowed_plugins": [] } }
```
Empty array = no plugins allowed (lockdown mode).
```json
{
  "defaults": {
    "allowed_plugins": [
      "*@internal",
      "code-review@*",
      "approved-tool@official"
    ]
  }
}
```
Only matching plugins are allowed.
Invariant Rules
SCC enforces two invariants at config validation:
- `enabled ⊆ allowed`: Enabled plugins must be in the allowed list
- `enabled ∩ blocked = ∅`: Enabled plugins must not be blocked by security
If these invariants are violated, config validation fails.
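
The two invariants and the allowlist semantics above, sketched as an added Python example (not SCC's own code). It assumes the enabled plugins arrive as a list of `name@source` strings and that both `blocked_plugins` and `allowed_plugins` patterns are matched against that full string; `matches`, `check_invariants` and `SAMPLE` are hypothetical names.

```python
from fnmatch import fnmatchcase


def matches(name, patterns):
    """Return the first glob pattern matching name (case-insensitive), else None."""
    # fnmatch.fnmatch() only folds case on case-insensitive platforms, so
    # lowercase both sides and use fnmatchcase() for identical results everywhere.
    lowered = name.lower()
    for pattern in patterns:
        if fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None


def check_invariants(config, enabled):
    """Return a list of violation strings; an empty list means both invariants hold."""
    blocked = config.get("security", {}).get("blocked_plugins", [])
    # A missing allowed_plugins key means "all allowed"; [] means lockdown.
    allowed = config.get("defaults", {}).get("allowed_plugins")
    violations = []
    for plugin in enabled:
        # Invariant: enabled ∩ blocked = ∅
        hit = matches(plugin, blocked)
        if hit is not None:
            violations.append(f"{plugin}: blocked by {hit}")
        # Invariant: enabled ⊆ allowed
        if allowed is not None and matches(plugin, allowed) is None:
            violations.append(f"{plugin}: not in allowed_plugins")
    return violations


# Constructed sample config and plugin names, for illustration only.
SAMPLE = {
    "security": {"blocked_plugins": ["*experimental*", "*beta*"]},
    "defaults": {"allowed_plugins": ["*@internal", "code-review@*"]},
}

if __name__ == "__main__":
    enabled = ["lint@internal", "Beta-Tool@internal", "chat@public"]
    for violation in check_invariants(SAMPLE, enabled):
        print(violation)
```

A plugin that is on the allowlist but also matches a block pattern still fails, since the two checks are independent.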
Stdio MCP Policy
Stdio MCP servers run local processes with elevated privileges. They’re disabled by default:
```json
{ "security": { "allow_stdio_mcp": false } }
```
To enable with restrictions:
```json
{
  "security": {
    "allow_stdio_mcp": true,
    "allowed_stdio_prefixes": [
      "/usr/local/bin/",
      "/opt/approved-tools/"
    ]
  }
}
```

| Setting | Effect |
|---|---|
| `allow_stdio_mcp: false` | All stdio servers blocked |
| `allow_stdio_mcp: true` + no prefixes | Any absolute path allowed |
| `allow_stdio_mcp: true` + prefixes | Only matching paths allowed |

Two Trust Sources
Understanding the trust model is critical:
SCC-Managed MCP Servers
Servers declared in org/team/project config:
- `blocked_mcp_servers` patterns apply
- `allow_stdio_mcp` gate applies
- `allowed_stdio_prefixes` validation applies
- Delegation controls who can add them

Plugin-Bundled MCP Servers
Servers inside plugin `.mcp.json` files:
- Not governed by `blocked_mcp_servers`
- To restrict, block the entire plugin
- Plugins are atomic trust units
Example: Strict Security Config
```json
{
  "security": {
    "blocked_plugins": [
      "*experimental*",
      "*beta*",
      "*untrusted*",
      "*malicious*"
    ],
    "blocked_mcp_servers": [
      "*.untrusted.com",
      "*localhost*",
      "*127.0.0.1*"
    ],
    "blocked_base_images": [
      "*:latest",
      "docker.io/*"
    ],
    "allow_stdio_mcp": false
  },
  "defaults": {
    "allowed_plugins": [
      "*@sandboxed-code-official",
      "*@internal"
    ]
  }
}
```
Debugging Security Blocks
See what’s blocked:
```
scc config explain --field blocked_items
```
Output shows which patterns blocked which resources:
```
blocked_items:
  - experimental-tool (blocked_by: *experimental*, source: org.security)
  - beta-plugin (blocked_by: *beta*, source: org.security)
```