Security Policies

Security policies define absolute boundaries that no team or project can override.

Security Section Overview

{
  "security": {
    "blocked_plugins": [],
    "blocked_mcp_servers": [],
    "allow_stdio_mcp": false,
    "allowed_stdio_prefixes": []
  }
}

Blocking Plugins

Block plugins by name pattern:

{
  "security": {
    "blocked_plugins": [
      "malicious-*",
      "*experimental*",
      "*beta*",
      "untrusted-tool"
    ]
  }
}

Patterns use glob syntax (fnmatch) with case-insensitive matching. Patterns without @ match the plugin name across all marketplaces. Use @marketplace to target a specific marketplace.

Pattern	Matches
malicious-*	malicious-tool, malicious-plugin
*experimental*	experimental-v1, my-experimental-tool
*beta*	feature-beta, beta-release
untrusted-tool	untrusted-tool@any-marketplace

Danger

If a plugin matches a blocked pattern, no team or project can use it. This is absolute.

Blocking MCP Servers

Block MCP servers by name, URL, domain, or stdio command pattern:

{
  "security": {
    "blocked_mcp_servers": [
      "*.untrusted.com",
      "insecure-api",
      "*localhost*"
    ]
  }
}

Patterns are matched against:

• Server name
• Full URL
• URL domain
• Stdio command path

Plugin Allowlist

The defaults.allowed_plugins field controls which plugins can be enabled (governance whitelist):

Unrestricted

{
  "defaults": {}
}

Missing or undefined = all plugins allowed.

Explicit Unrestricted

{
  "defaults": {
    "allowed_plugins": ["*"]
  }
}

Explicit wildcard = all plugins allowed.

Deny All

{
  "defaults": {
    "allowed_plugins": []
  }
}

Empty array = no plugins allowed (lockdown mode).

Specific Whitelist

{
  "defaults": {
    "allowed_plugins": [
      "*@internal",
      "code-review@*",
      "approved-tool@claude-plugins-official"
    ]
  }
}

Only matching plugins are allowed.

Invariant Rules

SCC enforces these invariants at runtime when computing effective config:

1. enabled ⊆ allowed: Enabled plugins must be in the allowed list
2. enabled ∩ blocked = ∅: Enabled plugins must not be blocked by security

Violations are surfaced as blocked/denied items in scc config explain. scc org validate does not currently fail on these invariants.

Stdio MCP Policy

Stdio MCP servers run local processes with elevated privileges. They’re disabled by default:

{
  "security": {
    "allow_stdio_mcp": false
  }
}

To enable with restrictions:

{
  "security": {
    "allow_stdio_mcp": true,
    "allowed_stdio_prefixes": [
      "/usr/local/bin/",
      "/opt/approved-tools/"
    ]
  }
}

Setting	Effect
allow_stdio_mcp: false	All stdio servers blocked
allow_stdio_mcp: true + no prefixes	Any absolute path allowed
allow_stdio_mcp: true + prefixes	Only matching paths allowed

Caution

Stdio MCP servers can access the mounted workspace, network, and environment variables. Enable with care.

Two Trust Sources

Understanding the trust model is critical:

SCC-Managed MCP Servers

Servers declared in org/team/project config:

• blocked_mcp_servers patterns apply
• allow_stdio_mcp gate applies
• allowed_stdio_prefixes validation applies
• Delegation controls who can add them

Plugin-Bundled MCP Servers

Servers inside plugin .mcp.json files:

• Not governed by blocked_mcp_servers
• To restrict, block the entire plugin
• Plugins are atomic trust units

Note

If you allow a plugin, you implicitly allow its bundled MCP servers. To prevent this, block the plugin itself.

Example: Strict Security Config

{
  "security": {
    "blocked_plugins": [
      "*experimental*",
      "*beta*",
      "*untrusted*",
      "*malicious*"
    ],
    "blocked_mcp_servers": [
      "*.untrusted.com",
      "*localhost*",
      "*127.0.0.1*"
    ],
    "allow_stdio_mcp": false
  },
  "defaults": {
    "allowed_plugins": [
      "*@sandboxed-code-official",
      "*@internal"
    ]
  }
}

Debugging Security Blocks

See what’s blocked:

scc config explain --field blocked

Use --json for machine-readable details:

scc config explain --json | jq '.data.blocked_items'