GitOps Configuration

GitOps (federated) configuration lets your team maintain its own config repository. This provides more autonomy while still respecting organization security boundaries.

When to Use GitOps

Medium to large teams
Frequent configuration changes
Teams want PR-based review process
Need version history for compliance
Different teams need different update cycles

How It Works

Setting Up

Create your team’s config repository

Create a new repository (public or private) to hold your team’s config.
- Directorybackend-team-scc-config/
  - team-config.json
  - README.md

Create team-config.json

{
  "schema_version": "1.0.0",
  "enabled_plugins": [
    "scc-safety-net@sandboxed-code-official",
    "java-analyzer@internal-marketplace"
  ]
}

Ask org admin to configure federation

The org config needs to point to your repository:

{
  "profiles": {
    "backend": {
      "config_source": {
        "source": "github",
        "owner": "acme",
        "repo": "backend-team-scc-config"
      },
      "trust": {
        "inherit_org_marketplaces": true,
        "allow_additional_marketplaces": false
      }
    }
  }
}

Validate your config

scc team validate --file team-config.json

Source Types

GitHub

"config_source": {
  "source": "github",
  "owner": "org-name",
  "repo": "team-config-repo",
  "branch": "main",
  "path": "team-config.json"
}

For private repos, org admin configures token auth.

GitLab

"config_source": {
  "source": "git",
  "url": "git@gitlab.example.com:team/config.git",
  "branch": "main"
}

HTTPS Endpoint

"config_source": {
  "source": "url",
  "url": "https://config.example.com/team/backend.json",
  "headers": {
    "Authorization": "Bearer ${CONFIG_TOKEN}"
  }
}

Trust Settings

Org admin controls what your federated config can do:

inherit_org_marketplaces

"trust": {
  "inherit_org_marketplaces": true
}

true: Your team can use all org-approved marketplaces
false: Your team only uses marketplaces you define

allow_additional_marketplaces

"trust": {
  "allow_additional_marketplaces": true,
  "marketplace_source_patterns": [
    "github.com/acme/**"
  ]
}

true: Your team can add custom marketplaces (within patterns)
false: Your team can only use org-defined marketplaces

Config File Structure

{
  "schema_version": "1.0.0",

  "enabled_plugins": [
    "plugin-name@marketplace"
  ],

  "disabled_plugins": [
    "legacy-tool@marketplace"
  ],

  "marketplaces": {
    "team-marketplace": {
      "source": "github",
      "owner": "acme",
      "repo": "team-plugins"
    }
  }
}

Workflow: Making Changes

Create a branch
Terminal window
```
git checkout -b add-new-plugin
```

Edit team-config.json

"enabled_plugins": [
  "scc-safety-net@sandboxed-code-official",
  "new-tool@marketplace"  // ← Added
]

Validate locally

scc team validate --file team-config.json

Create PR and get review
Merge to main

Developers get update

scc update
# or automatic on next session start

Caching and Updates

Team configs are cached locally:

Setting	Default	Description
Cache TTL	24 hours	How long before re-fetching
Force refresh	`scc update`	Immediately fetch latest
Offline mode	Uses cache	Works without network

Troubleshooting

”Trust validation failed”

Your config tries to use something the org doesn’t permit:

scc team validate backend

Common causes:

Adding a marketplace when allow_additional_marketplaces: false
Plugin matches org’s blocked_plugins pattern

”Config fetch failed”

Check repository URL is correct
Verify authentication token is valid (for private repos)
Ensure branch exists

”Stale config”

Force refresh:

scc update --force

Or clear cache:

rm -rf ~/.cache/scc/team-config/
scc update