Managing Plugins

Plugins extend Claude Code with additional capabilities. As a team leader, you select which plugins your team uses.

Understanding Plugin Sources

Plugins come from marketplaces—repositories of approved plugins.

Official Marketplace

The official marketplace is maintained by SCC:

{
  "marketplaces": {
    "sandboxed-code-official": {
      "source": "github",
      "owner": "CCimen",
      "repo": "sandboxed-code-plugins"
    }
  }
}

Custom Marketplaces

Your organization may have internal marketplaces:

{
  "marketplaces": {
    "internal-tools": {
      "source": "github",
      "owner": "your-org",
      "repo": "scc-plugins"
    }
  }
}

Adding Plugins to Your Team

Plugin Reference Format

plugin-name@marketplace-name

Examples:

scc-safety-net@sandboxed-code-official
java-analyzer@internal-tools
react-devtools@frontend-marketplace

In Your Team Config

{
  "additional_plugins": [
    "scc-safety-net@sandboxed-code-official",
    "java-analyzer@internal-tools",
    "spring-boot-helper@internal-tools"
  ]
}

Essential Plugins

scc-safety-net

The most important plugin. Blocks destructive git commands:

Blocked Command	Why
`git push --force`	Overwrites remote history
`git reset --hard`	Discards uncommitted changes
`git branch -D`	Force-deletes branches
`git clean -fd`	Deletes untracked files
`git checkout/restore`	Can overwrite local changes

Enable in your config:

"additional_plugins": [
  "scc-safety-net@sandboxed-code-official"
]

Plugin Governance

What Gets Blocked

Organization admins can block plugins by pattern:

{
  "security": {
    "blocked_plugins": [
      "*experimental*",
      "*beta*",
      "untrusted-*"
    ]
  }
}

Even if you add these to your team config, they will be filtered out.

What You Can Add

Your additions must:

Come from an approved marketplace
Not match any blocked_plugins pattern
Match allowed_plugins pattern (if org specifies one)

Allowing Developer Additions

You can let developers add project-specific plugins by opening two gates:

Allow their team in delegation.teams.allow_additional_plugins
If defaults.allowed_plugins is set, the plugin name must match one of those patterns

{
  "defaults": {
    "allowed_plugins": ["team-*", "project-*"]
  },
  "delegation": {
    "teams": {
      "allow_additional_plugins": ["backend", "frontend"]
    },
    "projects": {
      "inherit_team_delegation": true
    }
  }
}

Teams still need profiles.<team>.delegation.allow_project_overrides: true for .scc.yaml additions.

Restrictive Approach

{
  "delegation": {
    "teams": {
      "allow_additional_plugins": []
    }
  }
}

Developers cannot add any plugins beyond team defaults.

Permissive Approach

{
  "defaults": {
    "allowed_plugins": ["*"]
  },
  "delegation": {
    "teams": {
      "allow_additional_plugins": ["*"]
    }
  }
}

Developers can add any non-blocked plugin from approved marketplaces.

Auditing Plugins

See what plugins are currently installed:

scc audit plugins

Output:

Team: backend
Effective plugins:
  ✓ scc-safety-net@sandboxed-code-official (from: team)
  ✓ java-analyzer@internal (from: team)
  ✓ project-linter@internal (from: project/.scc.yaml)

Blocked plugins (attempted but filtered):
  ✗ experimental-tool@internal (matches: *experimental*)

Troubleshooting

Plugin not appearing

Check the plugin is actually present in the effective config
Terminal window
```
scc config explain --field plugins
```
Check for delegation/allowlist denials
Terminal window
```
scc config explain --field denied
```
Check for security blocks
Terminal window
```
scc config explain --field blocked
```
Check spelling of plugin and marketplace names
Force refresh config
Terminal window
```
scc update --force
```

Plugin blocked unexpectedly

The plugin matches a blocked_plugins pattern. Contact your org admin if you believe this is incorrect.

Different plugins on different machines

Ensure everyone has the latest config:

scc update

Check effective config:

scc config explain --field plugins