Skip to content
SCC CLI

Managing Plugins

Plugins extend the AI coding agent with additional capabilities. As a team leader, you select which plugins your team uses. Claude Code and Codex have different native plugin surfaces — SCC unifies governance at the approval/bundle level.

Understanding Plugin Sources

Section titled “Understanding Plugin Sources”

Plugins come from marketplaces—repositories of approved plugins.

Official Marketplace

Section titled “Official Marketplace”

The official marketplace is maintained by SCC:

{
  "marketplaces": {
    "sandboxed-code-official": {
      "source": "github",
      "owner": "CCimen",
      "repo": "sandboxed-code-plugins"
    }
  }
}

Custom Marketplaces

Section titled “Custom Marketplaces”

Your organization may have internal marketplaces:

{
  "marketplaces": {
    "internal-tools": {
      "source": "github",
      "owner": "your-org",
      "repo": "scc-plugins"
    }
  }
}

Adding Plugins to Your Team

Section titled “Adding Plugins to Your Team”

Plugin Reference Format

Section titled “Plugin Reference Format”
plugin-name@marketplace-name

Examples:

  • scc-safety-net@sandboxed-code-official
  • java-analyzer@internal-tools
  • react-devtools@frontend-marketplace

In Your Team Config

Section titled “In Your Team Config”
{
  "additional_plugins": [
    "scc-safety-net@sandboxed-code-official",
    "java-analyzer@internal-tools",
    "spring-boot-helper@internal-tools"
  ]
}

Essential Plugins

Section titled “Essential Plugins”

scc-safety-net

Section titled “scc-safety-net”

The most important plugin. Blocks destructive git commands:

Blocked CommandWhy
git push --forceOverwrites remote history
git reset --hardDiscards uncommitted changes
git branch -DForce-deletes branches
git clean -fdDeletes untracked files
git checkout/restoreCan overwrite local changes

Enable in your config:

"additional_plugins": [
  "scc-safety-net@sandboxed-code-official"
]

Plugin Governance

Section titled “Plugin Governance”

What Gets Blocked

Section titled “What Gets Blocked”

Organization admins can block plugins by pattern:

{
  "security": {
    "blocked_plugins": [
      "*experimental*",
      "*beta*",
      "untrusted-*"
    ]
  }
}

Even if you add these to your team config, they will be filtered out.

What You Can Add

Section titled “What You Can Add”

Your additions must:

  1. Come from an approved marketplace
  2. Not match any blocked_plugins pattern
  3. Match allowed_plugins pattern (if org specifies one)

Allowing Developer Additions

Section titled “Allowing Developer Additions”

You can let developers add project-specific plugins by opening two gates:

  1. Allow their team in delegation.teams.allow_additional_plugins
  2. If defaults.allowed_plugins is set, the plugin name must match one of those patterns
{
  "defaults": {
    "allowed_plugins": ["team-*", "project-*"]
  },
  "delegation": {
    "teams": {
      "allow_additional_plugins": ["backend", "frontend"]
    },
    "projects": {
      "inherit_team_delegation": true
    }
  }
}

Teams still need profiles.<team>.delegation.allow_project_overrides: true for .scc.yaml additions.

Restrictive Approach

Section titled “Restrictive Approach”
{
  "delegation": {
    "teams": {
      "allow_additional_plugins": []
    }
  }
}

Developers cannot add any plugins beyond team defaults.

Permissive Approach

Section titled “Permissive Approach”
{
  "defaults": {
    "allowed_plugins": ["*"]
  },
  "delegation": {
    "teams": {
      "allow_additional_plugins": ["*"]
    }
  }
}

Developers can add any non-blocked plugin from approved marketplaces.

Auditing Plugins

Section titled “Auditing Plugins”

See what plugins are currently installed:

Terminal window
scc audit plugins

Output:

Team: backend
Effective plugins:
  ✓ scc-safety-net@sandboxed-code-official (from: team)
  ✓ java-analyzer@internal (from: team)
  ✓ project-linter@internal (from: project/.scc.yaml)


Blocked plugins (attempted but filtered):
  ✗ experimental-tool@internal (matches: *experimental*)

Troubleshooting

Section titled “Troubleshooting”

Plugin not appearing

Section titled “Plugin not appearing”

  1. Check the plugin is actually present in the effective config

    Terminal window
    scc config explain --field plugins

  2. Check for delegation/allowlist denials

    Terminal window
    scc config explain --field denied

  3. Check for security blocks

    Terminal window
    scc config explain --field blocked

  4. Check spelling of plugin and marketplace names

  5. Force refresh config

    Terminal window
    scc update --force

Plugin blocked unexpectedly

Section titled “Plugin blocked unexpectedly”

The plugin matches a blocked_plugins pattern. Contact your org admin if you believe this is incorrect.

Different plugins on different machines

Section titled “Different plugins on different machines”

Ensure everyone has the latest config:

Terminal window
scc update

Check effective config:

Terminal window
scc config explain --field plugins