Approved Development Tools and Plugin Policy
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to tooling categories or customer contractual restrictions
Purpose
This policy defines requirements for integrated development environments, editors, command-line tooling, plugins, extensions, and related integrations used for customer work.
Scope
This policy applies to IDEs, code editors, CLI development tools, browser extensions used in development workflows, IDE plugins, AI-assisted coding tools where permitted, and repository integrations used on customer engagements.
Policy
Personnel use professional tools suited to the engagement. Tools are kept on supported versions, configured to protect customer intellectual property, and must not exfiltrate customer code, credentials, regulated data, or confidential information to unauthorized services.
Where a product supports disabling or limiting telemetry, personnel configure it in line with customer and company requirements. Plugins and extensions are limited to those required for engineering, testing, security scanning, cloud operations, or justified productivity, sourced from trusted distribution channels, and maintained current.
Repository and account isolation
IDEs and local tooling connect only to repositories and accounts authorized for the active engagement. Customer work is segregated using GitHub organization boundaries and GitLab group, project, and repository boundaries. Access from one customer engagement is not reused for another without explicit authorization.
Enforcement
Controls combine documented onboarding standards, repository and identity access provisioning, peer review, periodic access review, and management oversight. Customer-specific tool restrictions in contract or security addenda take precedence.
Records
Typical evidence includes onboarding checklists, repository membership, access reviews, and where required, screenshots or configuration exports for telemetry and extension posture.