AI Tools Blocklist
Home AI Tools Database Taxonomy Pricing
Solutions
Enterprise IT & CISO Education Firewall Admins Shadow AI Prevention
Integrations
Palo Alto Networks FortiGate Cisco Umbrella pfSense REST API
Download Free Sample
AI Code Assistant Blocking

Block AI Code Assistants
to Protect Proprietary Source Code

AI code assistants silently transmit source code to external servers with every suggestion. Block Copilot, Cursor, Tabnine, and 40+ others at the network, endpoint, and IDE layers using our 16,024+ classified AI-tool domains.

16,024+AI Domains Classified
40+Code Assistant Domains
18Functional Categories
Download Free Sample View Pricing
The Code Exfiltration Risk

Why AI Code Assistants Are a Source Code Exfiltration Vector

Every AI code assistant shares the same architecture: capture code from the IDE, transmit it to an external server, return a suggestion. The developer sees helpful autocomplete — but never sees the network request carrying proprietary source code to a third-party vendor.

How Code Exfiltration Works

1
IDE Plugin Captures Context — The plugin reads the active file contents, cursor position, open tabs, file paths, and import statements.
2
Context Transmitted Over HTTPS — The captured code is sent to a remote inference server as part of the completion prompt. Often entire files or hundreds of surrounding lines.
3
LLM Generates Completion — The vendor's model processes your proprietary code and returns a suggestion displayed inline in the IDE.
4
Code Retained Server-Side — Vendors may cache, log, or use submitted code for model training, evaluation, or service improvement per their ToS.

What Each Tool Transmits

The scale of data transmission is far larger than most engineering leaders realize. An active developer transmits the equivalent of their entire codebase within a normal work week.

Tool Data Transmitted Scope
GitHub Copilot Full active file, snippets from open tabs, file paths, import statements Active file + neighboring context
Cursor Entire repository indexed locally; selected chunks sent for RAG-based generation Full repository
Tabnine (Cloud) Function signatures, docstrings, surrounding implementation code Active file + function context
Amazon Q Developer Code context transmitted to AWS-hosted inference endpoints Active file context
Cody (Sourcegraph) Codebase-aware context via Sourcegraph indexing infrastructure Repository-wide

Vendor Terms & Training Data Risk

Code assistant vendors' terms of service frequently reserve the right to use submitted code for model training, evaluation, or service improvement. Your proprietary algorithms could surface in completions served to competitors.

Even vendors offering opt-out mechanisms require trusting a contractual assurance — not a technical guarantee. Opt-out configurations are frequently lost during IDE updates, plugin reinstalls, or environment reprovisioning.

The only reliable way to prevent source code exfiltration is to block at the network layer, enforce IDE policies at the endpoint, and monitor for violations continuously.

Full-File Transmission

Code assistants send entire active files to inference servers, not just the current line. A single autocomplete request can transmit hundreds of lines of proprietary business logic, cryptographic implementations, or database schemas to external servers.

Training Data Risks

Vendor terms often permit using submitted code for model training. Your proprietary algorithms and architectural patterns could surface in completions served to other users, including competitors, without your knowledge or consent.

Silent Installation

Developers install code assistant extensions without IT approval. VS Code, JetBrains, and Neovim marketplaces make installation a single click. No elevated privileges required. No software deployment tool involved. No visibility for security teams.

Network-Layer Blocking

Block AI Code Assistant Domains at the Network Layer

Network-layer blocking is the most effective single control because it operates independently of the endpoint, IDE, and developer configuration. Even if a developer installs a plugin with a personal API key, it cannot function if inference endpoints are unreachable.

Key Domains by Code Assistant

Each code assistant relies on well-defined domains. The AI Tools Blocklist catalogs all of these — plus dozens of smaller tools — updated daily.

Tool Primary Domains
GitHub Copilot copilot-proxy.githubusercontent.com, api.githubcopilot.com, related GitHub API endpoints
Cursor api2.cursor.sh and associated inference domains
Tabnine api.tabnine.com and cloud model endpoints
Cody (Sourcegraph) sourcegraph.com, cody-gateway.sourcegraph.com
Amazon Q Developer codewhisperer.us-east-1.amazonaws.com and related service domains

DNS Sinkhole Configuration

The following RPZ configuration works with BIND, Unbound, Windows DNS, or cloud DNS services like Cisco Umbrella and Infoblox BloxOne. It sinkhole-resolves these domains to cause silent plugin failure without disrupting other IDE functionality.

# ─── DNS Sinkhole Configuration for AI Code Assistants ───
# BIND / named response-policy zone (RPZ) entries
# Add to your RPZ zone file and reload named

# ── GitHub Copilot ──
copilot-proxy.githubusercontent.com    CNAME .
api.githubcopilot.com                  CNAME .
copilot.githubusercontent.com          CNAME .
default.exp-tas.com                    CNAME .
copilot-telemetry.githubusercontent.com CNAME .
*.ghcopilot.com                        CNAME .

# ── Cursor AI ──
api2.cursor.sh                         CNAME .
cursor.sh                             CNAME .
*.cursor.sh                            CNAME .
app.cursor.sh                          CNAME .

# ── Tabnine ──
api.tabnine.com                        CNAME .
update.tabnine.com                     CNAME .
*.tabnine.com                          CNAME .

# ── Sourcegraph Cody ──
sourcegraph.com                        CNAME .
*.sourcegraph.com                      CNAME .
cody-gateway.sourcegraph.com           CNAME .

# ── Amazon Q Developer (formerly CodeWhisperer) ──
codewhisperer.us-east-1.amazonaws.com  CNAME .
q.us-east-1.amazonaws.com             CNAME .
codewhisperer-fre.us-east-1.amazonaws.com CNAME .

# ── Replit AI ──
replit.com                             CNAME .
*.replit.com                           CNAME .
*.repl.co                              CNAME .

# ── Windsurf (Codeium) ──
server.codeium.com                     CNAME .
*.codeium.com                          CNAME .
api.codeium.com                        CNAME .
windsurf.com                           CNAME .
*.windsurf.com                         CNAME .

# ── Supermaven ──
supermaven.com                         CNAME .
*.supermaven.com                       CNAME .

# ── Continue.dev ──
*.continue.dev                         CNAME .

# ── JetBrains AI Assistant ──
ai.jetbrains.com                       CNAME .
grazie.ai                              CNAME .
*.grazie.ai                            CNAME .

# NOTE: Import the full AI Code Assistants category from the
# AI Tools Blocklist for comprehensive coverage of 40+ tools.
# Manual lists like this one miss new entrants and domain changes.

CNAME-to-Root-Dot Syntax

CNAME . is the RPZ convention for NXDOMAIN response — the resolver returns a non-existent domain, causing the API request to fail immediately. This is faster than sinkholing to 0.0.0.0 and avoids triggering local firewall logs.

Unbound: Use local-zone directives with always_nxdomain. Windows DNS: Create static A records pointing to a dead IP in a dedicated zone.

Manual DNS blocklists are hard to maintain — new AI code assistants launch weekly and existing ones rebrand (Codeium → Windsurf, CodeWhisperer → Amazon Q). The AI Tools Blocklist's daily updates from scanning 102 million domains eliminate this burden automatically.

Firewall and Proxy-Layer Enforcement

DNS sinkholing blocks most traffic, but determined developers can bypass it with personal DNS resolvers or DNS-over-HTTPS. Defense in depth requires complementary proxy and firewall controls.

Zscaler — Add domains to a custom URL category under Administration > URL Categories and associate with a blocking rule. Zscaler integration guide.
Palo Alto Networks — Create a custom URL category with all code assistant domains and reference it in a security policy rule with a deny action. Palo Alto integration guide.
Netskope / Prisma Access — Import the Code Assistants category as a URL filtering rule and apply a block action directly.
Traditional firewalls & proxies — Configure explicit deny rules for the same domain set from the AI Tools Blocklist feed.
Endpoint Controls

IDE Policy Enforcement and Endpoint-Level Blocking

Network blocking stops code assistants from reaching inference servers, but doesn't prevent plugin installation. Developers who see failed suggestions may seek workarounds — personal hotspots, VPN split tunneling, or alternative tools.

Endpoint controls address this by preventing plugin installation, disabling telemetry, and locking down IDE configurations through managed policies.

Key Endpoint Controls

Disable Copilot for all file types — The github.copilot.enable block handles cases where the extension is already installed.
Kill inline suggestions globallyeditor.inlineSuggest.enabled: false blocks all AI providers: Copilot, Tabnine, Cody, Windsurf, and Supermaven.
Restrict extensions to approved publishers — The extensions.allowed block prevents installing new code assistants without IT approval.
Disable all telemetry — Turn off crash reporting, usage metrics, and diagnostic data collection.
Block JetBrains AI pluginsidea.plugins.blocked prevents specific plugins from loading even if installed. Set idea.allow.third.party.plugins=false for maximum restriction.

VS Code supports managed settings via JSON configuration files deployed through MDM, GPO, or tools like Ansible, Puppet, or Chef. The following configuration covers all layers.

// ─── VS Code Managed Settings (settings.json via MDM/GPO) ───
// Deploy to: %APPDATA%\Code\User\settings.json (Windows)
//            ~/.config/Code/User/settings.json (Linux)
//            ~/Library/Application Support/Code/User/settings.json (macOS)
{
  // Disable GitHub Copilot entirely
  "github.copilot.enable": {
    "*": false,
    "plaintext": false,
    "markdown": false,
    "scminput": false
  },
  "github.copilot.advanced": {
    "debug.useNodeFetcher": true,
    "debug.useElectronFetcher": true
  },

  // Block all AI-related extensions by publisher ID
  "extensions.autoUpdate": false,
  "extensions.ignoreRecommendations": true,

  // Disable telemetry and data collection
  "telemetry.telemetryLevel": "off",
  "telemetry.enableTelemetry": false,
  "telemetry.enableCrashReporter": false,

  // Disable inline completions (blocks all AI suggestion providers)
  "editor.inlineSuggest.enabled": false,

  // Restrict extension installs to approved publishers only
  "extensions.allowed": {
    "microsoft": true,
    "redhat": true,
    "esbenp": true,
    "dbaeumer": true,
    "GitHub": "exclude:copilot*"
  }
}

// ─── JetBrains IDE managed properties (idea.properties) ───
// Deploy to: <IDE_HOME>/bin/idea.properties
// Disables AI Assistant and third-party AI plugin loading
idea.plugins.blocked=com.github.copilot,\
  com.tabnine.TabNine,\
  com.sourcegraph.cody,\
  com.codeium.codeium,\
  com.supermaven.supermaven,\
  com.jetbrains.ai.assistant

idea.suppress.statistics=true
idea.allow.third.party.plugins=false

Group Policy Deployment by Platform

Deploy IDE settings enforcement across your fleet using platform-appropriate tools. Block standalone AI editor installations (Cursor, Windsurf) alongside IDE plugin restrictions.

Windows GPO

Create a GPO that copies managed settings.json to each workstation, sets it read-only, and applies a registry key preventing VS Code overrides. Add software restriction policies to block Cursor and Windsurf executables.

macOS MDM

Deploy settings via Jamf, Kandji, or Mosyle configuration profiles. Use restricted software policies to block Cursor.app, Windsurf.app, and other standalone AI code editors.

Linux (Ansible/Salt)

Deploy settings.json as a template and set the immutable flag with chattr +i to prevent local modification. Manage via Ansible playbooks or Salt states.

Extension Allowlisting

Rather than trying to block every AI code assistant individually, restrict extension installation to an approved allowlist. This inverts the problem: instead of chasing new AI tools as they launch, you maintain a curated list of permitted extensions. Any extension not on the list is blocked by default.

CLI-Based Code Assistants

Some code assistants operate as CLI tools or terminal integrations rather than IDE plugins — tools like aider, Claude Code, and OpenAI Codex CLI. These bypass IDE-level controls entirely and must be blocked at the network layer or through application control policies that prevent their binary execution.

Telemetry Analysis

Understanding Code Assistant Telemetry and Data Flows

Each code assistant has a distinct telemetry profile. Understanding these data flows helps security teams decide which tools to block outright, which to permit with controls, and which represent acceptable risk.

Data Flow Comparison

Tool Primary Channel Secondary Channel Trigger
GitHub Copilot Active file contents, neighboring snippets, cursor position sent to inference servers Suggestion accept/reject events, editor state, usage metrics Every keystroke
Cursor Entire repo indexed locally; selected chunks sent via RAG. Files never opened may be transmitted. Session metadata, query patterns On query + background indexing
Tabnine (Cloud) Function signatures, docstrings, surrounding implementation code Usage analytics, model feedback Every keystroke
Amazon Q Developer Code context to AWS-hosted inference endpoints Service telemetry to AWS On suggestion request

Even when suggestions are disabled, the primary channel may still transmit code context. The telemetry channel reveals development patterns, working hours, and tech stack composition regardless of suggestion acceptance.

Keystroke Triggers

Copilot and Tabnine transmit code context on every keystroke. A single hour of active development generates hundreds of API requests, each carrying lines of proprietary source code.

Repo-Wide Indexing

Cursor and Cody index entire repositories to provide context-aware suggestions. Files never opened by the developer may still be transmitted to inference servers as retrieval context.

Usage Telemetry

Even with code suggestions disabled, most assistants still collect usage telemetry: editor events, language distributions, session lengths, and feature usage patterns that reveal development activity.

Snippet Caching

Some code assistants cache submitted code snippets server-side for quality improvement and debugging. Even after you stop using the tool, your code may persist on vendor infrastructure indefinitely.

Mapping Code Assistant Network Traffic

Before implementing blocks, capture baseline traffic from each code assistant. Each tool contacts between 5 and 15 distinct domains during a typical session.

1
Install in isolation — Set up each code assistant in an isolated test environment with full network capture enabled.
2
Perform typical dev work for 30 minutes — Trigger completions, chat queries, and code navigation to exercise all communication paths.
3
Capture all DNS queries & HTTPS connections — This reveals inference endpoints, telemetry domains, update checks, auth endpoints, and CDN domains.
4
Block all associated domains — Blocking only the primary inference endpoint is insufficient. Telemetry endpoints alone reveal what files are being edited, languages in use, and coding activity.

The AI Tools Blocklist's curated domain sets include all known associated domains for each code assistant — not just the primary API endpoint.

Tabnine Self-Hosted Option

Tabnine offers an on-premises model that keeps code context within your infrastructure. However, even the self-hosted version communicates with Tabnine's licensing and update servers.

Network monitoring is still necessary to verify code data stays local. The AI Tools Blocklist distinguishes between cloud-only and hybrid-deployment assistants to help teams evaluate controlled deployment vs. outright blocking.

SCM & Pipeline Security

Source Control and CI/CD Pipeline Protections

Network and endpoint controls block real-time code assistant usage. But a comprehensive strategy must also address the source control and CI/CD layers where AI-generated code traces may persist.

Two Layers of SCM Protection

Pre-Commit Hooks

Detect and flag potential AI-generated code using heuristics: verbose comments explaining obvious operations, style inconsistencies within a single commit, and patterns generated by specific models. Serves as monitoring, not a hard block — flags for human review to avoid disrupting velocity.

Organization-Level Controls

Disable code assistant integrations at the platform level. Copilot's "repository context" feature can pull code from private repos the developer has access to — even repos they're not actively working on. Block third-party OAuth app access to prevent this.

The pre-commit hook below scans staged files for AI code assistant indicators. Install it to .git/hooks/pre-commit.

#!/usr/bin/env bash
# ─── Pre-commit hook: AI code assistant detection ───
# Install: cp this file to .git/hooks/pre-commit && chmod +x
# Scans staged files for indicators of AI code assistant usage

set -euo pipefail

WARNINGS=0
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)

for file in $STAGED_FILES; do
    # Skip binary files
    if file "$file" | grep -q "binary"; then
        continue
    fi

    # Check for Copilot metadata comments
    if grep -qiE "(generated by copilot|copilot suggestion|AI-generated|github copilot)" "$file"; then
        echo "[WARNING] Possible AI-generated code marker in: $file"
        WARNINGS=$(( WARNINGS + 1 ))
    fi

    # Check for Cursor-style comment patterns
    if grep -qiE "(cursor|codeium|tabnine|supermaven).*generat" "$file"; then
        echo "[WARNING] AI tool reference found in: $file"
        WARNINGS=$(( WARNINGS + 1 ))
    fi

    # Detect VS Code extension config files for AI tools
    if [[ "$file" == *".vscode/extensions.json" ]]; then
        if grep -qiE "(copilot|tabnine|codeium|supermaven|cody)" "$file"; then
            echo "[BLOCKED] AI code assistant in recommended extensions: $file"
            echo "  Remove AI assistant extensions from .vscode/extensions.json"
            exit 1
        fi
    fi

    # Check for .cursor directory (Cursor project config)
    if [[ "$file" == *".cursor/"* ]] || [[ "$file" == *".cursorignore" ]]; then
        echo "[BLOCKED] Cursor AI configuration file detected: $file"
        echo "  Remove Cursor config files before committing"
        exit 1
    fi
done

if [ "$WARNINGS" -gt 0 ]; then
    echo ""
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo "  $WARNINGS potential AI-generated code warning(s)"
    echo "  Review flagged files before pushing to remote"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    # Exit 0 to allow commit with warnings (change to exit 1 to block)
    exit 0
fi

echo "[OK] No AI code assistant indicators detected"

What the Hook Checks

1
AI-generated code markers — Comments referencing Copilot, AI generation, or similar terms. Some devs add attribution; some orgs require it via AI use policy.
2
Tool-specific references — Comments mentioning Cursor, Codeium, Tabnine, or Supermaven in code files.
3
VS Code extension recommendations — AI assistant entries in .vscode/extensions.json are hard-blocked (exit 1) since they spread tool adoption across teams.
4
Cursor config files.cursor/ directories and .cursorignore files are hard-blocked to prevent Cursor project configs in shared repos.

The hook uses a warning/blocking split: workspace configs promoting AI tools are hard-blocked (exit 1), while potential AI code patterns generate warnings (exit 0) to avoid unsustainable false-positive rates.

GitHub Organization-Level Controls

Major SCM platforms offer organization-level settings to control code assistant access. Configure these alongside pre-commit hooks for defense in depth.

Platform Setting Effect
GitHub Enterprise Organization Settings > Copilot Disable Copilot org-wide, regardless of personal subscriptions
Organization Settings > Third-party access Restrict OAuth app access to prevent code assistant authentication
Organization Settings > Actions Restrict allowed Actions — some AI tools run as Actions accessing repo contents
GitLab Admin Area > Settings > Visibility & access controls Restrict PAT scopes and block third-party API access to repo data
Bitbucket Workspace-level application access settings Control which apps can access workspace repos. Self-hosted offers granular OAuth app ID blocking.
Continuous Monitoring

Detecting Code Assistant Usage Despite Blocking Controls

No blocking strategy is 100% effective. Developers report 25–55% productivity gains from AI assistants — motivation is high. Assume some will find workarounds: personal hotspots, home VPNs, or browser-based tools on personal devices.

Detection Signals to Monitor

Blocked DNS queries to code assistant domains — confirms controls work and identifies who's trying. Cross-reference with the shadow AI detection guide.
Denied proxy connections & firewall denies to AI code assistant domain categories from the daily blocklist.
VS Code extension log monitoring — Check ~/.vscode/logs/ for AI tool installation events.
EDR process detection — Alert on known binaries: cursor, windsurf, codeium_language_server, tabnine-binary, copilot-agent.
Standalone app installations — Monitor for Cursor, Windsurf, and Replit Desktop via CrowdStrike, SentinelOne, or Defender for Endpoint.

Network Monitoring Signals

Monitor for blocked DNS queries to code assistant domains — these indicate attempted usage. Track blocked proxy connections and firewall denies. Alert on new, previously-unseen code assistant domains from the daily blocklist updates. Correlate with user identity for targeted enforcement conversations.

Endpoint Monitoring Signals

Detect code assistant process execution via EDR. Monitor VS Code extension directory for AI tool installations. Track IDE configuration file changes that re-enable blocked features. Alert on standalone code editor installations (Cursor, Windsurf, Replit Desktop).

Building a Code Protection Metrics Dashboard

Track these metrics monthly to demonstrate program effectiveness and justify continued investment. Present alongside developer productivity metrics to address the pushback that blocking reduces velocity.

Blocked Attempts

Number of blocked connection attempts. Trending down indicates policy adoption.

Unique Developers

Count of unique devs attempting blocked tools. Identifies teams needing communication.

New Domains Added

New code assistant domains in the blocklist. Demonstrates evolving threat landscape.

Violations Remediated

Policy violations detected and resolved. Measures enforcement effectiveness.

Organizations that block external code assistants while deploying approved, internally-hosted alternatives — like self-hosted Tabnine or a private open-source model — can protect IP without sacrificing productivity. See our AI acceptable use policy guide for frameworks defining which assistants are approved under what conditions.

Protect Your Source Code from AI Exfiltration

Download a free sample including all code assistant domains. Request an enterprise trial for the full 16,024+ domain feed with daily updates and category-level filtering.

Request Code Assistant Blocking Support

Tell us about your development environment and code protection requirements — we will help you implement a comprehensive blocking strategy.