AI code assistants silently transmit source code to external servers with every suggestion. Block Copilot, Cursor, Tabnine, and 40+ others at the network, endpoint, and IDE layers using our 16,024+ classified AI-tool domains.
Every AI code assistant shares the same architecture: capture code from the IDE, transmit it to an external server, return a suggestion. The developer sees helpful autocomplete — but never sees the network request carrying proprietary source code to a third-party vendor.
The scale of data transmission is far larger than most engineering leaders realize. An active developer transmits the equivalent of their entire codebase within a normal work week.
| Tool | Data Transmitted | Scope |
|---|---|---|
| GitHub Copilot | Full active file, snippets from open tabs, file paths, import statements | Active file + neighboring context |
| Cursor | Entire repository indexed locally; selected chunks sent for RAG-based generation | Full repository |
| Tabnine (Cloud) | Function signatures, docstrings, surrounding implementation code | Active file + function context |
| Amazon Q Developer | Code context transmitted to AWS-hosted inference endpoints | Active file context |
| Cody (Sourcegraph) | Codebase-aware context via Sourcegraph indexing infrastructure | Repository-wide |
Code assistant vendors' terms of service frequently reserve the right to use submitted code for model training, evaluation, or service improvement. Your proprietary algorithms could surface in completions served to competitors.
Even vendors offering opt-out mechanisms require trusting a contractual assurance — not a technical guarantee. Opt-out configurations are frequently lost during IDE updates, plugin reinstalls, or environment reprovisioning.
The only reliable way to prevent source code exfiltration is to block at the network layer, enforce IDE policies at the endpoint, and monitor for violations continuously.
Code assistants send entire active files to inference servers, not just the current line. A single autocomplete request can transmit hundreds of lines of proprietary business logic, cryptographic implementations, or database schemas to external servers.
Vendor terms often permit using submitted code for model training. Your proprietary algorithms and architectural patterns could surface in completions served to other users, including competitors, without your knowledge or consent.
Developers install code assistant extensions without IT approval. VS Code, JetBrains, and Neovim marketplaces make installation a single click. No elevated privileges required. No software deployment tool involved. No visibility for security teams.
Network-layer blocking is the most effective single control because it operates independently of the endpoint, IDE, and developer configuration. Even if a developer installs a plugin with a personal API key, it cannot function if inference endpoints are unreachable.
Each code assistant relies on well-defined domains. The AI Tools Blocklist catalogs all of these — plus dozens of smaller tools — updated daily.
| Tool | Primary Domains |
|---|---|
| GitHub Copilot | copilot-proxy.githubusercontent.com, api.githubcopilot.com, related GitHub API endpoints |
| Cursor | api2.cursor.sh and associated inference domains |
| Tabnine | api.tabnine.com and cloud model endpoints |
| Cody (Sourcegraph) | sourcegraph.com, cody-gateway.sourcegraph.com |
| Amazon Q Developer | codewhisperer.us-east-1.amazonaws.com and related service domains |
The following RPZ configuration works with BIND, Unbound, Windows DNS, or cloud DNS services like Cisco Umbrella and Infoblox BloxOne. It sinkhole-resolves these domains to cause silent plugin failure without disrupting other IDE functionality.
CNAME . is the RPZ convention for NXDOMAIN response — the resolver returns a non-existent domain, causing the API request to fail immediately. This is faster than sinkholing to 0.0.0.0 and avoids triggering local firewall logs.
Unbound: Use local-zone directives with always_nxdomain. Windows DNS: Create static A records pointing to a dead IP in a dedicated zone.
Manual DNS blocklists are hard to maintain — new AI code assistants launch weekly and existing ones rebrand (Codeium → Windsurf, CodeWhisperer → Amazon Q). The AI Tools Blocklist's daily updates from scanning 102 million domains eliminate this burden automatically.
DNS sinkholing blocks most traffic, but determined developers can bypass it with personal DNS resolvers or DNS-over-HTTPS. Defense in depth requires complementary proxy and firewall controls.
Network blocking stops code assistants from reaching inference servers, but doesn't prevent plugin installation. Developers who see failed suggestions may seek workarounds — personal hotspots, VPN split tunneling, or alternative tools.
Endpoint controls address this by preventing plugin installation, disabling telemetry, and locking down IDE configurations through managed policies.
github.copilot.enable block handles cases where the extension is already installed.editor.inlineSuggest.enabled: false blocks all AI providers: Copilot, Tabnine, Cody, Windsurf, and Supermaven.extensions.allowed block prevents installing new code assistants without IT approval.idea.plugins.blocked prevents specific plugins from loading even if installed. Set idea.allow.third.party.plugins=false for maximum restriction.VS Code supports managed settings via JSON configuration files deployed through MDM, GPO, or tools like Ansible, Puppet, or Chef. The following configuration covers all layers.
Deploy IDE settings enforcement across your fleet using platform-appropriate tools. Block standalone AI editor installations (Cursor, Windsurf) alongside IDE plugin restrictions.
Create a GPO that copies managed settings.json to each workstation, sets it read-only, and applies a registry key preventing VS Code overrides. Add software restriction policies to block Cursor and Windsurf executables.
Deploy settings via Jamf, Kandji, or Mosyle configuration profiles. Use restricted software policies to block Cursor.app, Windsurf.app, and other standalone AI code editors.
Deploy settings.json as a template and set the immutable flag with chattr +i to prevent local modification. Manage via Ansible playbooks or Salt states.
Rather than trying to block every AI code assistant individually, restrict extension installation to an approved allowlist. This inverts the problem: instead of chasing new AI tools as they launch, you maintain a curated list of permitted extensions. Any extension not on the list is blocked by default.
Some code assistants operate as CLI tools or terminal integrations rather than IDE plugins — tools like aider, Claude Code, and OpenAI Codex CLI. These bypass IDE-level controls entirely and must be blocked at the network layer or through application control policies that prevent their binary execution.
Each code assistant has a distinct telemetry profile. Understanding these data flows helps security teams decide which tools to block outright, which to permit with controls, and which represent acceptable risk.
| Tool | Primary Channel | Secondary Channel | Trigger |
|---|---|---|---|
| GitHub Copilot | Active file contents, neighboring snippets, cursor position sent to inference servers | Suggestion accept/reject events, editor state, usage metrics | Every keystroke |
| Cursor | Entire repo indexed locally; selected chunks sent via RAG. Files never opened may be transmitted. | Session metadata, query patterns | On query + background indexing |
| Tabnine (Cloud) | Function signatures, docstrings, surrounding implementation code | Usage analytics, model feedback | Every keystroke |
| Amazon Q Developer | Code context to AWS-hosted inference endpoints | Service telemetry to AWS | On suggestion request |
Even when suggestions are disabled, the primary channel may still transmit code context. The telemetry channel reveals development patterns, working hours, and tech stack composition regardless of suggestion acceptance.
Copilot and Tabnine transmit code context on every keystroke. A single hour of active development generates hundreds of API requests, each carrying lines of proprietary source code.
Cursor and Cody index entire repositories to provide context-aware suggestions. Files never opened by the developer may still be transmitted to inference servers as retrieval context.
Even with code suggestions disabled, most assistants still collect usage telemetry: editor events, language distributions, session lengths, and feature usage patterns that reveal development activity.
Some code assistants cache submitted code snippets server-side for quality improvement and debugging. Even after you stop using the tool, your code may persist on vendor infrastructure indefinitely.
Before implementing blocks, capture baseline traffic from each code assistant. Each tool contacts between 5 and 15 distinct domains during a typical session.
The AI Tools Blocklist's curated domain sets include all known associated domains for each code assistant — not just the primary API endpoint.
Tabnine offers an on-premises model that keeps code context within your infrastructure. However, even the self-hosted version communicates with Tabnine's licensing and update servers.
Network monitoring is still necessary to verify code data stays local. The AI Tools Blocklist distinguishes between cloud-only and hybrid-deployment assistants to help teams evaluate controlled deployment vs. outright blocking.
Network and endpoint controls block real-time code assistant usage. But a comprehensive strategy must also address the source control and CI/CD layers where AI-generated code traces may persist.
Detect and flag potential AI-generated code using heuristics: verbose comments explaining obvious operations, style inconsistencies within a single commit, and patterns generated by specific models. Serves as monitoring, not a hard block — flags for human review to avoid disrupting velocity.
Disable code assistant integrations at the platform level. Copilot's "repository context" feature can pull code from private repos the developer has access to — even repos they're not actively working on. Block third-party OAuth app access to prevent this.
The pre-commit hook below scans staged files for AI code assistant indicators. Install it to .git/hooks/pre-commit.
.vscode/extensions.json are hard-blocked (exit 1) since they spread tool adoption across teams..cursor/ directories and .cursorignore files are hard-blocked to prevent Cursor project configs in shared repos.The hook uses a warning/blocking split: workspace configs promoting AI tools are hard-blocked (exit 1), while potential AI code patterns generate warnings (exit 0) to avoid unsustainable false-positive rates.
Major SCM platforms offer organization-level settings to control code assistant access. Configure these alongside pre-commit hooks for defense in depth.
| Platform | Setting | Effect |
|---|---|---|
| GitHub Enterprise | Organization Settings > Copilot | Disable Copilot org-wide, regardless of personal subscriptions |
| Organization Settings > Third-party access | Restrict OAuth app access to prevent code assistant authentication | |
| Organization Settings > Actions | Restrict allowed Actions — some AI tools run as Actions accessing repo contents | |
| GitLab | Admin Area > Settings > Visibility & access controls | Restrict PAT scopes and block third-party API access to repo data |
| Bitbucket | Workspace-level application access settings | Control which apps can access workspace repos. Self-hosted offers granular OAuth app ID blocking. |
No blocking strategy is 100% effective. Developers report 25–55% productivity gains from AI assistants — motivation is high. Assume some will find workarounds: personal hotspots, home VPNs, or browser-based tools on personal devices.
~/.vscode/logs/ for AI tool installation events.cursor, windsurf, codeium_language_server, tabnine-binary, copilot-agent.Monitor for blocked DNS queries to code assistant domains — these indicate attempted usage. Track blocked proxy connections and firewall denies. Alert on new, previously-unseen code assistant domains from the daily blocklist updates. Correlate with user identity for targeted enforcement conversations.
Detect code assistant process execution via EDR. Monitor VS Code extension directory for AI tool installations. Track IDE configuration file changes that re-enable blocked features. Alert on standalone code editor installations (Cursor, Windsurf, Replit Desktop).
Track these metrics monthly to demonstrate program effectiveness and justify continued investment. Present alongside developer productivity metrics to address the pushback that blocking reduces velocity.
Number of blocked connection attempts. Trending down indicates policy adoption.
Count of unique devs attempting blocked tools. Identifies teams needing communication.
New code assistant domains in the blocklist. Demonstrates evolving threat landscape.
Policy violations detected and resolved. Measures enforcement effectiveness.
Organizations that block external code assistants while deploying approved, internally-hosted alternatives — like self-hosted Tabnine or a private open-source model — can protect IP without sacrificing productivity. See our AI acceptable use policy guide for frameworks defining which assistants are approved under what conditions.
Download a free sample including all code assistant domains. Request an enterprise trial for the full 16,024+ domain feed with daily updates and category-level filtering.
Tell us about your development environment and code protection requirements — we will help you implement a comprehensive blocking strategy.