Skip to main content
Requires Enterprise plan. Currently in early access behind a feature flag.
Prevent specific binaries from executing inside environments. Useful when:
  • Blocking known-risky or unauthorized tools in sensitive environments
  • Enforcing software supply chain policies

Configuration

  1. Go to Settings → Organization → Policies
  2. Toggle Enable Executable Deny List
  3. Enter executable paths, one per line (maximum 20 entries)
  4. Click Save Changes
Paths should be absolute (e.g., /usr/bin/example).

Preview before saving

Test your deny list against a running environment before committing the policy org-wide:
  1. Enter executables in the textarea (saving is not required)
  2. Click the Preview in… dropdown and select a running environment
  3. The config is applied immediately to that environment only
  4. Open the environment to verify the expected binaries are blocked
  5. Modify the list and re-apply as needed — a warning indicator appears when the textarea changes after a preview
Preview applies the deny list to a single environment only. It does not affect the saved organization policy or other environments.

Effect on environments

  • New environments receive the deny list on creation
  • Restarted environments receive the latest deny list on start
  • Already-running environments are not affected by org policy changes — they keep the deny list they received at start time

Limitations

  • Maximum 20 entries per deny list
  • Blocking a script interpreter (e.g., /bin/bash) blocks all scripts that use it, not individual scripts