New Developer Onboarding Checklist

Confirm the start date, reporting manager, team (e.g., Platform, Frontend, Payments), and primary tech stack. This drives downstream provisioning — IDE licenses, repo access scopes, on-call rotation membership.

IT orders the standard MacBook Pro / ThinkPad bundle, dual monitor, dock, keyboard, mouse, and YubiKey. Order at least 5 business days ahead — same-day shipping is rare and a Day-1 engineer with no laptop wastes the first week.

Provision the user in your IdP (Okta, JumpCloud, Google Workspace) and assign to the appropriate group. SCIM provisioning then propagates to GitHub, Slack, Jira, AWS, Datadog, PagerDuty. Verify each downstream app actually received the user before Day 1.

Enroll in Jamf / Kandji / Intune so the device is managed (disk encryption, OS updates, remote wipe). Install 1Password or Vault for secrets, the SSO browser extension, and the company VPN client if applicable.

Register the hardware key as the primary MFA factor for Okta, GitHub, and AWS console. TOTP (Authy / 1Password) is the backup factor. SMS is not acceptable as a factor for any production system — SOC 2 auditors flag this.

Brief intros at the daily standup — name, role, what they'll be working on, one fun fact. The manager posts a longer welcome in #engineering with their Slack handle and team assignment.

Follow the README's bootstrap script (typically make setup or ./bin/setup). If the script breaks, that's a documentation bug — file an issue rather than working around it. New-engineer setup is the canonical test of whether your getting-started docs are current.

Install the team's standard IDE config (VS Code workspace settings, JetBrains shared config), language toolchain (asdf / nvm / pyenv / rbenv), and pre-commit hooks (gitleaks for secrets, prettier/eslint, language-specific formatters). Pre-commit hooks prevent the most common Day-1 mistake — committing a .env file.

Confirms the local environment is wired correctly — DB seeded, services reachable, env vars set. If tests fail locally but pass in CI, there's an environment drift to track down before the engineer's first PR.

Tech lead walks through the C4 / service-map diagram — services, databases, queues, third-party integrations. Name the SLOs for the critical services and where the dashboards live (Datadog, Grafana). Point at the on-call runbooks in Notion / Confluence.

Cover the team's PR template, branch naming, commit message style (Conventional Commits, if used), squash-vs-merge policy, and the 400-line PR size budget. Show CODEOWNERS routing so the new engineer knows whose review is required for which paths.

Two or three 90-minute pairing sessions in week 1 with senior engineers on different parts of the stack. Goal is exposure to the codebase, not output — rotate so the new engineer sees frontend, backend, and infra patterns.

Vanta / Drata / Secureframe will track the completion certificate as evidence for the SOC 2 access-onboarding control. Annual refresher is also tracked. Skipping this is one of the most common audit findings on engineering hires.

AppSec engineer covers SQL injection, XSS, IDOR, SSRF, and the team's specific patterns for parameterized queries, output encoding, and authz checks. Show how Semgrep / CodeQL findings show up in PR comments and the expected triage SLA.

Production console access is break-glass only — request through the JIT tool (Sym, ConductorOne, Teleport), document the reason, sessions are logged. Routine debugging goes through structured logs, APM, and runbook commands. Audit logs are reviewed monthly.

Most engineers don't touch regulated data and shouldn't be granted access. If the role does (working on the billing service or a HIPAA-covered feature), additional training and BAA acknowledgement are required before any access is provisioned.

End-to-end through CI, code review, and deploy to production. The starter ticket from week 1 should land in week 2. Confirms branch protection, required checks, and CODEOWNERS routing all work for the new engineer's account.

Read-only PagerDuty subscription on the team rotation for one week. Sit in on any incidents as observer — see how the IC runs the channel, how the runbook is used, how the post-incident review is scheduled. New engineers join the live rotation around day 60 once they've shadowed one full shift.