New Developer Onboarding Checklist

Pre-Day-1 Provisioning

    Confirm the start date, reporting manager, team (e.g., Platform, Frontend, Payments), and primary tech stack. This drives downstream provisioning — IDE licenses, repo access scopes, on-call rotation membership.

    IT orders the standard MacBook Pro / ThinkPad bundle, dual monitor, dock, keyboard, mouse, and YubiKey. Order at least 5 business days ahead — same-day shipping is rare and a Day-1 engineer with no laptop wastes the first week.

    Provision the user in your IdP (Okta, JumpCloud, Google Workspace) and assign them to the appropriate group. SCIM provisioning then propagates the account to GitHub, Slack, Jira, AWS, Datadog, and PagerDuty. Verify each downstream app actually received the user before Day 1.

    Invite to the GitHub org with the least-privilege role (typically Member, not Owner). Add to the team(s) referenced in CODEOWNERS for the services they will work on. Confirm 2FA is enforced at the org level.

Day 1 Orientation

    Enroll in Jamf / Kandji / Intune so the device is managed (disk encryption, OS updates, remote wipe). Install 1Password or Vault for secrets, the SSO browser extension, and the company VPN client if applicable.

    Register the hardware key as the primary MFA factor for Okta, GitHub, and AWS console. TOTP (Authy / 1Password) is the backup factor. SMS is not acceptable as a factor for any production system — SOC 2 auditors flag this.

    Brief intros at the daily standup — name, role, what they'll be working on, one fun fact. The manager posts a longer welcome in #engineering with their Slack handle and team assignment.

    Pick a peer (not the manager) on the same team who can answer the small questions: how do I get the staging DB password, who owns the deploy pipeline, what's the unwritten rule about Friday deploys. Schedule a recurring 30-min 1:1 for the first month.
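The access checks named above (SCIM propagation to every downstream app, least-privilege GitHub role, org-level 2FA, hardware key plus TOTP with no SMS) can be run as one audit per hire. This is an added example, not part of the original checklist; the data shapes, factor labels and user names are constructed assumptions standing in for whatever your IdP and app exports return.

```python
"""Day-1 access audit for one new hire (added example, constructed data)."""

# Assumption: each system's export has already been reduced to these shapes.
REQUIRED_APPS = ["github", "slack", "jira", "aws", "datadog", "pagerduty"]
HARDWARE_FACTORS = {"webauthn"}  # label used here for a registered hardware key

def audit_new_hire(user, idp, downstream, github_org):
    """Return a list of findings; an empty list means the hire is ready."""
    record = idp.get(user)
    if record is None or record.get("status") != "ACTIVE":
        return [f"{user}: not active in the IdP"]
    findings = []
    # SCIM propagation: every downstream app must actually hold the account.
    for app in REQUIRED_APPS:
        if user not in downstream.get(app, set()):
            findings.append(f"{user}: missing in {app}")
    # Least privilege in the GitHub org, and 2FA enforced org-wide.
    role = github_org["members"].get(user)
    if role not in (None, "member"):
        findings.append(f"{user}: GitHub role is {role}, expected member")
    if not github_org.get("two_factor_requirement_enabled", False):
        findings.append("GitHub org: 2FA is not enforced")
    # MFA policy: hardware key as primary, TOTP as backup, SMS never.
    factors = set(record.get("factors", []))
    if not factors & HARDWARE_FACTORS:
        findings.append(f"{user}: no hardware key enrolled")
    if "totp" not in factors:
        findings.append(f"{user}: no TOTP backup factor")
    if "sms" in factors:
        findings.append(f"{user}: SMS factor enrolled")
    return findings

# Constructed sample data (not from any real tenant).
IDP = {
    "ana": {"status": "ACTIVE", "factors": ["webauthn", "totp"]},
    "raj": {"status": "ACTIVE", "factors": ["totp", "sms"]},
}
DOWNSTREAM = {app: {"ana", "raj"} for app in REQUIRED_APPS}
DOWNSTREAM["pagerduty"] = {"ana"}  # simulated failed SCIM push for raj
GITHUB_ORG = {"two_factor_requirement_enabled": True,
              "members": {"ana": "member", "raj": "owner"}}

if __name__ == "__main__":
    for user in IDP:
        print(user, audit_new_hire(user, IDP, DOWNSTREAM, GITHUB_ORG) or "ready")
```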

Development Environment Setup

    Follow the README's bootstrap script (typically make setup or ./bin/setup). If the script breaks, that's a documentation bug — file an issue rather than working around it. New-engineer setup is the canonical test of whether your getting-started docs are current.

    Install the team's standard IDE config (VS Code workspace settings, JetBrains shared config), language toolchain (asdf / nvm / pyenv / rbenv), and pre-commit hooks (gitleaks for secrets, prettier/eslint, language-specific formatters). Pre-commit hooks prevent the most common Day-1 mistake — committing a .env file.

    Running the test suite locally confirms the environment is wired correctly: DB seeded, services reachable, env vars set. If tests fail locally but pass in CI, there's an environment drift to track down before the engineer's first PR.

    Local-setup failures usually trace to missing env vars, a Docker version mismatch, or an ARM-vs-x86 native dependency. The buddy walks through the failing test, fixes the gap, and updates the README so the next hire doesn't hit the same wall.
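A file-name check that can sit beside gitleaks in the pre-commit hooks mentioned above, refusing any staged .env file regardless of its contents. This is an added example, not the checklist's or any project's own hook; the allowlist of template names is an assumption to adjust per repository.

```python
#!/usr/bin/env python3
"""Pre-commit check that refuses staged dotenv files (added example)."""
import fnmatch
import posixpath
import subprocess
import sys

BLOCK = [".env", ".env.*", "*.env"]
# Assumption: templates holding placeholder values only are fine to commit.
ALLOW = {".env.example", ".env.sample", ".env.template"}

def blocked_paths(staged):
    """Return the staged paths whose file name looks like a dotenv file."""
    hits = []
    for path in staged:
        name = posixpath.basename(path).lower()
        if name in ALLOW:
            continue
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in BLOCK):
            hits.append(path)
    return hits

def staged_files():
    """List added/copied/modified/renamed paths in the index (NUL-separated)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR", "-z"],
        check=True, capture_output=True).stdout
    return [p.decode("utf-8", "replace") for p in out.split(b"\0") if p]

def main():
    hits = blocked_paths(staged_files())
    for path in hits:
        print(f"refusing to commit {path}: dotenv files stay out of git",
              file=sys.stderr)
    return 1 if hits else 0  # non-zero exit aborts the commit

if __name__ == "__main__":
    sys.exit(main())
```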

Codebase and Architecture Walkthrough

    Tech lead walks through the C4 / service-map diagram — services, databases, queues, third-party integrations. Name the SLOs for the critical services and where the dashboards live (Datadog, Grafana). Point at the on-call runbooks in Notion / Confluence.

    Cover the team's PR template, branch naming, commit message style (Conventional Commits, if used), squash-vs-merge policy, and the 400-line PR size budget. Show CODEOWNERS routing so the new engineer knows whose review is required for which paths.

    Two or three 90-minute pairing sessions in week 1 with senior engineers on different parts of the stack. Goal is exposure to the codebase, not output — rotate so the new engineer sees frontend, backend, and infra patterns.

    Maintain a labeled backlog of small, well-scoped first tickets (typo fixes, small refactors, adding a missing test). The engineer ships their first PR end-to-end through CI, review, and deploy in week 1 — builds confidence with the pipeline before tackling real feature work.

Security and Compliance Training

    Vanta / Drata / Secureframe will track the completion certificate as evidence for the SOC 2 access-onboarding control. Annual refresher is also tracked. Skipping this is one of the most common audit findings on engineering hires.

    AppSec engineer covers SQL injection, XSS, IDOR, SSRF, and the team's specific patterns for parameterized queries, output encoding, and authz checks. Show how Semgrep / CodeQL findings show up in PR comments and the expected triage SLA.

    Production console access is break-glass only: request it through the JIT tool (Sym, ConductorOne, Teleport) and document the reason; sessions are logged. Routine debugging goes through structured logs, APM, and runbook commands. Audit logs are reviewed monthly.

    Most engineers don't touch regulated data and shouldn't be granted access. If the role does (working on the billing service or a HIPAA-covered feature), additional training and BAA acknowledgement are required before any access is provisioned.

    Required only if the engineer's scope includes regulated data. HIPAA training covers minimum-necessary access and the BAA chain; PCI training covers SAQ scope, cardholder data handling, and the quarterly ASV scan process. File the completion certificate with the GRC team.

First-Month Milestones

    End-to-end through CI, code review, and deploy to production. The starter ticket from week 1 should land in week 2. Confirms branch protection, required checks, and CODEOWNERS routing all work for the new engineer's account.

    Read-only PagerDuty subscription on the team rotation for one week. Sit in on any incidents as observer — see how the IC runs the channel, how the runbook is used, how the post-incident review is scheduled. New engineers join the live rotation around day 60 once they've shadowed one full shift.

    Manager + new engineer review what worked, what was confusing, what's still blocked. Capture documentation gaps as tickets — the new hire has the freshest eyes on which docs are stale or missing. Adjust this checklist for the next hire based on what surfaced.
