We understand your code is extremely important to you and your business. We are trying to be very protective of it and this page describes how we ensure your code is safe. If you have any questions, please contact us.
Last revised on Nov 21, 2017
Our systems are hosted in data centers managed by Amazon Web Services.
For more information see https://aws.amazon.com/security/.
System and Operational Security
- Systems access logged and tracked for auditing purposes
- Firewall to help block unauthorized system access
Connections to the DeepScan website are encrypted with HTTPS, and all data is always transmitted over SSL/TLS. Source code is transmitted over HTTPS, and DeepScan, being a static analysis tool, never executes users' source code.
DeepScan never stores passwords for external applications like GitHub. Integration with external apps is done via OAuth.
After an analysis, we keep the latest version of the user's code on disk for one reason:
- To merge issues between the current analysis and the previous one
We plan to change this architecture so that it no longer requires stored files, for example:
- By merging issues via Git diff instead of file diff
In the database, we store only metrics gathered from the code:
- Grade, current merged issues for the project, detected issues for each analysis, issue statuses
- An issue mainly includes impact, message, location, and code fragment
Your repositories are cloned into our file system over an HTTPS connection.
Once the analysis is finished, only the latest code remains on the server, as described above. Beyond that, we regularly delete our copies of stored code.
Like GitHub.com, we do not encrypt repositories on disk because it would not increase security. The website would need to decrypt the repositories, slowing down operations and response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.
Repository data (user code) is stored on the server until deleted by the user. You can delete your data at any time by deleting the repository or by deleting the account itself.
When you delete your project or account, we immediately delete the user code from the file system, the data from our database, and the webhook we added to your GitHub repository.
Demo and editor plugins
Demo and current editor plugins (VS Code and Atom) work with our server.
We store the source content transmitted to the server as a temporary file, and that file is completely deleted right after the inspection. Unlike a normal analysis, we never preserve the file, nor do we save any derived result to the database.
We are also developing editor plugins and CLI that embed our analysis engine and require no code transmission.
Have a question or concern about DeepScan security? Please contact us.