DeepScan Security

We understand that your code is extremely important to you and your business. We take protecting it seriously, and this page describes how we keep your code safe. If you have any questions, please contact us.

Last revised on Nov 21, 2017

Physical Security

Our systems are hosted in data centers managed by Amazon Web Services.

For more information see https://aws.amazon.com/security/.

System and Operational Security

  • System access is logged and tracked for auditing purposes
  • A firewall helps block unauthorized access to our systems

Communications

All connections to the DeepScan website are encrypted with HTTPS (TLS), and your source code is transmitted only over HTTPS. DeepScan is a static analysis tool: it inspects your source code but never executes it.

DeepScan never stores passwords for external applications such as GitHub; integration with external apps is done via OAuth.

File system

After an analysis, we keep the latest copy of your code on disk for one reason:

  • To merge the issues found in the current analysis with those from the previous analysis

We plan to change this architecture so that it no longer requires keeping files. For example:

  • Merging issues using a Git diff instead of a diff of the stored files

In the database, we store only the metrics gathered from the code:

  • The grade, the current merged issues for the project, the issues detected in each analysis, and issue statuses
  • An issue mainly consists of its impact, message, location, and code fragment
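The merge step described above is the reason the previous copy of the code is kept: each issue from the new analysis has to be matched against the issues from the last one so that an issue the user has already triaged keeps its status and a line shift does not turn every old issue into a "new" one. The following is an added illustration of such a merge, not DeepScan's own code; the field names, the matching rule (same path, message and code fragment, nearest line within a window) and the sample issues are assumptions made for the example.

```python
# Added example (not DeepScan's code): carrying issues from the previous
# analysis over to the current one. Field names, the matching rule and the
# sample data are assumptions; the page only says issues are merged between
# two analyses and that an issue holds impact, message, location and fragment.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Issue:
    impact: str            # e.g. "High"
    message: str           # rule text reported by the analyzer
    path: str              # file the issue was found in
    line: int              # 1-based line number
    fragment: str          # the code snippet the issue points at
    status: str = "open"   # user-managed status, kept across analyses


def merge_issues(previous, current, max_shift=50):
    """Match each current issue to at most one previous issue.

    Two issues are the same finding if they share path, message and code
    fragment; among such candidates the one with the smallest line distance
    (at most max_shift lines) wins. Matched issues inherit the status the
    user assigned last time; unmatched current issues are new; previous
    issues left unmatched are reported as fixed.
    """
    by_key = {}
    for issue in previous:
        by_key.setdefault((issue.path, issue.message, issue.fragment), []).append(issue)

    persisting, new = [], []
    for cur in current:
        candidates = by_key.get((cur.path, cur.message, cur.fragment), [])
        best = min(candidates, key=lambda p: abs(p.line - cur.line), default=None)
        if best is not None and abs(best.line - cur.line) <= max_shift:
            candidates.remove(best)  # a previous issue can match only once
            persisting.append(replace(cur, status=best.status))
        else:
            new.append(cur)

    fixed = [p for cands in by_key.values() for p in cands]
    return {"persisting": persisting, "new": new, "fixed": fixed}


def example():
    # Constructed sample: since the previous analysis a line was inserted near
    # the top of app.js (shifting the first issue down by one), the unused
    # variable was removed, and a new redundant condition was introduced.
    prev = [
        Issue("High", "Possible null dereference", "app.js", 10, "user.name", status="ignored"),
        Issue("Medium", "Unused variable", "app.js", 40, "const tmp"),
    ]
    cur = [
        Issue("High", "Possible null dereference", "app.js", 11, "user.name"),
        Issue("Low", "Redundant condition", "app.js", 42, "if (x === x)"),
    ]
    return merge_issues(prev, cur)
```

Matching on the code fragment rather than on the line number alone is what makes the previous copy of the code necessary in a file-diff design; a Git diff, as the page says is planned, can supply the same line-shift information without keeping the files around.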

Repository cloning

Your repositories are cloned into our file system over an HTTPS connection.

Once an analysis is finished, only the latest copy of the code remains on the server, as described above. All other copies of stored code are deleted regularly.

Encryption

Like GitHub.com, we do not encrypt repositories on disk, because doing so would not increase security. The website would need to decrypt the repositories, slowing down operations and response times, and any user with shell access to the file system would also have access to the decryption routine (and the key it uses), negating any protection the encryption provides. We therefore focus on making our machines and network as secure as possible.

Deletion

Repository data (your code) is stored on the server until you delete it. You can delete your data at any time by deleting the repository from DeepScan or by deleting your account.

When you delete a project or your account, we immediately delete your code from the file system, your data from the database, and the webhook we added to your GitHub repository.

Demo and editor plugins

The demo and the current editor plugins (for VS Code and Atom) send code to our server for analysis.

The source content transmitted to the server is written to a temporary file, and that file is deleted as soon as the inspection finishes. Unlike a normal analysis, we neither keep the file nor save any derived result to the database.
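The guarantee above (the submitted source exists only as a short-lived temporary file and is removed whether or not the inspection succeeds) is easy to state and easy to get wrong. The following is an added example of how a request handler can enforce it; it is not DeepScan's code. The analyzer is a toy stand-in, and the request shape and file suffix are assumptions.

```python
# Added example (not DeepScan's code): handling a one-off inspection request
# so that the submitted source exists only as a private temporary file that
# is deleted even when the inspection fails. The toy analyzer below is a
# constructed stand-in, not DeepScan's engine.
import os
import tempfile


def run_inspection(source, inspect, suffix=".js"):
    """Write `source` to a private temp file, run `inspect(path)`, and
    delete the file whether or not the inspection succeeded.

    Returns (result, path) so a caller can confirm the path is gone.
    """
    # mkstemp creates the file with mode 0600 and O_EXCL, so another local
    # user cannot pre-create it or read the submitted code while it exists.
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(source)
        result = inspect(path)
    finally:
        # Runs on success and on exception alike, so the file never outlives
        # the request. Tolerate an inspector that already removed it.
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    return result, path


def count_eval_calls(path):
    """Toy stand-in for an analyzer: count lines that call eval()."""
    with open(path, encoding="utf-8") as f:
        return sum(1 for line in f if "eval(" in line)


def demo():
    """Happy path: inspect a constructed snippet and report whether the
    temp file survived. Expected: (1, False)."""
    sample = "const a = 1;\neval(userInput);\nconsole.log(a);\n"
    result, path = run_inspection(sample, count_eval_calls)
    return result, os.path.exists(path)


def demo_failure():
    """Failure path: the analyzer crashes mid-inspection. Returns whether the
    temp file is still on disk afterwards. Expected: False."""
    seen = {}

    def broken(path):
        seen["path"] = path
        raise RuntimeError("analyzer crashed")

    try:
        run_inspection("eval(x)", broken)
    except RuntimeError:
        pass
    return os.path.exists(seen["path"])
```

`os.unlink` removes the directory entry; it does not scrub the blocks the file occupied. If that matters for the deployment, keep the temporary directory on a memory-backed file system so the content never reaches persistent storage.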

We are also developing editor plugins and a CLI that embed our analysis engine and therefore require no code transmission at all.

Contact Us

Have a question or concern about DeepScan security? Please contact us.