Code Climate Security
We understand that security is critical, and we follow best practices and strict procedures to keep our systems, and your data, safe. We work with respected security firms, like NCCGroup, to perform regular penetration testing and audits of Code Climate and its infrastructure.
Source Code Protection
All access to source code repositories is performed using encrypted connections, either via SSH or TLS. Depending on the version control system, access to private repositories is obtained via an SSH deploy key or a token. Code Climate never writes to repositories.
Source Code Protection on Velocity
Velocity does not persist source code files. When our system analyzes source code, the analysis runs on ephemeral instances and the source code content is purged immediately after processing. We persist only file names and metrics to our database.
We’ve developed the Velocity Agent to provide organizations the flexibility to take advantage of all the Velocity features while keeping their software source code in their GitHub Enterprise instance, running on their own network.
The Velocity Agent is a lightweight component deployed as a Docker container. It processes the GitHub Enterprise webhooks and transfers aggregated data to the rest of the Velocity services hosted by Code Climate.
Velocity only ingests metadata and metrics associated with repositories and projects that have been added within the administrative user interface. For each repository, we extract pull requests, reviews, comments and Git commit metadata.
Velocity Agent never extracts source code files from the GitHub Enterprise instance. Extracted data is persisted within our hosted database to support advanced reporting.
Source Code Protection on Quality
In order to display code quality information within the web application, Quality must persist source code files.
We do not currently encrypt repositories on disk. The Code Climate website and services would need to decrypt source code on demand, slowing down updates and page response times, and any user with shell access to the file system would also have access to the decryption routine and its key material. Application-level encryption at rest would therefore protect only against theft of the underlying storage, not against an attacker who has already gained access to a running host. Instead, we focus on making our machines and network as secure as possible.
Repository data is stored on Code Climate's production servers until deleted by the user. This can be done at any time by deleting an individual repository or by deleting the account that owns a repository. We do not retroactively delete data from our backups, as we may need to restore data if it was removed accidentally.
Employee Access to Customer Data
No Code Climate staff will access private source code unless required for support reasons, or responding to an incident. In cases where staff must access source code in order to perform support, we will get your explicit consent each time, except when responding to a security issue or suspected abuse.
When working a support issue we respect your privacy as much as possible and access only the minimum files and settings needed to resolve your issue. Staff does not have direct access to clone your repository.
Single Sign On (SSO)
Our products support single sign on (SSO) via GitHub.com for authentication. Velocity additionally supports SSO with Bitbucket.com.
Our products provide role-based access control for authorization, allowing you to control who can access application settings, billing information, features, etc.
To make access control easier within larger organizations, Quality can automatically honor repository access permissions as they exist within your GitHub organization.
Password and Credential Storage
Code Climate enforces a password complexity standard, and passwords are hashed with bcrypt, a one-way adaptive hash that generates a per-password salt and embeds it, together with the cost factor, in the stored hash; plaintext passwords are never stored and cannot be recovered from the hash.
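As an added illustration (not Code Climate's own code), the following Python checks stored credential strings against a bcrypt policy. It parses the modular-crypt format that bcrypt produces, in which the algorithm version, cost factor and per-password salt are embedded alongside the digest, and flags any entry that is not bcrypt at all or whose cost is below an assumed policy floor of 12. The sample rows are constructed and do not correspond to real accounts or known passwords.

```python
"""Audit stored password hashes against a bcrypt policy.

Added example, not Code Climate's code. It checks that a stored
credential string is a bcrypt hash in modular-crypt format
($2a$/$2b$/$2y$ + two-digit cost + 22-char salt + 31-char digest)
and that the embedded cost factor meets a minimum work factor.
The sample hashes below are constructed and do not correspond to
any known password.
"""
import re

# bcrypt's base64 alphabet differs from RFC 4648: it begins with "./".
BCRYPT_ALPHABET = r"./A-Za-z0-9"
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[aby])\$(?P<cost>\d{2})\$"
    rf"(?P<salt>[{BCRYPT_ALPHABET}]{{22}})(?P<digest>[{BCRYPT_ALPHABET}]{{31}})$"
)

# Assumption: policy floor. bcrypt's cost is log2 of the key-setup iterations,
# so each increment doubles the work an attacker needs per guess.
MIN_COST = 12


def parse_bcrypt(stored: str) -> dict:
    """Split a bcrypt hash into version, cost, salt and digest.

    Raises ValueError if the string is not a well-formed bcrypt hash.
    """
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's valid range 4..31")
    return {
        "version": m.group("version"),
        "cost": cost,
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def audit_hash(stored: str, min_cost: int = MIN_COST) -> tuple[bool, str]:
    """Return (compliant, reason) for one stored credential string."""
    try:
        parts = parse_bcrypt(stored)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if parts["cost"] < min_cost:
        return False, f"weak: cost {parts['cost']} below policy minimum {min_cost}"
    return True, f"ok: bcrypt {parts['version']} cost {parts['cost']}"


# Constructed sample rows, shaped like a users-table dump (hypothetical data).
SAMPLE_ROWS = {
    "alice": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "bob":   "$2a$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "carol": "3a7bd3e2360a3d29eea436fcfb7e44c7",  # 32 hex chars: unsalted MD5-style digest
    "dave":  "hunter2",                            # plaintext, never acceptable
}


def audit_table(rows: dict) -> dict:
    """Audit every row and return {user: (compliant, reason)}."""
    return {user: audit_hash(h) for user, h in rows.items()}


if __name__ == "__main__":
    for user, (ok, reason) in audit_table(SAMPLE_ROWS).items():
        print(f"{user:6} {'PASS' if ok else 'FAIL'}  {reason}")
```

Only alice passes: bob's hash is genuine bcrypt but was generated with cost 4, the lowest bcrypt allows, so it fails the work-factor floor; carol's and dave's strings are not bcrypt at all. The same check, with the floor adjusted to your policy, is a cheap control to run against a credentials table before and after a migration.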
Uptime and Status
Our systems have uptime of 99% or higher, and we proactively post status updates for production incidents. You can check our current and historic status at https://status.codeclimate.com/
Network and Application Security
Data Hosting and Storage
Code Climate hosts its infrastructure and data in Amazon Web Services (AWS). We follow AWS' best practices, which allow us to take advantage of their secure, distributed, fault-tolerant environment. To find out more about AWS security practices, see: https://aws.amazon.com/security/.
Failover and Disaster Recovery
Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across three AWS availability zones and systems will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.
Back Ups and Monitoring
Code Climate uses automation to back up all datastores that contain customer data. At the application level, we produce audit logs for all activity, forward logs to centralized storage for analysis, and use S3 for archival.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. All access to the Code Climate websites is restricted to HTTPS encrypted connections.
Code Climate enforces strong password requirements and 2-factor authentication (2FA) on GitHub, Google and AWS to protect access to our cloud services.
All data sent to or from Code Climate systems is encrypted in transit using 256-bit encryption. Sensitive data such as tokens and credentials are stored in a secured database, salted and encrypted. We maintain an A+ rating on the Qualys SSL Labs server test.
Pentests and Vulnerability Scanning
Code Climate uses third party security tools to continuously scan for vulnerabilities. We regularly engage third-party security firms like NCCGroup to perform thorough penetration tests on our application and infrastructure.
Code Climate implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation and a post-mortem review. All employees are informed of our policies.
Additional Security Information
All Code Climate employees complete security awareness training annually.
Code Climate has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Code Climate performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
All employee contracts include a confidentiality agreement.
Code Climate headquarters employs door personnel and badge access is required at all hours. Visitors are required to sign in and be escorted at all times.
When you purchase a paid Code Climate subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available online.
Reporting An Issue
Your input and feedback on our security as well as responsible disclosure is always appreciated. If you've discovered a security concern, please email us at firstname.lastname@example.org. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to promptly address any issues that arise.
Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated, and we won't take legal action against you if you act accordingly.
Thank you for helping us keep Code Climate safe. We'd also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:
- Ishan Anand
- Kamil Sevi
- Manish Kumar Yadav
- Narendra Bhati
- Yogendra Sharma
- Aditya Agrawal
- Zee Shan
- Stefan Sundin
- Harry Gertos
- Md. Nur A Alam Dipu
- Ismail Tasdelen
Note: We appreciate reports for any and all security issues, but we reserve listing on this page for people who have disclosed unknown vulnerabilities of high or critical severity, or have helped us in an ongoing manner.