Code Climate Security
I understand the security of your company's source code is extremely important. This page describes select measures we employ to ensure your code is safe. If you have any questions, please don't hesitate to contact us.
Founder, Code Climate
- Systems are hosted in ISO 27001 and FISMA certified data centers managed by Amazon Web Services
- Physical access is strictly controlled both at the perimeter and at building ingress points
- Data centers employ onsite security staff, video surveillance, and intrusion detection systems
- Authorized staff must pass two-factor authentication a minimum of two times to access data center floors
- Data centers are housed in nondescript facilities
- Physical security verified by third-party auditors
For more information see https://aws.amazon.com/security/.
System and operational security
- Security policies and procedures, regularly reviewed as part of the Amazon Web Services SSAE 16 Type II audit process
- Systems access logged and tracked for auditing purposes.
- Regular system patching processes to provide ongoing protection from exploits
- Firewall to prohibit unauthorized system access
- Intrusion detection systems to provide an additional layer of protection against unauthorized system access
File systems and communication
All access to the Code Climate website is restricted to HTTPS encrypted connections.
User passwords are secured with BCrypt. They are never stored in the database in plaintext and are not readable by staff. Passwords do provide access to the Code Climate website, however, and it is the responsibility of the end user to protect their password with care. Code Climate also offers and recommends optional two-factor authentication for users who would like additional authentication security.
Code Climate never collects or stores passwords for external applications like GitHub, Campfire, HipChat etc. Integration with third-party apps is done via either OAuth or API keys.
Velocity does not store source code files. Velocity executes code analysis of source code on instances that are ephemeral and setup in an isolated way preventing SSH access.
Private source code is transmitted over SSH connections authenticated with SSH keys and not passwords. Each project added to Code Climate is assigned a unique SSH key which is added to your Git server as a "deploy key". As a static analysis tool, Code Climate never executes source code provided by its users.
Like GitHub.com, we do not encrypt repositories on disk because it would not increase security. The Code Climate website and workers would need to decrypt the source code on demand, slowing down updates and page response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.
Repository data is stored on Code Climate's production servers until deleted by the user. This can be done at anytime by deleting an individual repository or by deleting the account that owns a repository. We do not retroactively delete data from our backups, as we may need to restore data if it was removed accidentally.
No Code Climate staff will access private source code unless required for support reasons. In cases where staff must access source code in order to perform support, we will get your explicit consent each time, except when responding to a critical security issue or suspected abuse.
When working a support issue we do our best to respect your privacy as much as possible, we only access the minimum files and settings needed to resolve your issue. Staff does not have direct access to clone your repository.
Finally, it's worth noting that Code Climate's staff is quite small, limiting the number of individuals who would provide you support.
Credit card safety
When you purchase a paid Code Climate subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available online.
Reporting a security concern
Your input and feedback on our security as well as responsible disclosure is always appreciated. If you've discovered a security concern, please email us at firstname.lastname@example.org. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to address any issues that arise ASAP.
Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated and we won't take legal action against you if act accordingly.
Thank you for helping us keep Code Climate safe. We'd also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:
- Ishan Anand
- Kamil Sevi
- Manish Kumar Yadav
- Narendra Bhati
- Yogendra Sharma
- Aditya Agrawal
- Zee Shan
- Stefan Sundin
- Harry Gertos
- Md. Nur A Alam Dipu
- Ismail Tasdelen
Note: We appreciate reports for any and all security issues, but we reserve listing on this page for people who have disclosed unknown vulnerabilities of high or critical severity, or have helped us in an ongoing manner.