Security is core to everything we do

We know that source code is one of your most sensitive assets. Every component of Sourcegraph was designed with security in mind. We've detailed our strict production security guidelines for customers below.

We don't stop at keeping your code safe. When your team's developers use Sourcegraph, they can discover and use your own security best practices much more easily in your own code. Your team can also more easily enforce security standards during code review.

If you have specific questions or concerns, contact us at [email protected].

If you think you have discovered a security vulnerability in our product, please follow our instructions on how to report a security vulnerability.

Sourcegraph on-premise

Sourcegraph instances that host private code are typically deployed on-premise and therefore Sourcegraph employees have no access to customer data or code.

Self-hosted Sourcegraph instances do not send any customer code to other servers.

Additionally, other than the email address of the initial installer (for customer support, security, and product notification purposes), Sourcegraph never sends any private user data, such as usernames or email addresses, or other specific data to any other servers, including to sourcegraph.com.

Learn more in our pings documentation.

Code host ACLs

Sourcegraph can be configured to enforce repository permissions from code hosts. Unit and integration tests protect the correctness of these permissions checks.

Data access

When running Sourcegraph on your own infrastructure, all application logs are stored locally, and never shared with Sourcegraph. Sourcegraph employees and contractors never have access to your Sourcegraph instance, or any of its data, unless explicitly shared for troubleshooting purposes.

We maintain the following policies for sourcegraph.com data and any data provided via email or other support channels:

  • Access to all internal systems is protected by multi-factor authentication. Access is restricted to those who require it to perform their job, and is regularly reviewed and revoked upon termination or when no longer needed.
  • Service, application, and access logs for sourcegraph.com are stored centrally by Sourcegraph and monitored.
  • Company policy prevents customer data from being downloaded to portable devices, such as phones, that don't have device management software in place.
  • Sourcegraph deploys Mobile Device management (MDM) for centralized management of remote devices.
  • Laptops have encrypted hard drives.

Network security

When running Sourcegraph on your own infrastructure, you are protected by the network security policies enforced by your infrastructure environment.

On sourcegraph.com, we maintain the following policies:

  • All production systems are hosted on Google Cloud Platform (https://cloud.google.com/security/), where all storage volumes are encrypted at rest, and data is encrypted in-cloud during transport.
  • All external network communication between production services occurs over TLS.
  • External access to production systems is restricted by firewall. Secrets that grant access to compute resources are stored only on encrypted local drives or a secret management service.
  • Our dedicated security team at Sourcegraph handles all security escalations, and is available 24x7x365.
  • Customer data can be permanently wiped from all primary and backup systems within 7 days of request.

Site security

Sourcegraph supports HTTPS encryption when deployed on your own infrastructure.

On sourcegraph.com, we maintain the following policies:

  • All traffic to sourcegraph.com is transmitted over HTTPS.
  • Our operations team monitors service availability 24x7x365. They investigate alerts and potential attacks 24x7x365, triaging and responding if necessary.

Development

Code reviews are mandatory for all code changes to our product. Security-sensitive pull requests must undergo review by the proper security code owner. Furthermore, internally, we use our own product to provide critical context during code reviews (such as identifying dependencies of modified code).

We use a number of static analysis tools to identify security risks in development, including the following:

  • Language-specific linters
  • Notifications and alerts for risky code patterns using Sourcegraph saved searches
  • Code coverage tools to ensure unit test coverage
  • End-to-end tests to validate authentication workflows
  • Tools such as Dependabot and GitHub security advisories to identify security vulnerabilities in our code and in dependencies

Updates

Sourcegraph follows commonly recognized best practices for updating software dependencies.

  • We monitor source-level dependencies for CVE patches.
  • We monitor the Alpine Linux release notes to be aware of patches for CVEs and upgrade our base Docker images as necessary.
  • If we are alerted to a vulnerability that exists in a version of Sourcegraph that would compromise the privacy of a customer's code, we will notify the affected customers immediately. Patch releases that fix the vulnerability will be prioritized as a P0, which means work will commence immediately rather than waiting until the next planning phase.

Customers are encouraged to update to the latest release of Sourcegraph every month. This will ensure that their Sourcegraph instance has the latest security-related updates. New releases are published on the 20th of every month, so customers that wish to stay up-to-date can set monthly calendar reminders, or subscribe to Sourcegraph emails to receive the following updates: