Security

Our Security

Sleeek is a solution that requires access to customers’ Git repositories on GitLab and GitHub in their cloud servers, and collects data for analysis in order to gain insights into code. It is our highest priority to keep your source code as secure as possible, with multiple levels of security protocols.

Built with industry-best security practices


Secured storage footprint

  • We encrypt code before storing it in our cloud servers

  • Storage itself uses Amazon EBS Encryption

  • Analysis server and storage server cannot be accessed even by Sleeek developers


Facilitate opt-out

  • When a repository is de-registered, the related data is purged

  • All data is promptly removed if you terminate service

  • Your account is not shared with others


Why do you need write access to my repos?

For GitHub, we need only read access to the entire repository to enable our code analysis. Please refer to GitHub App Permissions.

On the other hand, GitLab's scopes for API access do not differentiate between "read" and "write" access. Hence, even though we only read data from your commit diffs, we have to use the full API access scope to read it (the "read" scope only lets us clone repositories, which we do not do).


What do you do with each of the authorizations you ask for?

For GitHub:

  • "Read-only" Permission on "administration" for Repository

  • "Read-only" Permission on "contents" for Repository

  • "Read-only" Permission on "issues"

  • "Read-only" Permission on “Repository metadata”

  • "Read-only" Permission on "pull requests"

  • "Read-only" Permission on "single file"

  • "Read-only" Permission on "statuses" for Commit

  • "Read-only" Permission on "members" for Organization

For GitLab:

  • "api" grants complete access to the API and Container Registry (read/write) (introduced in GitLab 8.15). Required for accessing Git repositories over HTTP when 2FA is enabled.

  • "read_repository" allows read access (pull) to the repository through git clone.

These authorization scopes are pretty broad and cannot be constrained to specific actions. However, we will never create pull requests, merge pull requests, or delete branches without your explicit approval. Here's some information on GitHub Apps authorization scope and GitLab's token scopes. You can revoke all of these permissions at any time via your Authorized GitHub Apps and Installed GitHub Apps settings pages on GitHub, or your Applications page on GitLab, but doing so may result in an interruption of service.
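As an added example (not Sleeek's own code), the following Python check lets a repository owner verify an installed GitHub App against the list above: it takes the `permissions` object of an installation record as returned by the GitHub REST API (for example from `GET /user/installations`) and reports any grant that is not read-only or that is not in the declared set. The installation record below is constructed for illustration.

```python
from typing import Dict, List

# Permission keys as they appear in a GitHub App installation record,
# corresponding to the read-only permissions listed on this page.
EXPECTED_READ_ONLY = {
    "administration", "contents", "issues", "metadata",
    "pull_requests", "single_file", "statuses", "members",
}


def audit_installation_permissions(permissions: Dict[str, str]) -> List[str]:
    """Return a list of findings for one installation's `permissions` dict
    (e.g. {"contents": "read", "issues": "write"}).
    An empty list means every grant is read-only and matches the declared set."""
    findings: List[str] = []
    for name, level in permissions.items():
        # Any access level other than "read" is an escalation beyond what is declared.
        if level != "read":
            findings.append(f"{name}: granted '{level}', expected 'read'")
        # A permission the page does not list should be questioned even if read-only.
        if name not in EXPECTED_READ_ONLY:
            findings.append(f"{name}: not in the declared permission set")
    # Declared permissions that are absent are a mismatch worth noting too.
    for name in sorted(EXPECTED_READ_ONLY - permissions.keys()):
        findings.append(f"{name}: declared but not granted")
    return findings


# Constructed sample record: "contents" escalated to write and an
# undeclared "workflows" permission added, to show how findings look.
SAMPLE_INSTALLATION = {
    "id": 0,  # placeholder installation id
    "permissions": {
        "administration": "read", "contents": "write", "issues": "read",
        "metadata": "read", "pull_requests": "read", "single_file": "read",
        "statuses": "read", "members": "read", "workflows": "write",
    },
}

if __name__ == "__main__":
    for finding in audit_installation_permissions(SAMPLE_INSTALLATION["permissions"]):
        print("FINDING:", finding)
```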


Where is my data stored?

As we analyze your code, we store lines that are relevant to the specific commits being analyzed.

Sleeek is built on Amazon’s AWS. To find out more information about Amazon’s security and infrastructure, please visit their security statement: https://aws.amazon.com/security/.

The source code lines are stored in an encrypted file system on top of encrypted storage. The analysis server instances and storage instances are not accessible to human users. These instances are built automatically, and only the applications running on these instances can access the stored source code.

Who has access to my imported data?

The development team at Sleeek has access to the main Sleeek cloud database. Sleeek developers are permitted to simulate account login only for the purposes of debugging problems you may report to us.

Contact: support@sleeek.io

ref. Sleeek system structure
