100% free for Open Source, forever. Get another set of eyes on your code.

Code Climate Security

I understand the security of your company's source code is extremely important. This page describes select measures we employ to ensure your code is safe. If you have any questions, please don't hesitate to contact us.

-Bryan


Bryan Helmkamp
Founder, Code Climate

Physical security

For more information see https://aws.amazon.com/security/.

System and operational security

We work with multiple respected security firms (like Matasano and Lift Security) to perform regular penetration testing and audits of Code Climate and its infrastructure.

File systems and communication

All access to the Code Climate website is restricted to HTTPS encrypted connections. Private source code is transmitted over SSH connections authenticated with SSH keys and not passwords. Each project added to Code Climate is assigned a unique SSH key which is added to your Git server as a "deploy key". As a static analysis tool, Code Climate never executes source code provided by its users.

User passwords are secured with BCrypt. They are never stored in the database in plaintext and are not readable by staff. Passwords do provide access to the Code Climate website, however, and it is the responsibility of the end user to protect their password with care. Code Climate also offers and recommends optional two-factor authentication for users who would like additional authentication security.

Code Climate never collects or stores passwords for external applications like GitHub, Campfire, HipChat etc. Integration with third-party apps is done via either OAuth or API keys.

Like GitHub.com, we do not encrypt repositories on disk because it would not increase security. The Code Climate website and workers would need to decrypt the source code on demand, slowing down updates and page response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.

Repository data is stored on Code Climate's production servers until deleted by the user. This can be done at anytime by deleting an individual repository or by deleting the account that owns a repository. We do not retroactively delete data from our backups, as we may need to restore data if it was removed accidentally.

Employee access

No Code Climate staff will access private source code unless required for support reasons. In cases where staff must access source code in order to perform support, we will get your explicit consent each time, except when responding to a critical security issue or suspected abuse.

When working a support issue we do our best to respect your privacy as much as possible, we only access the minimum files and settings needed to resolve your issue. Staff does not have direct access to clone your repository.

Finally, it's worth noting that Code Climate's staff is quite small, limiting the number of individuals who would provide you support.

Credit card safety

When you purchase a paid Code Climate subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available online.

Reporting a security concern

Your input and feedback on our security as well as responsible disclosure is always appreciated. If you've discovered a security concern, please email us at security@codeclimate.com. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to address any issues that arise ASAP.

Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated and we won't take legal action against you if act accordingly.

Thanks!

Thank you for helping us keep Code Climate safe. We'd also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:

Note: We appreciate reports for any and all security issues, but we reserve listing on this page for people who have disclosed unknown vulnerabilities of high or critical severity, or have helped us in an ongoing manner.