Rocro is committed to accelerating the software development process by effectively reducing the time and labor spent by developers on code review, load testing, and API documentation. Our tools are engineered to bring faster results with utmost accuracy and optimization while keeping an eye on security and privacy.
We, at Rocro, know that your source code is of key importance for your business. Thus, to protect it, we implement the following security measures:
Rocro relies upon GitHub/Bitbucket as identity providers. This means we can analyze your source code in a secure manner, without having access to your login credentials. At any time, you can review the access levels granted to Rocro and even revoke them.
Rocro uses an OAuth Token to access your GitHub/Bitbucket repositories and follows the privileges you agree with when the repository is registered. The access levels are defined by GitHub/Bitbucket. Here is a summary of the actions each category of users can perform:
Users with read privileges:
Users with write privileges:
Users with admin privileges:
It is important to note that Admin access to a repository is needed to register it with Inspecode.
To provide the maximum level of security, Rocro’s tools are engineered to follow the principle of least privilege. Thus, every module accesses only the information and resources that are necessary for its legitimate purpose.
Both GitHub and Bitbucket provide support for authorization scopes which are designed to let users specify exactly what type of access they would like to grant to a specific application such as Rocro. Scopes only limit access for OAuth tokens. They never grant any additional permissions beyond that which the application already has.
When setting up the access for Rocro on GitHub, requested scopes are displayed on the authorization form:
You can read how the GitHub authorization scopes work here.
If you are setting up the access with Bitbucket, a similar authorization form will be displayed:
More details regarding Bitbucket’s authorization scopes can be found here.
It is important to note that Rocro doesn’t need all these rights and does not make use of them. However, as of May 2018, neither GitHub nor Bitbucket provides more granularity in defining access levels.
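Because a coarse scope such as `repo` implies several finer ones, the effective access a token carries is wider than the list shown on the authorization form. The following audit script is an added example (not Rocro’s code) that expands a token’s granted scopes through GitHub’s documented scope hierarchy and reports what is missing or in excess of a required set; the header value and the required set are constructed for illustration, and the hierarchy table covers only the scopes relevant here.

```python
"""Audit a GitHub classic OAuth token's granted scopes against what a tool needs.

GitHub reports the scopes a classic OAuth token carries in the X-OAuth-Scopes
response header of any API call made with that token. The scope names and the
implication tree below are GitHub's documented ones (a subset); the REQUIRED
set and the header values used at the bottom are constructed for this example.
"""

# Parent scope -> scopes it implies (GitHub's documented hierarchy, subset).
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "admin:repo_hook": {"write:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:org": {"write:org"},
    "write:org": {"read:org"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:public_key": {"write:public_key"},
    "write:public_key": {"read:public_key"},
}


def expand(scopes):
    """Return every scope effectively granted, following implications transitively."""
    granted, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope in granted:
            continue
        granted.add(scope)
        stack.extend(IMPLIES.get(scope, ()))
    return granted


def parse_scopes_header(value):
    """Parse an X-OAuth-Scopes value such as 'repo, read:org' into a set."""
    return {s.strip() for s in value.split(",") if s.strip()}


def audit(header_value, required):
    """Return (missing, excess): required scopes the token lacks, and scopes it
    effectively holds (directly or by implication) beyond the required set."""
    effective = expand(parse_scopes_header(header_value))
    needed = expand(required)
    return sorted(needed - effective), sorted(effective - needed)


if __name__ == "__main__":
    # Constructed header value and requirement set, not taken from any real token.
    missing, excess = audit("repo, admin:repo_hook, user",
                            {"repo:status", "read:repo_hook", "user:email"})
    print("missing:", missing)
    print("excess:", excess)
```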
In practice, Rocro uses the following privileges:
Read access to:
Write access to:
Admin access for:
As mentioned, Rocro is committed to protecting customers’ privacy and security. To do so, we store the minimum amount of personal information.
We currently store only email addresses on our servers.
Since our tools are engineered to follow the principle of least privilege, Rocro stores only information related to the source code (similar to metadata), not the source code itself.
To achieve this, we pull the source code from GitHub/Bitbucket each time a processing job is executed. Then, the source code and its dependencies are downloaded to an independent container. Once the job is completed, the container is discarded.
As mentioned, Rocro keeps information (like metadata) related to the analyzed source code:
In most cases, the default libraries required to process repositories are destroyed together with the source code when the analysis task is completed and the container is discarded. However, these libraries could also be cached to speed up the process. When cached, the libraries are encrypted and securely saved on Rocro’s servers for a period no longer than one month.
With Rocro, data is always secure and encrypted. All communication between your computer and our servers, and between our servers and GitHub/Bitbucket, is secured using HTTPS. The SSH key registered on GitHub/Bitbucket is a 4096-bit RSA key. Furthermore, the information saved on Rocro’s servers is always encrypted using AES-256.
As a result, you can rest assured that your source code is protected both at rest and while in transit.