About Rocro's Security

Rocro is committed to accelerating the software development process by effectively reducing the time and labor spent by developers on code review, load testing, and API documentation. Our tools are engineered to bring faster results with utmost accuracy and optimization while keeping an eye on security and privacy.

We, at Rocro, know that your source code is of key importance for your business. Thus, to protect it, we implement the following security measures:

Authentication

Rocro relies upon GitHub/Bitbucket as identity providers. This means we can analyze your source code in a secure manner, without having access to your login credentials. At any time, you can review the access levels granted to Rocro and even revoke them.

Authorization

Rocro uses an OAuth token to access your GitHub/Bitbucket repositories and follows the privileges you agree to when the repository is registered. The access levels are defined by GitHub/Bitbucket. Here is a summary of the actions each category of users can perform:

Users with read privileges:

  • View a job's history and execution log
  • View a job's deliverables, such as the report in Inspecode

Users with write privileges:

  • Cancel / Retry a job
  • Delete cache

Users with admin privileges:

  • Register / Unregister a repository
  • Change various settings related to the repository (notification settings, regeneration of Webhook / Deploy key, specify the branch to be monitored)

It is important to note that Admin access to a repository is needed to register it with Inspecode.

Scope of the authorization request

To provide the maximum level of security, Rocro’s tools are engineered to follow the principle of least privilege. Thus, every module will access only the information and resources that are necessary for its legitimate purpose.

Both GitHub and Bitbucket provide support for authorization scopes which are designed to let users specify exactly what type of access they would like to grant to a specific application such as Rocro. Scopes only limit access for OAuth tokens. They never grant any additional permissions beyond that which the application already has.

When setting up the access for Rocro on GitHub, requested scopes are displayed on the authorization form:

[Image: GitHub authorization form showing the requested scopes]

You can read how the GitHub authorization scopes work here.

If you are setting up the access with Bitbucket, a similar authorization form will be displayed:

[Image: Bitbucket authorization form showing the requested scopes]

More details regarding Bitbucket’s authorization scopes can be found here.

It is important to note that Rocro doesn’t need all these rights and does not make use of them. However, as of May 2018, neither GitHub nor Bitbucket provides more granularity in defining access levels.

In practice, Rocro uses the following privileges:

Read access to:

  • User's email address
  • List of repositories belonging to Organization
  • Commit information
  • Branch/tag information
  • Source code

Write access to:

  • Update Commit Status
  • Push access over HTTPS (when auto-fix is enabled for Bitbucket)

Admin access for:

  • Adding or deleting a deploy key
  • Adding or deleting a webhook

Personal data

As mentioned, Rocro is committed to protecting customers’ privacy and security. To do so, we store the minimum amount of personal information.

For free users, we currently save only their email addresses on our servers.

For paid users, all the data related to billing is handled by Stripe, our payment processor of choice. The personal information needed for billing purposes is as follows: name, email address, street address, credit card information. For more details regarding Stripe’s privacy policy, please check the details here.

Non-retention of source code

Since our tools are engineered to follow the principle of least privilege, Rocro stores only information related to the source code (similar to metadata), not the source code itself.

To achieve this, we pull the source code from GitHub/Bitbucket each time a processing job is executed. Then, the source code and its dependencies are downloaded to an independent container. Once the job is completed, the container is discarded.

As mentioned, Rocro keeps information (like metadata) related to the analyzed source code:

  • Inspecode saves details about identified issues, such as the tool message, the line number of the identified problem, and so on. It is important to mention that the code displayed in the snippets is pulled from GitHub/Bitbucket when requested, using the requester’s OAuth token. Inspecode does not save or cache source code.

In most cases, the default libraries required to process repositories are destroyed together with the source code when the analysis task is completed and the container is discarded. However, these libraries could also be cached to speed up the process. When cached, the libraries are encrypted and securely saved on Rocro’s servers for a period no longer than one month.

Rocro uses cookies to identify users on the website and Google Analytics to get the useful information needed in order to keep improving our services. For details regarding Google Analytics’ privacy policy, please refer to Use of Google data by Google partner sites and apps.

Encryption

With Rocro, data is always secure and encrypted. All the communication between your computer and our servers, and between our servers and GitHub/Bitbucket, is secured using HTTPS. The SSH key registered on GitHub/Bitbucket relies on a 4096-bit RSA key. Furthermore, the information saved on Rocro’s servers is always encrypted using AES-256.
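If you want to verify on your side that the deploy key Rocro registered on your repository really is a 4096-bit RSA key, the following added example (not Rocro's own code) parses an OpenSSH public key line using only the standard library and checks it against that requirement. The two sample key lines are constructed in the block from synthetic moduli; they are not real keys.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:
    # SSH mpint: minimal big-endian bytes, with a leading 0x00 if the top bit is set
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def parse_ssh_public_key(line: str) -> dict:
    """Decode an OpenSSH public key line ('<type> <base64-blob> [comment]')."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if off != len(blob) or not fields or fields[0].decode() != key_type:
        raise ValueError("malformed key blob or type mismatch")
    if key_type == "ssh-rsa":
        # fields: "ssh-rsa", mpint e, mpint n; key size is the bit length of n
        modulus = int.from_bytes(fields[2], "big")
        return {"type": key_type, "bits": modulus.bit_length()}
    return {"type": key_type, "bits": None}  # e.g. ssh-ed25519: no RSA modulus

def meets_rsa4096_policy(line: str) -> bool:
    """True only for an RSA key of at least 4096 bits, as stated in the policy above."""
    info = parse_ssh_public_key(line)
    return info["type"] == "ssh-rsa" and info["bits"] is not None and info["bits"] >= 4096

def _constructed_rsa_line(bits: int, comment: str) -> str:
    # Constructed sample only: the modulus is just an odd number of the requested size
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEY_OK = _constructed_rsa_line(4096, "inspecode-deploy-key (constructed)")
SAMPLE_KEY_WEAK = _constructed_rsa_line(2048, "old-deploy-key (constructed)")

if __name__ == "__main__":
    for line in (SAMPLE_KEY_OK, SAMPLE_KEY_WEAK):
        print(parse_ssh_public_key(line), meets_rsa4096_policy(line))
```

Paste the key shown in your repository's deploy-key settings in place of the constructed samples; `ssh-keygen -l -f <file>` gives the same bit length for comparison.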

As a result, you can rest assured that your source code is protected both at rest and while in transit.
