Security Practices

How we keep your code and data safe

How We Handle Your Code

When you submit a repository for analysis, we perform a shallow clone (truncated history rather than the full commit log), run our analysis pipeline against it, and delete the clone as soon as processing completes. Your source code is never retained on our servers beyond the time needed for analysis; the only code that persists is the short snippets quoted in findings, described below.

No Code Storage

  • Source code is cloned temporarily and deleted after analysis.
  • Only metadata and findings are stored — file paths, line numbers, issue descriptions, scores, and metrics.
  • Code snippets included in findings are limited to the minimum context needed to understand the issue.
  • We never share your raw source code with third parties.

Encryption

  • TLS everywhere — All connections to Repobility are encrypted with TLS 1.2+.
  • HSTS enabled — HTTP Strict Transport Security headers are set so that browsers refuse to connect to Repobility over plaintext HTTP, defeating SSL-stripping downgrade attacks.
  • Data at rest — Database and file storage are encrypted at rest.
  • Secure tokens — Service API keys are generated with cryptographically secure randomness, hashed at rest, scoped, expirable, and revocable.
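The service API key lifecycle in the Encryption list (random generation, hash-at-rest, scope, expiry, revocation) as an added example. This is illustrative code written for this page, not Repobility's implementation; the `rpb_` prefix, the `key_id.secret` token layout, the in-memory store and the scope names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Token prefix and layout are assumptions for this example, not Repobility's format.
PREFIX = "rpb"


@dataclass
class ApiKeyRecord:
    key_id: str            # public lookup handle, safe to write to logs
    secret_hash: bytes     # SHA-256 of the secret; the plaintext secret is never stored
    scopes: frozenset      # what the key may do, e.g. {"repo:read"}
    expires_at: float      # Unix time after which the key stops working
    revoked: bool = False


class ApiKeyStore:
    """In-memory stand-in for a key table (constructed for the example)."""

    def __init__(self):
        self._records = {}

    def issue(self, scopes, ttl_seconds, now=None):
        """Create a key and return the full token; this is the only time it is shown."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)          # 64 random bits; hex, so it never contains '.'
        secret = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._records[key_id] = ApiKeyRecord(
            key_id=key_id,
            # A 256-bit random secret cannot be guessed by dictionary attack, so a fast
            # hash is the right choice here; bcrypt is for low-entropy user passwords.
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            scopes=frozenset(scopes),
            expires_at=now + ttl_seconds,
        )
        return f"{PREFIX}_{key_id}.{secret}"

    def revoke(self, key_id):
        self._records[key_id].revoked = True

    def describe(self, key_id):
        """Non-secret metadata for admin listings; never exposes the hash."""
        r = self._records[key_id]
        return {"scopes": sorted(r.scopes), "expires_at": r.expires_at, "revoked": r.revoked}

    def authorize(self, presented, required_scope, now=None):
        """Return (allowed, reason). The reason is for audit logs, not the HTTP response."""
        now = time.time() if now is None else now
        try:
            prefix, rest = presented.split("_", 1)
            key_id, secret = rest.split(".", 1)
        except ValueError:
            return False, "malformed"
        if prefix != PREFIX:
            return False, "malformed"
        record = self._records.get(key_id)
        if record is None:
            return False, "unknown"
        candidate = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison: a plain == would leak how many leading bytes matched.
        if not hmac.compare_digest(record.secret_hash, candidate):
            return False, "bad_secret"
        if record.revoked:
            return False, "revoked"
        if now >= record.expires_at:
            return False, "expired"
        if required_scope not in record.scopes:
            return False, "scope"
        return True, "ok"
```

Splitting the token into a public key ID and a secret lets the database look the record up by ID and store only the hash of the secret, so a leaked key table gives an attacker nothing usable; the scope, expiry and revoked flag all live on the record, so a compromised key can be cut off without touching the client.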

Authentication

  • Provider tokens — Private repository credentials are stored encrypted and used only for runtime clone, API, and change-check operations.
  • Bcrypt passwords — For email-based accounts, passwords are hashed using bcrypt, a salted and deliberately slow hash, with a high work factor.
  • Session security — Sessions are secured with HttpOnly, Secure, and SameSite cookie attributes.
  • CSRF protection — All state-changing operations are protected against cross-site request forgery.
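The session-cookie attributes and CSRF protection from the Authentication list, as an added example using only the Python standard library. This is not Repobility's code; the cookie name `sid`, the HMAC-bound CSRF token scheme, the form field name `csrf_token` and the server secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: in a real deployment this secret comes from a secrets manager and
# survives restarts; generating it at import time is only for the stand-alone example.
SERVER_SECRET = secrets.token_bytes(32)
SESSION_COOKIE = "sid"   # cookie name is an assumption


def new_session_id():
    """256 bits from the OS CSPRNG; unguessable, so it can stand in for the user."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """Build the Set-Cookie value with the three attributes the page lists."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["httponly"] = True   # not readable from document.cookie (XSS cannot steal it)
    c[SESSION_COOKIE]["secure"] = True     # only sent over HTTPS
    c[SESSION_COOKIE]["samesite"] = "Lax"  # not attached to cross-site POSTs
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="").strip()


def csrf_token_for(session_id):
    """Synchronizer-style token bound to the session with an HMAC, so no server-side
    token table is needed and a token stolen from one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method):
    # Safe methods must have no side effects; everything else needs the CSRF check.
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def check_request(method, cookie_header, form):
    """Return (allowed, reason) for an incoming request. cookie_header is the raw
    Cookie header value; form is the parsed body of the request."""
    c = SimpleCookie(cookie_header or "")
    if SESSION_COOKIE not in c:
        return False, "no_session"
    sid = c[SESSION_COOKIE].value
    if not is_state_changing(method):
        return True, "safe_method"
    presented = form.get("csrf_token", "")
    # compare_digest prevents a timing side channel on the token comparison.
    if not hmac.compare_digest(presented, csrf_token_for(sid)):
        return False, "csrf_mismatch"
    return True, "ok"
```

SameSite=Lax already blocks most cross-site POSTs in current browsers, but the explicit token check still matters for older clients and for same-site subdomains an attacker might control, which is why both controls are applied together.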

Infrastructure Security

  • Docker isolation — Each analysis job runs in an isolated Docker container with limited privileges and resource constraints.
  • Rate limiting — API and analysis endpoints are rate-limited to prevent abuse and ensure fair usage.
  • Dependency scanning — We regularly scan our own dependencies for known vulnerabilities.
  • Minimal permissions — Services run with the least privilege necessary.

Responsible Disclosure

If you discover a security vulnerability in Repobility, we encourage responsible disclosure. Please report it to [email protected].

  • We will acknowledge receipt within 48 hours.
  • We will work with you to understand and resolve the issue promptly.
  • We will not pursue legal action against researchers who follow responsible disclosure practices.

Bug Bounty Program

We maintain a bug bounty program for qualifying security vulnerabilities. Severity, scope, and reward details are available upon request. Contact [email protected] for our current bug bounty policy and scope.