Security at Sourcegraph

We know that source code is one of your most sensitive assets. Every component of Sourcegraph was designed with security in mind.

Contact our security team
Product Security
Trust & Compliance
Bug Bounty

Sourcegraph Cloud

Infrastructure

  • All infrastructure is hosted on Google Cloud Platform and managed through Terraform.
  • Customer instances are provisioned in fully segregated GCP environments, ensuring that customer data is fully segregated.
  • All storage volumes are encrypted at rest, and data is encrypted during transport from code host to cloud environment.
  • Sourcegraph leverages permission management tools for just-in-time access and group based permissions to enforce least privilege access across our cloud infrastructure.
  • Domains are managed through Cloudflare and use its security capabilities, like Web Application Firewall and Rate Limiting.
  • External access to production systems is restricted by firewall. Secrets that grant access to compute resources are stored only on encrypted local drives or a secret management service.
  • Instances are updated monthly, and are actively maintained to keep the service up and healthy.
  • Instances are updated for security patches as needed, according to Sourcegraph's Vulnerability Management Policy.
Monitoring and Incident Response
  • Our operations team monitors service availability 24x7x365. They investigate alerts and potential attacks 24x7x365, triaging and responding when necessary.
  • We only log information crucial for security and support. Only restricted personnel have access to user data. Logs are stored in GCP and the information is retained for up to 365 days. Find out more in our Privacy Policy.
  • Service, application, and access logs are stored centrally by Sourcegraph and monitored.You can find more details in our Incident Response Policy.
  • Only restricted Sourcegraph employees have access to a customer's instance, strictly for support and maintenance purposes. Access is logged and monitored.
  • Sourcegraph employees access the instance through secure SSO means, ensuring MFA protections and more.

Sourcegraph self-hosted

Sourcegraph self-hosted gives you the most control over deployment and security options.

  • Sourcegraph self-hosted instances do not send any customer code to other servers. Sourcegraph employees have no access to customer code.
  • Other than the email address of the initial installer (who we may contact regarding sales, product updates, security updates, and policy updates), self-hosted Sourcegraph instances do not send any personal data to other servers. Learn more in our pings documentation.
  • When self-hosting Sourcegraph, all application logs are stored locally and never shared with Sourcegraph (the company). Sourcegraph employees and contractors never have access to your Sourcegraph instance or its data unless explicitly shared for troubleshooting purposes.
  • Authentication via SAML, OAuth, HTTP Proxy auth, and OpenID Connect is configurable. Basic authentication is enabled by default.
  • Enterprise customers can configure Sourcegraph to enforce repository permissions from connected code hosts. Sourcegraph also exposes a GraphQL API to explicitly set repository permissions.
  • Encryption at-rest and in-transit are configurable and highly recommended.

Shared security model for Sourcegraph Cloud and Sourcegraph.com

  • For these products, Sourcegraph (the company) handles the security of the applications, the systems they run on, and the environments those systems are hosted within.
  • As a customer you are responsible for the proper management of information on your account, ensuring that access tokens are properly handled, and ensuring that code host connections and linked repositories are correctly configured. You control users, access to your data, and what extensions you install and trust. Finally, you are responsible for ensuring your company is meeting compliance requirements and have awareness of the impact the previous items can have on the confidentiality of your code.

General security practices

Development
  • Access to all internal systems is protected by multi-factor authentication. Access is restricted to those who require it to perform their job, and is regularly reviewed and revoked upon termination or when no longer needed.
  • Code reviews are mandatory for all code changes to our product. Security-sensitive changes are additionally reviewed by the security team before being released.
  • Furthermore, internally, we use our own product to provide critical context during code reviews (such as identifying dependencies of modified code).
  • End-to-end tests to validate authentication and other critical workflows (such as authorization and authentication).
  • We do not store sensitive keys and passwords in our code, instead relying on a secure secret vault.
  • Our software components are monitored for CVEs.
  • We publish signatures and Software Bill-of-Materials (SBOM) for our container images, allowing customers to verify the security of our products for themselves.
Code Security
  • We employ various tools and processes to ensure Sourcegraph’s code remains secure.
  • Containers are scanned for CVEs using GCP provider-specific tooling.
  • Code coverage tools are used to ensure unit test coverage.
  • 3rd party penetration tests are conducted annually.
  • Internal audits of our code and systems are run regularly.

Software Bill of Materials and OSS usage

Sourcegraph is an OSS product licensed under Apache 2.0. We also make great use of open source components and ship them as part of our application. Full lists of tools and licenses can be found here.