Security

Security is our major concern when it comes to your source code. At Depfu, we keep our infrastructure protected so that your most valuable asset stays safe from unauthorized access.

System Security

We use the following services to run Depfu:

  • Heroku (security policy) to run all of the components that form the Depfu service and to store data like dependency information, OAuth tokens and user data.

We store operational data, stripped of sensitive information, with the following services:

  • Papertrail to store logs from all components of Depfu so that we can investigate issues. The logs can include user and repository names, but they are scrubbed of any kind of sensitive information.
  • Sentry to collect exceptions so that we notice and fix bugs. The exception reports can include user and repository names, but they are scrubbed of any kind of sensitive information.
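
An illustration of the kind of scrubbing the two points above describe, added here as an example and not Depfu's own code: a filter that redacts tokens, credentials embedded in URLs and e-mail addresses from log lines and exception payloads while leaving user and repository names readable. The token formats, the key names treated as sensitive and the sample log lines are constructed for the example.

```python
import re

# Constructed patterns for secrets that commonly leak into logs and exception
# reports. This is an illustration of the practice, not Depfu's scrubber.
SECRET_PATTERNS = [
    # Authorization headers, whatever the token format.
    (re.compile(r"(?i)(authorization:\s*(?:bearer|token|basic)\s+)\S+"), r"\1[REDACTED]"),
    # Credentials in URL userinfo (https://user:secret@host/...).
    (re.compile(r"(https?://)[^/\s:@]+:[^/\s@]+@"), r"\1[REDACTED]@"),
    # Credentials passed as query parameters.
    (re.compile(r"(?i)([?&](?:private_token|access_token|token)=)[^&\s]+"), r"\1[REDACTED]"),
    # GitHub token formats: ghp_ (PAT), gho_ (OAuth), ghu_ (user-to-server),
    # ghs_ (installation), ghr_ (refresh).
    (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[GITHUB_TOKEN]"),
    # GitLab personal/project access tokens.
    (re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"), "[GITLAB_TOKEN]"),
    # E-mail addresses.
    (re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), "[EMAIL]"),
]

# Keys whose values are redacted wholesale in structured payloads (assumption).
SENSITIVE_KEYS = ("token", "secret", "password", "authorization", "cookie", "private_key")

# Constructed log lines; user and repository names are deliberately left intact.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:00Z web.1 GET /repos/acme/widgets user=alice@example.com status=200",
    "api.1 request headers: Authorization: token ghs_9xQ2v8Lk3Pz7RtUwYaBcDeFgHiJkLmNoPqRs",
    "worker.2 gitlab fetch https://gitlab.com/api/v4/projects/42/repository/files/Gemfile/raw?ref=main&private_token=glpat-AbCdEfGhIjKlMnOpQrSt",
    "worker.3 fetch https://oauth2:gho_1234567890abcdefghijABCDEFGHIJ@github.com/acme/widgets.git",
]


def scrub(text: str) -> str:
    """Redact secrets from one log line; names of users and repos stay readable."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def scrub_event(obj):
    """Recursively scrub an exception payload before it leaves the process.

    Values under sensitive keys are dropped entirely; every other string is
    passed through the same line scrubber.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if any(marker in str(key).lower() for marker in SENSITIVE_KEYS):
                out[key] = "[REDACTED]"
            else:
                out[key] = scrub_event(value)
        return out
    if isinstance(obj, (list, tuple)):
        return [scrub_event(v) for v in obj]
    if isinstance(obj, str):
        return scrub(obj)
    return obj


def scrub_sample_lines():
    return [scrub(line) for line in SAMPLE_LOG_LINES]


if __name__ == "__main__":
    for line in scrub_sample_lines():
        print(line)
```

Redacting by key name in `scrub_event` matters because structured exception context often carries a token under an obvious key without any recognisable prefix; the regex pass alone would miss it.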

All traffic to Depfu, and between its components, is encrypted with TLS.

Our use of the above services depends on their respective security precautions and their availability.

Credit Card Data

Depfu does not store or receive any kind of credit card data other than a reference token that allows us to create payments with our third-party payment provider Stripe.

How does Depfu access my GitHub account?

When you sign up for Depfu, we collect an OAuth token from GitHub for your user account. This token only lets us see which GitHub App installations you have already created for Depfu; it does not give us access to all your repos.

We then request an installation token for each of your installations. These tokens are scoped to one org and include only the repos you have selected; they are only valid for 5 minutes and allow us to use the GitHub API with the permissions the app has requested.

These OAuth tokens are stored encrypted in our database and are protected from unauthorized access.

We use these tokens only in the following situations:

  • To list the orgs and repositories you have access to. We use this information to show the enabled repositories on the Depfu dashboard.
  • To access the relevant package manager files (Gemfile, Gemfile.lock, package.json, yarn.lock, mix.exs, etc) from your GitHub repository. We read these files to get a list of all the dependencies you are using.
  • When an update for one of your dependencies is released, we create a branch and a pull request with the changes to the package manager files.
  • We create issues on your repo to communicate problems Depfu has with a specific repo.
  • We close pull requests and delete branches created by Depfu when a new update makes them obsolete.
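
The token flow in the paragraphs and list above, written out as an added Python example that is not Depfu's code: a small client that uses the user-to-server token for nothing but listing installations, mints a short-lived installation token per installation and re-mints it shortly before `expires_at`, and reads manifest files through the contents API rather than cloning. The HTTP layer is a constructed fake (`make_fake_transport`), the token strings, installation id and 60-second refresh margin are assumptions, and minting the App JWT is left out.

```python
import base64
from datetime import datetime, timedelta, timezone

GITHUB_API = "https://api.github.com"
REFRESH_MARGIN = timedelta(seconds=60)  # assumption: re-mint this long before expiry


class InstallationTokens:
    """Holds the user-to-server token and mints per-installation tokens on demand.

    `transport(method, url, headers) -> dict` stands in for an HTTP client so the
    example runs offline. `app_jwt` is the RS256 JWT a GitHub App signs with its
    private key; minting it is out of scope here.
    """

    def __init__(self, transport, user_token, app_jwt):
        self._transport = transport
        self._user_token = user_token
        self._app_jwt = app_jwt
        self._cache = {}  # installation id -> (token, expires_at)

    def list_installations(self):
        # The user token is used for exactly one call: listing the App
        # installations this user can see. It is never used to read repos.
        body = self._transport("GET", f"{GITHUB_API}/user/installations",
                               {"Authorization": f"token {self._user_token}"})
        return [(i["id"], i["account"]["login"]) for i in body["installations"]]

    def token_for(self, installation_id, now):
        # Reuse a cached installation token until it is about to expire, then
        # mint a fresh one with the App JWT. Only `expires_at` from the API
        # response decides when that happens.
        cached = self._cache.get(installation_id)
        if cached and cached[1] - now > REFRESH_MARGIN:
            return cached[0]
        body = self._transport(
            "POST", f"{GITHUB_API}/app/installations/{installation_id}/access_tokens",
            {"Authorization": f"Bearer {self._app_jwt}"})
        expires_at = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
        self._cache[installation_id] = (body["token"], expires_at)
        return body["token"]

    def read_file(self, installation_id, owner, repo, path, now):
        # Manifest files are fetched through the contents API with the
        # installation token; the repository is never cloned.
        body = self._transport(
            "GET", f"{GITHUB_API}/repos/{owner}/{repo}/contents/{path}",
            {"Authorization": f"token {self.token_for(installation_id, now)}"})
        return base64.b64decode(body["content"]).decode()


def make_fake_transport(clock):
    """Constructed stand-in for api.github.com; `clock["now"]` is its current time."""
    calls = []
    gemfile = "source 'https://rubygems.org'\ngem 'rails', '~> 7.1'\n"

    def transport(method, url, headers):
        calls.append((method, url, headers["Authorization"]))
        if url.endswith("/user/installations"):
            assert headers["Authorization"] == "token ghu_user_token_EXAMPLE"
            return {"installations": [{"id": 101, "account": {"login": "acme"}}]}
        if url.endswith("/access_tokens"):
            assert headers["Authorization"].startswith("Bearer ")
            mint = sum(1 for c in calls if c[0] == "POST")
            # Constructed 5-minute lifetime, matching the figure given above.
            expires = (clock["now"] + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ")
            return {"token": f"ghs_install_token_{mint}", "expires_at": expires}
        if "/contents/" in url:
            assert headers["Authorization"].startswith("token ghs_")
            return {"content": base64.b64encode(gemfile.encode()).decode()}  # same file for any path
        raise AssertionError(f"unexpected call {method} {url}")

    return transport, calls


def demo():
    """Run the flow against the fake and report what each token was used for."""
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    clock = {"now": t0}
    transport, calls = make_fake_transport(clock)
    tokens = InstallationTokens(transport, "ghu_user_token_EXAMPLE", "eyJhbGciOiJSUzI1NiJ9.example.appjwt")
    installations = tokens.list_installations()
    inst_id = installations[0][0]
    gemfile = tokens.read_file(inst_id, "acme", "widgets", "Gemfile", clock["now"])
    clock["now"] = t0 + timedelta(minutes=2)  # 3 min left: cached token is reused
    tokens.read_file(inst_id, "acme", "widgets", "Gemfile.lock", clock["now"])
    clock["now"] = t0 + timedelta(minutes=4, seconds=30)  # 30 s left: a new token is minted
    tokens.read_file(inst_id, "acme", "widgets", "package.json", clock["now"])
    return {
        "installations": installations,
        "gemfile": gemfile,
        "mints": sum(1 for c in calls if c[0] == "POST"),
        "user_token_calls": [c[1] for c in calls if c[2] == "token ghu_user_token_EXAMPLE"],
        "contents_auth": [c[2] for c in calls if "/contents/" in c[1]],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in the recorded calls: the long-lived user token touches only `/user/installations`, every repository read carries a `ghs_` installation token, and a token is re-minted before it can expire mid-request.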

How does Depfu access my GitLab account?

Unfortunately, GitLab's API permissions and scopes are very broad and allow us a lot of access that we don't really need. We and many others have provided GitLab with feedback about this and hope they come up with a better solution soon.

When you sign up for Depfu, we collect an OAuth token from GitLab for your user account. This token grants us full API access to your repos and groups, which is far more than we need.

Instead of using your token to create branches and merge requests (they would show up as coming from your user account, not Depfu), we use the concept of a bot-user:

  • We use your credentials to add the Depfu bot-user to every repo you enable in the Depfu UI. The bot-user gets added with the 'Developer' permission level.
  • We also use your credentials to install a webhook on the repo that informs us about changes to your package manager files and allows us to interact with the merge requests we create.

These OAuth tokens are stored encrypted in our database and are protected from unauthorized access.

We use your token only in the following situations:

  • To list the projects and groups you have access to. We use this information to show the enabled repositories on the Depfu dashboard.
  • To access the relevant package manager files (Gemfile, Gemfile.lock, package.json, yarn.lock, mix.exs, etc) from your GitLab repository. We read these files to get a list of all the dependencies you are using.
  • When an update for one of your dependencies is released, we create a branch and a merge request with the changes to the package manager files.
  • We create issues on your repo to communicate problems Depfu has with a specific repo.
  • We close merge requests and delete branches created by Depfu when a new update makes them obsolete.

We never clone your repo

Under no circumstances does Depfu clone your repo, not even temporarily; we only access it through the GitHub/GitLab API. Depfu also never changes your main branch: we create branches and pull or merge requests, and you stay in control of if and when to merge them.

We only access your code manually when you explicitly request it and give your explicit consent, and only to debug and help solve issues.

I have more questions about security and Depfu

Send us an email, and we'll get back to you right away!