Security Statement of Flowbyte - Florian Munz und Jan Krutisch GbR (Flowbyte) regarding the software Depfu:
Security is our major concern when it comes to your source code. At Depfu, we make sure our infrastructure is protected and secure so that your most valuable asset is safe and protected from unauthorized access.
We use the following services to run Depfu:
- Heroku (security policy) to run all of the components that form the Depfu service and to store data like dependency information, OAuth tokens and user data.
We store data related to Depfu, in anonymized form, with the following services:
- Papertrail to store logs from all the components of Depfu so that we can investigate issues. The logs can include names of users and repositories used, but they're scrubbed of any kind of sensitive information.
- Rollbar to collect exceptions that allow us to notice and fix bugs. The exceptions can include names of users and repositories used, but they're scrubbed of any kind of sensitive information.
- Google Analytics to track visits to our website.
All traffic to and inside of Depfu is secured and encrypted with SSL/TLS.
We reserve the right to change the services used to run Depfu at any time.
Our use of the above services is bound to their respective security precautions and their availability.
Credit Card Data
Depfu does not store or receive any kind of credit card data other than a reference token that allows us to create payments with our 3rd party payments provider.
How does Depfu access my GitHub account?
When you sign up for Depfu, we collect an OAuth token from GitHub, which allows us to request data from the GitHub API on your behalf. This OAuth token is stored securely in our database and is protected from unauthorized access.
The token is bound to permissions set on GitHub, so please make sure you've read their documentation on access control and API access permissions.
We use this token in these situations, and under no other circumstances than described below:
- To synchronize the repositories you have access to. We use this information to show you the available repositories on your profile page so you can enable or disable updating dependencies for them on Depfu.
- To configure web hooks on a repository you enable on Depfu.
- To access the Gemfile, Gemfile.lock and .gemspec file from your GitHub repository. We initially read the files to get a list of all the dependencies you are using.
- Once an update for one of your dependencies comes in, we create a branch and a pull request that includes changes to the Gemfile, Gemfile.lock and/or .gemspec.
- We create issues on your repo to communicate problems Depfu has with a specific repo.
- We delete branches and pull requests that were created by Depfu in case a new update makes them obsolete.
Under no circumstances does Depfu clone your repo, not even temporarily. We only use the GitHub API to access it. Depfu also never makes any changes to your master branch: we create branches and pull requests, and you stay in control of if and when to merge them.
We only manually access your code when you explicitly request it and give your explicit consent, and only to debug and help solve issues.
I have more questions about security and Depfu
Send us an email, and we'll get back to you right away!