Security Policy

Last Update: Jul 30, 2020

This document is intended to help our customers' security, risk, compliance, or developer teams evaluate what we do with our customers' code and data.

In this document we refer to portions of the application code and its dependent libraries, frameworks, and programming languages.

Reporting

For security inquiries, please email support@stickler-ci.com.

What happens when you authenticate your GitHub account

Stickler CI uses the github3.py library to obtain access to your GitHub account using GitHub’s OAuth2 features. This provides Stickler CI with a GitHub access token for your account.

Using OAuth2 means we do not have access to your GitHub password and that you can revoke our access at any time.

Your GitHub token is needed to fetch the organization and repository metadata used to render the Stickler UI. This token is encrypted and stored in our MySQL database on DigitalOcean.

What happens when Stickler CI refreshes your GitHub repositories

Our frontend application uses your GitHub token and synchronously fetches all your repositories, syncing only repository metadata to our MySQL database. Refreshing your GitHub repos allows you to later enable Stickler CI on those repos.

What happens when you enable Stickler CI on your GitHub repository

When you click the "Enable" button in the Stickler CI web interface, we update the repository metadata in our database. No modifications are made in GitHub, as all repository access and webhooks are defined in the GitHub App configuration.

What happens when you pay for Stickler CI

When you enable a private GitHub repository with Stickler CI, we use Stripe Checkout to collect and send your credit card information to Stripe, a payment processor.

Your credit card data is sent directly from your web browser to Stripe over a TLS connection. It is never sent through Stickler CI's servers and we never store your credit card information.

We receive a token from Stripe that represents a unique reference to your credit card within the context of Stickler CI’s application. We store that token in our database.

Read Stripe’s security policy for information about PCI compliance, TLS, encryption, and more.

What happens when we receive a pull request notification

When you open a pull request on your GitHub repo, or push a new commit to the branch for that pull request, Stickler CI receives the webhook payload and enqueues a job in RabbitMQ containing a subset of that payload. This subset doesn't contain any code. It contains metadata about the pull request such as repository, user, and commit.

A review consumer gets the message from RabbitMQ. Using the information from the payload, we generate an access token for your installation of our GitHub App. Then, your repository is cloned so that we can read your code and configuration files. Your code is mounted into Docker containers where the linting tools are run.

Once the review is complete, comments are collected and submitted to GitHub through the Checks API. Afterwards, all container filesystems and your code are removed from our servers.

Employee access

All Stickler CI employees have access to change Stickler’s source code and to push it to GitHub.

All Stickler CI employees have access to Stickler’s staging and production applications and databases. They can deploy new code, or read and write to the databases.