Security Policy

Last Update: Mar 23, 2018

This document is intended to help our customers' security, risk, compliance, or developer teams evaluate what we do with our customers' code and data.

In this document we refer to portions of the application code and its dependent libraries, frameworks, and programming languages.

Reporting

For security inquiries, please email support@stickler-ci.com.

What happens when you authenticate your GitHub account

Stickler CI uses the github3.py library to obtain access to your GitHub account using GitHub's OAuth2 features. This provides Stickler CI with a GitHub access token for your account.

Using OAuth2 means we do not have access to your GitHub password and that you can revoke our access at any time.

Your GitHub token is needed to fetch file content, comments, repository information and update Pull Request statuses. This token is encrypted and stored in our MySQL database on DigitalOcean.

What happens when Stickler CI refreshes your GitHub repositories

Our frontend application uses your GitHub token and synchronously fetches all your repositories, syncing only repository metadata to our MySQL database. Refreshing your GitHub repos allows you to later enable Stickler CI on those repos.

What happens when you enable Stickler CI on your GitHub repository

When you click the "Enable" button in the Stickler CI web interface for one of your private GitHub repositories, we use your GitHub token to add the @sticklerci GitHub user to your repository via the GitHub collaborator API. This is necessary for @sticklerci to see pull requests, make comments, and update pull request statuses.

We also create a webhook on your repository via the GitHub webhook API. This allows us to receive pull request notifications, and start reviews.

What happens when you pay for Stickler CI

When you enable a private GitHub repository with Stickler CI, we use Stripe Checkout to collect and send your credit card information to Stripe, a payment processor.

Your credit card data is sent directly from your web browser to Stripe over a TLS connection. It is never sent through Stickler CI's servers and we never store your credit card information.

We receive a token from Stripe that represents a unique reference to your credit card within the context of Stickler CI’s application. We store that token in our database.

Read Stripe’s security policy for information about PCI compliance, TLS, encryption, and more.

What happens when we receive a pull request notification

When you open a pull request on your GitHub repo, or push a new commit to the branch for that pull request, Stickler CI receives the webhook payload and enqueues a job in RabbitMQ containing a subset of that payload. This subset doesn't contain any code. It contains metadata about the pull request such as the repository, user, and commit.

A review consumer gets the message from RabbitMQ. Using the information from the payload, your repository is cloned so that we can access your code and configuration files. Linting tools are run in separate Docker containers with only your code mounted into them.

Once the review is complete, comments are collected and submitted to GitHub through the commenting API. Afterwards, all container filesystems and your code are removed from our servers.
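The following is an added example illustrating the pipeline described in this section; it is not Stickler CI's code. It takes a constructed GitHub `pull_request` webhook payload, reduces it to the metadata-only job that would be enqueued (repository, pull request number, commit and user, nothing from the PR body or diff), and builds the container command that mounts only the checked-out code. The webhook signature check, the `--network none` flag, and the read-only mount are hardening choices assumed here; the page does not state whether Stickler CI does them.

```python
"""Added example: metadata-only review job from a GitHub pull_request webhook,
plus a linter container invocation that exposes only the cloned code.
Not Stickler CI's implementation; all names here are assumptions."""
import hashlib
import hmac

# Constructed sample payload: a trimmed GitHub pull_request event.
# Note it carries fields (body, diff_url) that must NOT reach the queue.
SAMPLE_PAYLOAD = {
    "action": "synchronize",
    "number": 42,
    "pull_request": {
        "head": {"sha": "0123456789abcdef0123456789abcdef01234567", "ref": "feature/lint"},
        "base": {"ref": "master"},
        "user": {"login": "octocat"},
        "body": "Fixes the thing.\n```diff\n- a\n+ b\n```",
        "diff_url": "https://github.com/example/repo/pull/42.diff",
    },
    "repository": {"full_name": "example/repo", "private": True},
    "sender": {"login": "octocat"},
}

# Events that should start a review; everything else (closed, labeled, ...) is ignored.
ALLOWED_ACTIONS = {"opened", "synchronize", "reopened"}

# Payload fields that would carry code or diff content into the job.
FORBIDDEN_KEYS = {"body", "diff_url", "patch", "files"}


def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce a GitHub-style X-Hub-Signature-256 header value (assumed secret)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time check of the webhook HMAC before anything is enqueued."""
    return hmac.compare_digest(sign_payload(secret, body), header)


def to_review_job(payload: dict):
    """Return the metadata subset to enqueue, or None if the event is ignored."""
    if payload.get("action") not in ALLOWED_ACTIONS:
        return None
    pr = payload["pull_request"]
    job = {
        "repository": payload["repository"]["full_name"],
        "number": payload["number"],
        "head_sha": pr["head"]["sha"],
        "head_ref": pr["head"]["ref"],
        "base_ref": pr["base"]["ref"],
        "user": pr["user"]["login"],
    }
    # Defensive assertion: the job must never carry PR body or diff content.
    assert job_is_metadata_only(job)
    return job


def job_is_metadata_only(job: dict) -> bool:
    """True when none of the code-carrying fields leaked into the job."""
    return not (set(job) & FORBIDDEN_KEYS)


def linter_command(workdir: str, image: str, tool_args: list) -> list:
    """docker run argv: only the clone is mounted (read-only), no network.
    --network none and :ro are assumed hardening, not stated on the page."""
    return [
        "docker", "run", "--rm",
        "--network", "none",
        "-v", f"{workdir}:/code:ro",
        "-w", "/code",
        image, *tool_args,
    ]


if __name__ == "__main__":
    job = to_review_job(SAMPLE_PAYLOAD)
    print(job)
    print(" ".join(linter_command("/tmp/clone-42", "example/flake8:latest", ["flake8", "."])))
```

The job dict is what a consumer would use to clone the repository at `head_sha`; the consumer never needs the PR body or diff, so those fields are dropped at the edge and checked for again before enqueueing.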

Employee access

All Stickler CI employees have access to change Stickler’s source code and to push it to GitHub.

All Stickler CI employees have access to Stickler’s staging and production applications and databases. They can deploy new code, or read and write to the databases.