Source Code Security in Reshift
A detailed overview on source code security in reshift, how it works and the security controls in place
Source code is not stored on Reshift servers; however, file names, git blame and git version information is stored for lines affected by a particular security issue. When an issue is viewed in triage, the source code is queried from the repository provider for each request. Reshift does not access the source code in any background processing.
Permissions in Reshift are provided by the underlying repository provider (GitHub, Bitbucket). If a user has read access to a particular repository on Github, then they can also see the project on Reshift. A project may be missing from the list of accessible projects if the required OAuth scope has not yet been granted. For example, a user may not see their organization projects if the organization has not granted permissions on GitHub.
When a project is added to Reshift, any user that has read access to that project will see it in their list. The project does not need to be added for each user; in Reshift a project can only be added once, and applies globally.
Permissions are cached for performance reasons, but are refreshed every 10 minutes, and before a project is added.
Access to the project security reports follows the same permission model as the project. Reporter tokens are used to grant upload access, but do not affect which users can view the submitted reports.
In order to upload a security report to a Reshift server, a report provider token must be supplied. This controls who may upload to the server, and provides a means of grouping similar reports together. As an example, a build server might upload using the “Daily Build” reporter token, while another build might be configured for a “Production Release” reporter token. These reports will be aggregated under the project in the scans view, but can also be viewed as individual streams of reports. If a token has been compromised, or simply isn’t needed anymore, the report provider token can be revoked, ensuring that no reports using that token will be accepted.