Product Documentation
Product Documentation
Welcome To Reshift
Getting Started
Scan Your First Project
Signing Up Using GitHub
Signing Up Using Bitbucket
Signing Up Using GitLab
Scanning Maven Projects
Scanning Gradle Projects
Granting Reshift GitHub Organization Access After Signing up
Setting Projects Up Using NPM
Integrations
GitHub Actions [JavaScript]
GitHub Actions [Java]
Circle CI
Jenkins
GitLab
Analysis Engine
Java Security Rules
JavaScript Security Rules
Product Features
Code Review Workflow
Autofix
IDE plugins
IntelliJ IDE
Visual Studio Code
Reshift Security Model
Source Code Security in Reshift
User Authentication Mode in Reshift
Report Bundles and Call Graphs
User Data Flow
Common Questions and Answers
How do you ensure Reshift's own security?
How do I know my code is secure?
Why do you need access to my source code?
What permissions does reshift gain access to?
Can I try reshift without giving access to my source code?
Why do I need to sign up with GitHub, Bitbucket, or Gitlab?
Why might my scan be failing?
Can’t load code snippets?
Clean security report?
Account Settings
Permissions
Project Settings
Project Tokens
Security Gates
Reporting
Powered by GitBook

Source Code Security in Reshift

A detailed overview on source code security in reshift, how it works and the security controls in place

Source Code Access

Source code is not stored on Reshift servers; however, file names, git blame and git version information is stored for lines affected by a particular security issue. When an issue is viewed in triage, the source code is queried from the repository provider for each request. Reshift does not access the source code in any background processing.

Project Permissions Model and Visibility

Permissions in Reshift are provided by the underlying repository provider (GitHub, Bitbucket). If a user has read access to a particular repository on Github, then they can also see the project on Reshift. A project may be missing from the list of accessible projects if the required OAuth scope has not yet been granted. For example, a user may not see their organization projects if the organization has not granted permissions on GitHub.

When a project is added to Reshift, any user that has read access to that project will see it in their list. The project does not need to be added for each user; in Reshift a project can only be added once, and applies globally.

Permissions are cached for performance reasons, but are refreshed every 10 minutes, and before a project is added.

Project Security Report Access

Access to the project security reports follows the same permission model as the project. Reporter tokens are used to grant upload access, but do not affect which users can view the submitted reports.

Project Report Upload Capabilities

In order to upload a security report to a Reshift server, a report provider token must be supplied. This controls who may upload to the server, and provides a means of grouping similar reports together. As an example, a build server might upload using the “Daily Build” reporter token, while another build might be configured for a “Production Release” reporter token. These reports will be aggregated under the project in the scans view, but can also be viewed as individual streams of reports. If a token has been compromised, or simply isn’t needed anymore, the report provider token can be revoked, ensuring that no reports using that token will be accepted.

If you have any more questions, please email us at [email protected]!

IDE plugins - Previous
Visual Studio Code
Next - Reshift Security Model
User Authentication Mode in Reshift
Last updated 9 months ago
Contents
Source Code Access
Project Permissions Model and Visibility
Project Security Report Access
Project Report Upload Capabilities