User Data Flow

This document outlines the data flow processes for user authentication, code retrieval, data collection and how Reshift secures these processes.

Reshift is designed to help software development teams secure their custom code earlier in the software development lifecycle. The Reshift philosophy is to help development teams shift security left (earlier) within the software development pipeline. Reshift integrates into the developer’s workflow of writing code, performing code review, fixing bugs and deploying, all without burdening the developer with false positives or slowing the software development process down. Reshift achieves that by offering the following:

1- Reshift IDE Plugins: to help the developer quickly scan and fix issues early on. The Reshift IDE plugin runs either on demand or automatically every time there is a build detected through the IDE plugin interface.

2- Reshift CI integrations: the CI integrations are implemented using language specific build plugins (Maven, Gradle, etc). The plugin integrates code analysis into a project’s build cycle. Every time a software project builds, the Reshift plugin will analyze and upload reports to the Reshift servers for processing, informing software development teams of security bugs introduced on a continuous basis.

1. IDE Workflow

User Authentication

The IDE plugin works in an offline mode. No authentication is necessary to use the plugin.

Source Code Access

Reshift Intellij IDE plugin does not send any source code or any project source control information to the Reshift servers. No vulnerability info is uploaded, the plugin operates offline and all data is local to the users’ machine.

User data summary

Persisted (local machine)

· Number of security issues found

· Click data (button panel for scanning and help panel)

2. CI Workflow

User Authentication

The user's agent authentication within Reshift follows the classic OAuth2 grant-flow with the 3 supported source code repository providers: GitHub, GitLab, and BitBucket.

Note: Reshift does not store any user credentials in the database.

The code is scanned locally on the build machine, wherever the Maven or Gradle plugin is integrated. Reshift uploads the reports using the public plugin, hosted on Maven Central, to generate and upload metadata. For a more thorough breakdown of what we upload, refer to this diagram:

Source Code Access

The source code view within Reshift uses the OAuth2 access token to fetch the source code from the service provider on behalf of the authenticated user agent. The user refers to the source code view to look at the source code of a particular vulnerability, usually a few. If the user needs a more extensive view of the source code, they are redirected to the Git Repository to view more source code.

Note: Reshift does not store or cache source code and will only fetch the source code based upon the authenticated user agent’s requests.

User data summary

Persisted

Transient

· OAuth tokens from the git provider

· Git project information

· Branch name and commit hash for scanned versions of the code

· Security bug details

· Source file locations

· Source code path (file path and line number)

· Project dependencies, repo name, and URL

· Git provider username, email, URL

· Git provider Organization name and URL

· An assumption on security bugs that have been fixed

· Intercom support conversations

· Autofix – code is downloaded and deleted