Security

Any significant updates to this document will be communicated via email.

Reporting security issues

If you discover a security issue in Deliverybot, please report it by sending an email to [email protected].

This will allow us to assess the risk, and make a fix available before we add a public bug report or CVE. We will notify users via email of any critical security vulnerabilities that may affect them.

Patch management

Deliverybot runs on higher-level Google Cloud infrastructure. As such, we do not patch server-level constraints. Security issues in dependencies will be patched as soon as is reasonably possible. For critical issues we will issue a patch within 24 hours.

Access management

Deliverybot operates under the principle of least privilege and aims to read as little from your GitHub repository as possible. Deliverybot is focused primarily on triggering GitHub events and therefore does not require code access to your repository (except for .github/* files).

There are two access modes to Deliverybot:

  • Web access (using OAuth).
  • Server access (using GitHub App JWT).

OAuth access handles any page that you access in your browser at app.pipelinebot.com. Any API calls to GitHub are made using the current user's access token, so in this case we simply delegate to GitHub's access policies for controlling deployment access and other features.

Slack also uses the web access method. We simply associate a Slack user with a GitHub user and store the access token connecting those accounts. We do not use this access token offline.

Server access is for handling automatic deployments and other features where Deliverybot needs to process events from your repository and respond with a message to GitHub. This is handled using the GitHub App JSON Web Token.

Account information

Account information is processed in adherence to our privacy policy. We always aim to store the minimum amount of information required to process deployments across your repositories.

Sessions

Sessions are managed at app.pipelinebot.com using an encrypted cookie associated with the user's OAuth token, which expires within 24 hours.

Access control

As mentioned, all access to deployments and other features is governed by a user's permissions on GitHub. A read-only user on a repository will not have the ability to deploy code using the web interface.

Scopes

The following are the current permissions and events required, each with a short description of why. You can confirm this by viewing the permissions requested when you install Deliverybot:

Checks read

https://developer.github.com/v3/apps/permissions/#permission-on-checks

Deliverybot must know when checks have changed state to trigger different automatic deployment workflows.

Contents read

https://developer.github.com/v3/apps/permissions/#permission-on-contents

Deliverybot must know when push events and release events occur to trigger automatic deployments.

Note: We do not store your code. Unfortunately this is the only way we can get access to push, commit and release events.

Deployments write

https://developer.github.com/v3/apps/permissions/#permission-on-deployments

Deliverybot triggers deployments :)

Issues write

https://developer.github.com/v3/apps/permissions/#permission-on-issues

Deliverybot writes deployment failures on a pull request to the comments.

Metadata read

https://developer.github.com/v3/apps/permissions/#metadata-permissions

Pull requests read

https://developer.github.com/v3/apps/permissions/#permission-on-pull-requests

Deliverybot reads pull request comments for /deploy * commands.

Commit statuses write

https://developer.github.com/v3/apps/permissions/#permission-on-statuses

Deliverybot will write status checks for promoted builds or other step changes.
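
The scope list above can be checked against what an installation has actually been granted. The following is an added example, not Deliverybot's own code: it assumes the permissions are available as the `permissions` map of a GitHub App installation object, and the sample installation is constructed.

```python
import json

# Permissions documented in the Scopes list on this page, written with the
# key names GitHub uses in an installation's "permissions" object.
DOCUMENTED = {
    "checks": "read",
    "contents": "read",
    "deployments": "write",
    "issues": "write",
    "metadata": "read",
    "pull_requests": "read",
    "statuses": "write",
}
LEVELS = {"read": 1, "write": 2, "admin": 3}


def audit_permissions(installation, documented=DOCUMENTED):
    """Return (finding, permission, level) tuples for every deviation."""
    granted = installation.get("permissions", {})
    findings = []
    for name, level in sorted(granted.items()):
        expected = documented.get(name)
        if expected is None:
            findings.append(("undocumented", name, level))
        # Unknown level strings rank highest so they are never silently accepted.
        elif LEVELS.get(level, 99) > LEVELS[expected]:
            findings.append(("elevated", name, level))
    for name in sorted(set(documented) - set(granted)):
        findings.append(("not_granted", name, documented[name]))
    return findings


# Constructed sample (not real data): contents raised to write, an extra
# administration permission, and checks missing.
SAMPLE_INSTALLATION = json.loads("""
{"app_slug": "example-app",
 "permissions": {"contents": "write", "deployments": "write",
                 "issues": "write", "metadata": "read",
                 "pull_requests": "read", "statuses": "write",
                 "administration": "read"}}
""")

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_INSTALLATION):
        print(*finding)
```

An empty result means the granted permissions match the documented list exactly; any `undocumented` or `elevated` finding is worth reviewing before approving the installation.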