Codemagic CI/CD and security

Last updated on: 03.04.2024

Reviewed by: Martin Jeret, CEO

Security is one of the top priorities for almost all organizations. Any security breach can cause huge damage to the business, including loss of trust, reputation, or in the worst case, loss of the entire business. In this post, we will describe some of the security features of Codemagic CI/CD to give you a better understanding of how we ensure the security of your source code and sensitive information.

  1. CODEMAGIC CI/CD SECURITY MEASURES

    At Codemagic, we take security very seriously and handle all customer data with utmost care. Our infrastructure and software architecture have multiple layers of security mechanisms in place to ensure the security and integrity of your data.

  2. SECURE INFRASTRUCTURE

    The underlying infrastructure for Codemagic builds is secured with SSH, TLSv1.2 or HTTPS protocols for all the networking. It means that all the data you send to Codemagic or receive from Codemagic is fully encrypted. Your builds are run on virtual machines in a private network. Our Mac infrastructure is also physically secured in data centers and the vendors are ISO27001 certified.

    Each build runs in a separate environment where it boots a new virtual image. The build agents are not visible to public network due to firewalls. Only our internal virtual private network can be used to make connections from backend services to the build machines.

  3. SECURITY OF SOURCE CODE

    Codemagic uses your source control system, such as GitHub, Bitbucket or Gitlab, to get access to the CI/CD features. Once you grant access to your source code management tool, we will keep the tokens encrypted in our database. These tokens can only be used to check out the source code on virtual machines.

    When your app is hosted on GitHub, Bitbucket or GitLab, we use OAuth tokens or GitHub app token to perform various other tasks too: list branches, set webhooks, get latest commit information, update commit/PR statuses, etc. The source code checked out during the build is deleted from the virtual machine after the build and never stored on Codemagic. If you ask for our assistance with investigating a possible issue with your build, we can take a look at the build logs which are retained after the build, but only if you share your build link with us.

    Codemagic protects the integrity of your source code and doesn’t alter the code unless you have explicitly specified so in the build scripts. The only exceptions here are some platform-specific files that would have to be modified for successful building. For example, Codemagic modifies the project files for iOS to specify code signing settings during the build and injects a Gradle plugin to the Android component to gather build information and information about the artifacts to be generated.

  4. ENCRYPTION OF SENSITIVE DATA

    You can have Codemagic automatically deploy iOS and Android apps to App Store Connect and Google Play Store. However, in order to deploy apps, we need your login credentials, certificates with private keys, provisioning profiles, keystore file. This information is extremely sensitive and we understand the importance of keeping this data safe.

    Sensitive data is kept securely in an access-limited Google Cloud bucket in AES-256 encrypted form at rest with no backtrace to the original owner on the bucket. Our backend has no read access to the data.

    Encryption keys are secured and managed by Google Cloud Platform. Codemagic uses the default encryption feature documented here: https://cloud.google.com/docs/security/encryption/default-encryption.

    During read and write operations the data travels via TLSv1.2 and HTTPS protocols. Additionally, the data is transmitted in encrypted form and decrypted during build time in the virtual machine that the build is running. Once the job is finished the virtual machine is destroyed.

    Codemagic also enables users to encrypt sensitive information in order to use them in configuration files or during build scripts as environment variables which, will also be masked in build logs unless you excplicitly expose them.

  5. HOW WE STORE DATA

    Your app’s builds take place in virtualized environments. At the end of each build, the virtual environment is destroyed and rebuilt when a new build is initiated using a snapshot that has no knowledge of your app’s source code. All the build data, including your source code, sensitive information, build artifacts and test reports, are cleaned once the build finishes. The only build artifacts that are kept are the ones that are shown in build logs and are available for download.

    We use cookies on our website and that data is shared with third parties. We have 3 main cookie categories: functional, advertisement and performance/analytics. See our privacy policy.

    During active use of Codemagic, your data will be retained. Once an account is deleted all data about the customer is deleted. Build history is kept up to 6 months, anonymous usage information is kept until it is deleted by the customer. For information about cookies and their retention see our privacy policy.

    Customer can delete their account in which case all data about the customer will be removed from our database in 14 days. You can also delete workflows, applications that you have connected and other information that you have shared and these take effect immediately. See our documentation.

    For the purposes of security, our data is segmented into 2 groups - sensitive information and not sensitive information. Sensitive information is kept separate from non-sensitive data and it is encrypted.

  6. COMPLIANCE

    SOC 2 type 2 audit shall be available by end of Q2 2024 and annually thereafter. We have not gone through ISO 27001 audit. To request SOC 2 type 2 report please contact Sales.

  7. ACCESS CONTROL AND AUTHENTICATION FOR USERS

    We support account creation via email login that uses one time passwords (active for 10 minutes), OAuth via GitHub, BitBucket, GitLab and also GitHub app.

    All authentication systems are protected by multi-factor authentication or similar level of protection.

    Authentication with third party applications (GitHub, BitBucket, GitLab) is done via respective provider integration and requires you to authenticate with that provider in order to access to Codemagic services.

    Codemagic also supports single sign-on (SSO), which relies on customer identity provider.

    Codemagic also supports e-mail authentication, which uses one-time passwords that are short-lived (10 minutes) and requires you to authenticate with your email provider in order to obtain the one time password.

    To add repositories customers can use SSH keys or basic authentication via HTTPS protocol.

  8. CHANGE MANAGEMENT AFFECTING END USERS

    We keep the software versions up to date on our machines and share it via release notes. When there is a new Xcode version we will update our machines and point the latest stable version to the one Apple has announced for example.

    We may update our IP address in which case we notify the customers ahead of time.

    We use industry standard practices to test and deploy our code.

    We keep database backups and continuously monitor our service.

  9. VENDOR MANAGEMENT

    Vendor management policy is maintained and reviewed by management once a year as part of Codemagic risk management policy.

  10. BUSINESS CONTINUITY

    Business continuity plan and Disaster recovery plan is tested and reviewed by management once year.

  11. DATA BACKUPS

    We create incremental database backups every 8 hours and full backups every week. Backups are retained up to 14 days.

    Data is stored in Google Cloud Bucket, but backups are stored in AWS S3.

  12. MONITORING AND INCIDENT MANAGEMENT

    Incident management policy is maintained and reviewed once a year by management.

    Our CTO is in charge of incident management and we provide the following service level objectives in our service level agreement for enterprise customers:

    1. response to an incident query - 6 hours;
    2. problem classification (non-critical problem, user error, service error, third-party dependency related issue) - 8 hours;
    3. provision of an interim solution - 3 days;
    4. provision of a fix to a problem related to Codemagic internal service errors. A fix can only be provided for internal service errors - 7 days.

    After we identify an incident we will notify our customers via in-app message, twitter, public announcement and possibly email depending on the severity of the incident.

  13. VULNERABILITY MANAGEMENT

    Penetration test is available on request. Penetration tests are performed once a year by Netsparker certified penetration test partner. Penetration testing is done following these guidelines: https://support.google.com/corporate-suppliers/answer/14435909?hl=en&ref_topic=14294369

  14. LOG MANAGEMENT
    1. We have build logs available for customers in Codemagic web app.
    2. Product usage is tracked anonymously for analytics.
    3. System logs are used internally, which have information about internal services without user data.

    We have an audit in case user requests to remove data. We do not review it regularly build logs are retained along with build history and are available 6 months by default.

  15. INFORMATION SECURITY RESOURCES

    Our CTO manages information security and we have a dedicated data protection officer.

    We do regular risk assessments and use reasonable measures appropriate by law when hiring and train our staff on security and handling confidential information if their role requires it.

    Our Vendors are subject to vendor review and we make all efforts to ensure that sensitive information is secure and access to it is limited and there is appropriate control.

  16. SAFE PAYMENTS

    Codemagic doesn’t process, collect or store any data related to payments. We have no knowledge of your credit card information and are not directly involved in making the transactions. Instead, we use the Stripe payments platform for all payment actions which is integrated into Codemagic by use of designable iframes. Stripe is used and trusted by numerous companies all around the world, including Amazon, Google and Microsoft.

  17. In compliance with EU’s General Data Protection Regulation, we are committed to keeping your sensitive data and private information safe. We protect your personal information and private data by encrypting all the network traffic between you and our servers and storing your data in an encrypted format, as also stated in our privacy policy.

  18. REPORTING SECURITY INCIDENTS

    To report any security incidents please email: info@codemagic.io.

  19. CONCLUSION

    As a CI/CD service provider to both individuals and businesses, we consider security one of our key concerns. Now that you know more about the security measures we have in place, we hope you can rest assured that your sensitive data, intellectual property and source code are safe with us. If you have additional questions about security on Codemagic, do not hesitate to reach out to us at info@codemagic.io.