Security

Security is foundational to what we do. Here's how we protect your code and data.

Data in transit

All communication between CodeSheriff and your VCS provider is encrypted over TLS 1.3. Webhook payloads are verified via HMAC-SHA256 signatures.
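The verification step above, shown as an added example that is not CodeSheriff's own code: the receiver recomputes HMAC-SHA256 over the exact bytes of the request body with the shared webhook secret and compares it to the signature header in constant time. The `sha256=<hex>` header format, the secret and the payload are assumptions made for the example (the header layout follows the common `X-Hub-Signature-256` convention), not details taken from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// signPayload computes the hex-encoded HMAC-SHA256 of the raw request body
// under the shared webhook secret. This is what the sending side does; the
// receiver recomputes the same value and compares.
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifySignature checks a header of the assumed form "sha256=<hex>" against
// the raw body. Two properties matter: the MAC is computed over the exact
// bytes received (before any JSON parsing or re-serialisation), and the
// comparison uses hmac.Equal, which runs in constant time so the check does
// not leak how many leading bytes of a guessed signature were correct.
func verifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	want := mac.Sum(nil)
	return hmac.Equal(got, want)
}

func main() {
	// Constructed sample secret and payload for the demonstration.
	secret := []byte("constructed-webhook-secret")
	body := []byte(`{"action":"opened","pull_request":{"number":42}}`)
	header := "sha256=" + signPayload(secret, body)

	fmt.Println("valid signature accepted:", verifySignature(secret, body, header))
	// A body that differs by a single byte fails, as does a signature made
	// with a different secret or a header in the wrong format.
	fmt.Println("tampered body accepted:", verifySignature(secret, append(body, ' '), header))
	fmt.Println("wrong secret accepted:", verifySignature([]byte("other-secret"), body, header))
}
```

Reject the request before doing any work with the payload when verification fails, and compute the MAC over the raw body bytes rather than over a parsed and re-encoded object, since whitespace or key ordering changes would otherwise break valid signatures.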

Data at rest

VCS access tokens are encrypted in the application with AES-256-GCM before they are written to storage, so the database never holds a raw token.

Code access

CodeSheriff only reads files changed in a pull request or push. We never clone your entire repository. Code snippets stored in findings are limited to the relevant lines.

Authentication

User authentication is handled by Clerk. JWTs are verified server-side on every request. All resource access is scoped to your organization: every query is filtered by the organization ID taken from the verified session, so an object ID belonging to another organization cannot be retrieved (IDOR prevention at the database query level).

Found a vulnerability? Please report it responsibly to hello@thecodesheriff.com.