Security is our top priority as we aim to provide confidence and stability for our customers and the wider community.
If you have found a vulnerability in Sail CI, please contact our security team by email at firstname.lastname@example.org.
Upon discovering a vulnerability, we ask that you respect the wider community and do not act on private user data. We would also ask that you work with us to resolve the issue before disclosing it to the broader community. Upon resolution, we always share our learnings.
Here are some topics on which we would love to hear any concerns:
We appreciate that one of the most sensitive parts of CI is the storage of environment variables. Every repository created with Sail CI gets its own KMS cryptographic key, which encrypts that repository's environment variables. Keys can then be rotated or revoked in an instant, per repository, in the unfortunate event that security is compromised. Environment variables are decrypted only as and when they are needed.
We also ensure that when forked repositories and pull requests build with Sail CI, we disable the mounting of environment variables and do not allow any custom environment variables to be mounted. Third parties are therefore unable to print out and steal environment variables from a build.
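The model described above, written as an added example (not Sail CI's own code): a constructed in-memory stand-in for a per-repository KMS with rotate and revoke, just-in-time decryption of stored variables, and a build-time gate that mounts nothing for forked or pull-request builds. The `RepoKMS`, `store_env` and `env_for_build` names and the HMAC-SHA256 keystream are assumptions made so the flow runs offline; a real deployment would call a managed KMS with an authenticated cipher.

```python
import hmac, hashlib, secrets

class RepoKMS:
    """Constructed stand-in for a managed KMS: one key per repository."""
    def __init__(self):
        self.keys = {}          # repo -> 32-byte key; absent once revoked

    def create_key(self, repo):
        self.keys[repo] = secrets.token_bytes(32)

    def revoke(self, repo):
        self.keys.pop(repo, None)   # every ciphertext for this repo is now unreadable

    def _keystream(self, repo, nonce, n):
        # HMAC-SHA256 counter-mode keystream (assumed stand-in for AES-GCM in a real KMS).
        key = self.keys[repo]
        out = b""
        for i in range((n + 31) // 32):
            out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def encrypt(self, repo, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ks = self._keystream(repo, nonce, len(plaintext))
        return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, repo, blob: bytes) -> bytes:
        if repo not in self.keys:
            raise PermissionError(f"key for {repo} revoked or missing")
        nonce, ct = blob[:16], blob[16:]
        ks = self._keystream(repo, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))

    def rotate(self, repo, store):
        # Re-wrap this repository's stored variables under a fresh key.
        plain = {k: self.decrypt(repo, v) for k, v in store.get(repo, {}).items()}
        self.keys[repo] = secrets.token_bytes(32)
        store[repo] = {k: self.encrypt(repo, v) for k, v in plain.items()}

def store_env(kms, store, repo, name, value):
    # Variables are stored only in encrypted form, under the repository's own key.
    store.setdefault(repo, {})[name] = kms.encrypt(repo, value.encode())

def env_for_build(kms, store, repo, is_fork, is_pull_request, custom_env=None):
    """Decrypt variables just-in-time; forks and pull requests get nothing mounted."""
    if is_fork or is_pull_request:
        return {}     # neither stored nor custom variables for untrusted builds
    env = {k: kms.decrypt(repo, v).decode() for k, v in store.get(repo, {}).items()}
    env.update(custom_env or {})
    return env
```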