At Spectral, we believe that simplicity improves security. That is why we have tried to make our product as self-sufficient as possible, free from continuous calls to a central server not in your control.
However, we do need to occasionally collect and post data to enable the best possible experience for developers. These calls can be to Spectral’s cloud estate or to your remote git repositories.
This document explains when, where, and why we collect data across our entire service. We cover what’s sent to the SaaS Dashboard, what’s queried when you install the scan engine, and what happens when you run a scan.
The Spectral Dashboard is both SOC2 and ISO27001 compliant, so you know that your data is safe with us. We host our platform in AWS and protect our estate using Check Point CloudGuard Native.
We never store sensitive data about the scan results and only ingest the bare minimum of metadata. This includes information about what code we scanned, when the scan occurred, and a (sanitized) summary of the scan’s findings.
All scans are performed locally so that your source code and sensitive data never leave your machine.
All data transmitted to us over the internet is encrypted at rest with managed keys. We use the TLSv1.2 encryption protocol to ensure your data is secure in transit.
When you install the Scanner (which you can learn about here), you download a self-contained binary that does not need any other internet connection to run. Currently, we support the following platforms:
Updating the scan engine overwrites the existing binary.
During the installation and update process, we make only two requests to the SaaS platform:
Based on what you are scanning, we might make some additional requests:
Spectral scanners can be configured to scan locally without external network access. No further data is requested or sent if you scan a local repository.
For scans of remote repos, we need to get the code from the remote repository provider (e.g., GitHub, Bitbucket). To do this, we first get a list of repositories, then enumerate them, clone each repository, and run the scan locally.
Once a scan is complete, we delete the cloned repository from the local environment.
If you use the CI/CD integration, it performs all the requests described in the Installation & Update and Scanning sections, in the order laid out in this document.
Note: The customer is responsible for maintaining the environment’s security from where the scan is run.