Security at GitSnitch
GitSnitch is a security product, so we hold ourselves to the standard we help you enforce. Here's exactly how we protect your data and our own infrastructure.
Our trust model
Three commitments that shape every design decision.
Read-only, always
The GitHub App requests read-only scopes exclusively. GitSnitch cannot push code, open issues, change settings, or modify your repositories. It observes and alerts — nothing more.
Your source code is never stored
Secret scanning clones a commit range into an ephemeral working directory, scans it, and deletes it immediately. We persist alert metadata — the finding, the repo, the actor, the timestamp — not your code.
Least-privilege permissions
We request only the five scopes we actually use, each documented with its reason on the homepage. No blanket org-admin token, no write access, no unexplained scopes.
How your data is protected
Encryption, verification, and session hardening — end to end.
Encryption in transit
All traffic is served over TLS with HSTS enforced (max-age one year, includeSubDomains). Outbound SMTP notifications are delivered over an explicit STARTTLS-upgraded connection — credentials are never sent in cleartext.
Encryption at rest
Sensitive secrets — OAuth tokens, Slack webhook URLs, and outbound webhook signing secrets — are encrypted with AES-256-GCM (key derived via HKDF-SHA256) before they touch the database. They are never stored in plaintext.
Signature-verified webhooks
Every inbound GitHub webhook is verified against its HMAC-SHA256 signature before it is parsed. Deliveries are deduplicated by GitHub's delivery ID, so a replayed payload can't create duplicate alerts.
Hardened sessions
Sessions use short-lived, signed JWTs with refresh-token rotation. Cookies are HttpOnly, Secure, and SameSite=Strict — closing the door on CSRF and cross-site token theft.
Application security
The controls that keep the platform itself hard to attack.
Defense-in-depth headers
A strict Content-Security-Policy (no unsafe-inline scripts), X-Frame-Options: DENY, frame-ancestors 'none', and a strict referrer policy ship on every response.
Continuous dependency scanning
Go and JavaScript dependencies are scanned for known vulnerabilities, and the toolchain is kept current. Reachable advisories are remediated before they reach production.
Rate limiting & abuse controls
Authentication, export, and general API endpoints are rate limited, with Retry-After guidance on throttled responses to protect against brute-force and scraping.
Data handling & retention
What we keep, what we don't, and for how long.
- We store alert and event metadata — event type, repository, actor, timestamp, and finding details — so you can review and audit activity.
- We do not store your repository source code. Secret-scanning clones are deleted immediately after each scan.
- Alert history retention follows your plan (7 days on Free, 90 days on Pro, unlimited on Enterprise). Uninstalling the GitHub App stops all data collection.
- We never sell your data, and we don't share it with third parties except the infrastructure providers required to operate the service.
Responsible disclosure
Found a vulnerability? We want to hear about it. Email us with the details and steps to reproduce, and we'll acknowledge your report quickly and keep you posted through the fix. We don't pursue legal action against good-faith security research that respects our users' data and avoids service disruption.
Honest about what we are
GitSnitch is an independent product built with security-first engineering. We are not yet SOC 2 certified and we won't claim badges we haven't earned. What's on this page is what the product actually does today. Have a compliance requirement? Talk to us — we're happy to walk through our controls.