Security
At Semaphore, protecting customer data is a top priority and we take the responsibility of securing it extremely seriously. That's why we've built our product according to the highest security standards.
Compliance and Certification
SOC 2 Type 2
Our service organization controls have been independently audited against the AICPA Trust Services Criteria, validating our ongoing commitment to security. Our SOC 2 Type 2 report is available on request under NDA.
ISO 27001:2022
We have built our Information Security Management System on the ISO 27001:2022 control set so that industry-standard best-practice controls are implemented. Proof of certification is available on request.
PCI-DSS
All payments made on Semaphore go through FastSpring, a PCI-DSS Level 1 compliant service; Semaphore itself never stores card data.
Product security
Encryption
All data sent to or from Semaphore is encrypted in transit with TLS using 256-bit cipher suites; our API and application endpoints accept TLS connections only, never plaintext HTTP. Data at rest is encrypted with the industry-standard AES-256 algorithm.
Source code security
Communication with your Git provider is always encrypted: your source code is fetched only over SSH or HTTPS.
Secrets
Semaphore Secrets allow you to store sensitive data and use it as environment variables inside your jobs.
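The distinction matters in practice: a credential written literally into a committed pipeline file is readable by everyone with repository access, and this page explicitly does not treat such leaks as a Semaphore bug. The following pipeline is an added illustration, not from Semaphore's own documentation; the secret name aws-credentials, the DEPLOY_BUCKET variable, the machine type and the commands are assumptions chosen for the example.

```yaml
# Added example, not Semaphore's own configuration. Names below are assumed.
version: v1.0
name: Deploy
agent:
  machine:
    type: e1-standard-2
    os_image: ubuntu2004
blocks:
  - name: Deploy
    task:
      # WEAK (shown commented out): a literal credential committed to git.
      # Anyone who can read the repository, including every fork, can read it.
      #
      # env_vars:
      #   - name: AWS_SECRET_ACCESS_KEY
      #     value: "not-a-real-key-do-not-do-this"
      #
      # CORRECT: reference a Semaphore Secret by name. Its variables are
      # injected into the job environment when the job starts and never
      # appear in the repository or in the pipeline file.
      secrets:
        - name: aws-credentials   # assumed name of an organization secret
      jobs:
        - name: Upload build
          commands:
            - checkout
            # DEPLOY_BUCKET is assumed to be one of the secret's variables,
            # alongside AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
            - aws s3 sync build/ "s3://${DEPLOY_BUCKET}"
```

The secret itself is created once, outside the repository, with the sem CLI, for example `sem create secret aws-credentials -e AWS_ACCESS_KEY_ID=... -e AWS_SECRET_ACCESS_KEY=... -e DEPLOY_BUCKET=...`; review who can edit secrets and whether jobs triggered from forks should see them before relying on this pattern for deploy credentials.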
Audit logging
Audit logs record activity in your organization so you can see who did what and when. Use them for forensics and to demonstrate compliance. Audit logs can be securely streamed to your own servers.
Runtime isolation
Semaphore runs every build in an isolated sandbox virtual machine that is destroyed after a single use.
Two-factor authentication
Sign-in to Semaphore goes through your third-party Git provider, so the two-factor authentication (2FA) you enforce there applies to Semaphore as well.
Inherited restrictions
Default access rights on Semaphore projects are inherited from the repository permissions at your third-party Git provider.
Role-based access control
We provide multiple user roles with different permission levels within the product.
Operational security and policies
Policies
Semaphore has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with employees.
Employee vetting
Semaphore performs background checks on all new employees in accordance with local laws.
Confidentiality
All employees have signed a confidentiality agreement.
Security training
All employees complete security training when they join and receive regular refresher training afterwards.
Engineer security education
All engineers are required to attend additional technical security training.
Incident response
Semaphore maintains a well-defined set of protocols for responding to security events. These protocols are regularly tested and updated.
Incident Response Team
Semaphore has a rotating site reliability and incident response team that is available 24/7.
Partner management
Semaphore requires all third-party vendors to be ISO 27001:2013 certified and to complete a security questionnaire annually.
Access control and permissions
Semaphore follows the principle of least privilege. Access to customer data is limited to authorized employees who require it for their job responsibilities.
Authentication methods
Semaphore runs a zero-trust corporate network. We enforce Single Sign-On (SSO), two-factor authentication (2FA), and strong password policies on GitHub, Bitbucket, Google, and AWS to protect access to cloud services.
Application Security
Secure development lifecycle (SDLC)
Our Software Development Lifecycle Policy governs delivery, code review, and change management to minimize security incidents and downtime.
Software Dependencies
Semaphore keeps software dependencies up to date, and automated tools scan the application for common security issues including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL injection.
Separate Development Environments
Testing and staging environments are logically separated from the production environment. No customer data is used in our development or test environments.
Automated Testing and Build Processes
We have an extensive set of automated tests that run for every code change.
Physical and infrastructure security
Office security
Semaphore offices are secured by physical barriers and alarm systems. All visitors are required to sign in and be escorted at all times.
Remote office security
Semaphore ensures safe work from remote locations through policies such as a secure environment policy, a clear screen and desk policy, and an equipment siting and protection policy.
Data centers
Our application is hosted and managed within Google Cloud Platform data centers; this vendor is an industry leader in security and privacy. Our build agents are hosted on Hetzner, one of the largest data center operators in Europe, which is accredited under ISO 27001:2013.
Data Security
Data storage
Semaphore data stores are reachable only from the servers that require access to them. Access keys are stored separately from our source code repository and are available only to the systems that need them.
Data Backup
Semaphore maintains a Data Backup Policy for critical systems and requires that they can be restored within common industry recovery timelines.
Logs
We aggregate logs into secure, encrypted storage. Sensitive information is filtered out of our server logs before it is stored.
Build isolation
Semaphore runs every build in an isolated sandbox virtual machine that is destroyed after a single use.
Disaster recovery
Each of our services is fully redundant with replication and failover. Services are distributed across multiple availability zones, hosted in physically separate data centers, which protects them against the failure of any single data center.
Network Security
Traffic encryption
All data in transit is encrypted via TLS and SSH.
Secrets encryption
Semaphore Secrets are encrypted at rest and in transit and are injected into the runtime environment at the start of a job.
Source code encryption
Source code is always encrypted in transit via TLS and SSH.
Systems auditing
Semaphore maintains a formal Audit Policy and audits are conducted annually. This includes internal audits as well as audits by third parties.
Vulnerability scanning
Semaphore uses security tools to continuously scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored, and software is patched or updated promptly when new issues are reported.
Firewall
Our servers are protected by firewalls and are not directly exposed to the Internet.
Bugs and Reports We Don't Address
We don't act on the following classes of bugs and common reports:
Credentials committed to a third party's .semaphore/semaphore.yml
Email spoofing and SPF, DKIM, or DMARC misconfiguration reports
No Bounty Program Available
Semaphore does not offer bug bounties for discovered vulnerabilities. If you discover a vulnerability in the course of your work, we hope you will share it with us so we can improve the health of the internet ecosystem.
Contact us
Have a question, concern, or comment about Semaphore security?
Please email support@semaphoreci.com for general inquiries
and support+security@semaphoreci.com for security emergencies.