Privacy and Security
Security
Overview
CodeSee analyzes your code to calculate dependencies and other insights. We do not store your code on our servers — we analyze it on GitHub's servers using a GitHub Action.
We maintain SOC-2 Type II compliance. Please email [email protected] to receive our SOC-2 report.
Data
CodeSee does not store your code on our servers — we analyze it on GitHub's servers using a GitHub Action.
At this time, we do store various metadata about your code: the file names and directory names from your codebase, as well as simple connections between them (file A imports file B) and the git commit hashes, but not the commit messages or the contents of the files. We also store file metadata like the creation date of each file, and the number of commits on each file in the past month.
For code reviews, we also store the pull request number, and the branch name, in order to identify the pull request. But again, no commit messages or file contents. We display additional information as part of our UI by querying the GitHub API, but we do not store it. This includes information like pull request name and description, file contents, and comments.
By default, CodeSee auto-updates to new versions and collects usage data and crash report information. You may opt-out of these defaults by sending an email to [email protected].
GitHub Permissions
We currently request the following GitHub permissions via the CodeSee Maps GitHub App to ensure that you have a smooth experience using CodeSee.
Access to Content and Workflows
We currently run our code analysis using a GitHub action (though more options are on the way). Your code is analyzed on GitHub's servers -- we do not store it! Our action sends us aggregate data and metadata about your codebase and then we use that to create your Map, to make insights, and more.
In addition, these permissions enable us to open PRs (dependabot style) to install and update the CodeSee Map workflow in your repo to the latest configuration. Finally, if you use our Code Review feature (Review Maps), we display code changes in our UI alongside a Map of the pull request. We do so by requesting only the relevant code using GitHub's APIs, and transmitting it securely over https. Again, we do not store your code.
Access to Pull requests
For pull requests, we generate and post a Review Map on each pull request so that you can see how your change fits within the larger architecture. This image is also a link to the interactive code review interface in the CodeSee app. We need these permissions to post that image.
We also post automated checklists and reminders, and enforce those checklists are completed using the GitHub Checks API.
Access to Actions
These permissions allow us to monitor our GitHub Action, present progress indicators in-app, and help you troubleshoot if something goes wrong.
Access to Repo Administration Organization Members
We use information about who has access to your repo and organization in order to limit who has access to your CodeSee Maps. That way, all those and only those who have access to your repo can have access to your Maps about that repo
We also use this information to provide autocomplete functionality so you can "@" your teammates from within CodeSee using their github handle.
‼️ Note about Act on your behalf
This message "Act on your behalf" appears when you connect your GitHub identity to CodeSee. It is, unfortunately, very misleading. CodeSee only requests the permissions as described above (which you can see on your installation page.
These permissions are not granted when you click the button as appears above. They are only granted on a per-repository / per-organization basis when you connect the CodeSee GitHub App with that org or repo. GitHub's documentation explains this in more depth.
There is a long thread discussing this weird "Act on your behalf" wording here
on GitHub's own community forum.
GitHub Permission Details
GitHub Permission | CodeSee Feature |
---|---|
Actions (read/write) | Detect CodeSee GitHub Action runs, troubleshoot issues, and rerun |
Administration (read) | - Get the list of teams on GitHub in order to autocomplete when typing @ in a comment or an Automation - Get the list of labels on a repo in order to autocomplete in an Automation - Detect if GitHub actions are enabled to facilitate installation and troubleshooting of the CodeSee GitHub Action |
Checks (read/write) | Enforce automated checklists are completed before merging a GitHub Pull Request. |
Contents (read/write) | - Read access is used to render your code from within the CodeSee product so that your maps are tightly integrated with your code. - Write access is used only to simplify the install steps when installing the CodeSee GitHub Action on a repo without branch protection |
Issues (read) | Maintain and update automated checklists on GitHub Pull Requests. |
Members (read) | Autocomplete when typing @ in a comment |
Metadata (read) | This is a mandatory permission. All GitHub Apps must have this permission to function. |
Pull Requests (read/write) | CodeSee Review Maps are interactive visualizations of each pull request, and enable bi-directional GitHub comment syncing. |
Please contact us at [email protected] with questions, feedback, or feature requests.
Updated 10 months ago