To provide you with a user account, Gitpod will be processing basic personal information (such as name, username, email) from your code repository user account (GitHub, GitLab or Bitbucket). Furthermore, Gitpod will have access to the code repositories authorised by you, including all data they contain.
Access to code repositories is achieved via OAuth tokens. When granting Gitpod access to a repository, an authorization token will be generated covering the scope you have defined. It is possible to revoke and re-authorize at any time.
All workspace content as well as any environment remains encrypted at rest (via AES256) and in transit (TLS 1.2). Be aware that you can also share your workspaces and snapshots; doing so makes their content available to others.
Regardless of which secrets you put into Gitpod, they are all secured in the same manner, so this is primarily a question of your overall risk appetite. When sharing a workspace or snapshot, make sure the recipients are authorised to know the information it contains.
Gitpod is 100% cloud based. Computing, network and storage resources are provided by Google's comprehensively secure and compliant Cloud Platform (GCP). You can review Google's security certifications and controls at https://cloud.google.com/security/compliance. Gitpod's cloud infrastructure is subject to frequent security assessments, such as penetration tests, performed by an independent third party.
Users must have access to the underlying git repository to be able to open snapshots of a workspace. When sharing a running workspace, knowing the URL is sufficient to access the workspace.
For support purposes and with your consent, a selected group of Gitpod staff can look into the workspace content, and therefore the related code repositories, to help with troubleshooting. Of course, this only works with repositories Gitpod has been granted access to. This type of access is subject to logging and is continuously reviewed.
No, Gitpod does not scan workspaces for source code.
If we accidentally commit a secret in our GitHub repo and spin up a Gitpod instance containing that secret, is Gitpod performing any secret analysis and scrubbing?
We are not scanning the source code within workspaces for secrets.
We value feedback from Security Researchers around the globe. Please report any security issues or concerns via firstname.lastname@example.org or https://www.gitpod.io/security/. The more details you can provide, the easier it will be for us to triage and fix the issue.
Yes, Gitpod is GDPR compliant and by default only relies on basic personal information to provide you with a user account. Gitpod provides you with a Data Processing Agreement incorporating the standard contractual clauses for international data transfers. You can find more information within our Trust Center.
Gitpod is SOC 2 Type II compliant, with annual audits performed by an independent third party to assess the overall appropriateness of our security controls. You can request a copy of our report along with other security documentation inside our Trust Center (NDA required).
Gitpod is not intended nor designed to process HIPAA or PCI DSS relevant data. Be sure to filter such data to prevent it from being sent to our service in order to meet your compliance requirements.
In Gitpod Dedicated, you are provided with your own entirely isolated deployment, managed by Gitpod staff.