Security at Gitpod

Gitpod is trusted by over 450k developers and companies that are moving their dev environments to the cloud.

Talk to an expert

Trusted by developer led companies

freeCodeCamp
DataStax
Secure

Secure by design.

Storing copies of your source code locally on countless unsecured devices and networks is a bad practice. At the same time, it has become a reality for many organisations to enable their employees to work remotely with BYOD policies.

With Gitpod, your source code is safely stored in the cloud and never stored locally. Either on the carbon-neutral Google Cloud Platform with our SaaS solution or on your own cloud infrastructure with Gitpod Self-Hosted. Our native integrations with GitHub, GitLab and Bitbucket create a single access point to your intellectual property, no matter where your developers are and what device they use for it.

No packages or dependencies are downloaded to users' devices. Gitpod developer environments run in the cloud and are short-lived, protecting your local machines and other corporate resources from malicious attacks through the execution of arbitrary code.

Industry leading security program

Compliance

Compliance

Gitpod is a European company committed to developer and data privacy. We provide our users with the ability to access and control the information that we collect about them.

Gitpod is built with security in mind and we continuously invest in security best practices. We are currently in the process of becoming SOC 2 compliant and you can request a copy of our SOC2 audit report as soon as it's available.

Environment Isolation

Environment Isolation

Each Gitpod workspace or prebuild runs on a secured single-use container providing fast startup times without compromising on security

We create separate user, PID, mount and network namespaces for each Gitpod workspace, and establish an unprivileged node user as root within that user namespace. More details on the technical approach can be found in this talk from our Head of Engineering as well as in this blog post from the container security experts at Kinvolk who stress-tested our namespace layering implementation.

Open source

Open source

Built-in the open, our source code and how Gitpod is developed are publicly available for review by everyone. Our security posture, disclosure policy and speed in vulnerability handling is highlighted in the following blog post from the security research team at GitLab.

In addition to this, we acknowledge the importance of giving back to the community and have taken steps to support the software supply chain of Gitpod and our customers through the creation of a monetary fund for supporting open-source maintainers.

Authentication and Authorization

Authentication and Authorization

Gitpod uses your Git provider's SSO and, by default, all workspaces connections are private and authenticated, making them accessible only by the creator.

Prebuild logs are readable by all members of the corresponding team and no one else.

Encryption

Encryption

All data, including workspace backups and environment variables, is encrypted at rest using AES256; and all connections to the Gitpod app, website, workspaces and workspaces' endpoints are encrypted in transit (TLS).

Thanks

Big thanks to the following people who responsibly disclosed their security findings.

View contributors

Security Vulnerability Disclosure Policy

We welcome feedback from security researchers and the general public to help improve our security.

View report process

Report security concerns

We welcome close collaboration with the worldwide security research community.

Report security concern