Security at Gitpod

Gitpod is trusted by over 750k developers and companies that are moving their dev environments to the cloud.




Secure by design.

Storing copies of your source code locally on countless unsecured devices and networks is a bad practice. At the same time, enabling employees to work remotely under BYOD policies has become a reality for many organisations.

With Gitpod, your source code is safely stored in the cloud and never stored locally: either on the carbon-neutral Google Cloud Platform with our SaaS solution, or on your own cloud infrastructure with Gitpod Self-Hosted. Our native integrations with GitHub, GitLab and Bitbucket create a single access point to your intellectual property, no matter where your developers are and what device they use.

No packages or dependencies are downloaded to users' devices. Gitpod developer environments run in the cloud and are short-lived, protecting your local machines and other corporate resources from malicious attacks through the execution of arbitrary code.

Transparency is key

Have a look at the latest security findings and updates

Industry leading security program

Compliance


Gitpod maintains compliance with the European General Data Protection Regulation (GDPR) and provides users with the ability to access and control the information that is collected about them. To clients we provide a Data Processing Agreement (DPA) incorporating the Standard Contractual Clauses (SCC) for International Data Transfers.

Gitpod is built with security in mind. We continuously invest in security best practices and conduct annual SOC 2 Type II audits to assess the appropriateness of our controls. You can request a copy of our report inside our public Trust Center (NDA required).


Environment Isolation

Each Gitpod workspace or prebuild runs in a secured single-use container, providing fast startup times without compromising on security.

We create separate user, PID, mount and network namespaces for each Gitpod workspace, and map an unprivileged node user to root within that user namespace. More details on the technical approach can be found in this talk from our Head of Engineering, as well as in this blog post from the container security experts at Kinvolk, who stress-tested our namespace layering implementation.
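To make the user-namespace layering described above concrete, here is an added example in Go (example code, not Gitpod's own) that interprets the kernel's uid_map format: given the mapping table a process sees in /proc/self/uid_map, it resolves in-namespace uids to host uids and reports whether the namespace's root is backed by an unprivileged host user. The sample mappings are constructed, and the live read of /proc/self/uid_map is attempted only where /proc exists.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Entry is one line of /proc/<pid>/uid_map (or gid_map):
// "<first id inside the namespace> <first id on the host> <count>".
type Entry struct {
	Inside, Outside, Count uint64
}

// ParseIDMap parses the uid_map/gid_map text format. Blank lines are
// skipped; a line without exactly three non-negative integers, or with a
// zero count, is rejected rather than silently ignored.
func ParseIDMap(s string) ([]Entry, error) {
	var entries []Entry
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed id_map line: %q", line)
		}
		var vals [3]uint64
		for i, field := range f {
			v, err := strconv.ParseUint(field, 10, 64)
			if err != nil {
				return nil, fmt.Errorf("malformed id_map line %q: %w", line, err)
			}
			vals[i] = v
		}
		if vals[2] == 0 {
			return nil, fmt.Errorf("zero-length mapping: %q", line)
		}
		entries = append(entries, Entry{Inside: vals[0], Outside: vals[1], Count: vals[2]})
	}
	return entries, sc.Err()
}

// HostID resolves an id as seen inside the namespace to the host id.
// ok is false when the id is not covered by any range: such ids have no
// host identity and show up as the overflow id (normally 65534) instead.
func HostID(entries []Entry, nsID uint64) (hostID uint64, ok bool) {
	for _, e := range entries {
		if nsID >= e.Inside && nsID-e.Inside < e.Count {
			return e.Outside + (nsID - e.Inside), true
		}
	}
	return 0, false
}

// RootIsUnprivileged reports whether uid 0 inside the namespace is backed
// by a non-zero host uid, i.e. "root" in the workspace is an ordinary user
// on the node rather than real root or an unmapped id.
func RootIsUnprivileged(entries []Entry) bool {
	host, ok := HostID(entries, 0)
	return ok && host != 0
}

func main() {
	// Constructed samples, not taken from a real Gitpod node.
	samples := map[string]string{
		// A user namespace whose root is host uid 33333 and whose uids 1..65536
		// come from a subordinate range starting at 100000.
		"layered": "         0      33333          1\n         1     100000      65536\n",
		// The identity map of the initial namespace: root really is root.
		"identity": "         0          0 4294967295\n",
	}
	for name, m := range samples {
		entries, err := ParseIDMap(m)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		host, ok := HostID(entries, 0)
		fmt.Printf("%-8s root -> host uid %d (mapped=%v) unprivileged=%v\n",
			name, host, ok, RootIsUnprivileged(entries))
	}
	// Live check of the calling process; skipped where /proc is unavailable.
	if b, err := os.ReadFile("/proc/self/uid_map"); err == nil {
		if entries, err := ParseIDMap(string(b)); err == nil {
			fmt.Println("this process: root unprivileged =", RootIsUnprivileged(entries))
		}
	}
}
```

Run inside a workspace container, the live check is the quick way to confirm that a shell showing uid 0 is really an unprivileged node user; the same parser applies unchanged to /proc/self/gid_map.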

Open source


Built in the open: our source code and the way Gitpod is developed are publicly available for review by everyone. Our security posture, disclosure policy and speed in vulnerability handling are highlighted in the following blog post from the security research team at GitLab.

In addition to this, we acknowledge the importance of giving back to the community and have taken steps to support the software supply chain of Gitpod and our customers through the creation of a monetary fund for supporting open-source maintainers.

Authentication and Authorization


Gitpod uses your Git provider's SSO and, by default, all workspace connections are private and authenticated, so a workspace is accessible only by its creator.

Prebuild logs are readable by all members of the corresponding team and no one else.

Encryption


All data, including workspace backups and environment variables, is encrypted at rest using AES-256, and all connections to the Gitpod app, website, workspaces and workspace endpoints are encrypted in transit with TLS.

Provenance


Gitpod generates SLSA level 1 compliant provenance. Starting with this level, build systems are required to keep a record of their involvement, of which sources went into the build process, and of which process was used. All this data is recorded using in-toto attestations and published alongside the actual build artifacts.
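As an added illustration of what a consumer of such provenance can check (example code, not Gitpod's tooling; it assumes the in-toto Statement v0.1 payload with the SLSA provenance v0.2 predicate layout), the Go program below parses a statement, confirms that the artifact in hand is one of its subjects by sha256, and confirms that the builder, build process and input materials the paragraph mentions are all recorded. The builder id, repository URI and digests in the constructed sample statement are placeholders, not Gitpod's real values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const statementType = "https://in-toto.io/Statement/v0.1"
const slsaV02 = "https://slsa.dev/provenance/v0.2"

// Statement is the in-toto Statement (v0.1) payload, reduced to the fields
// this check reads; Subject names a produced artifact and Material an input.
type Statement struct {
	Type          string        `json:"_type"`
	Subject       []Subject     `json:"subject"`
	PredicateType string        `json:"predicateType"`
	Predicate     ProvenanceV02 `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Material struct {
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest"`
}

// ProvenanceV02 is the subset of the SLSA provenance v0.2 predicate used here.
type ProvenanceV02 struct {
	Builder   struct{ ID string `json:"id"` } `json:"builder"`
	BuildType string     `json:"buildType"`
	Materials []Material `json:"materials"`
}

// CheckProvenance verifies that raw is an in-toto statement carrying SLSA v0.2
// provenance whose subjects include artifactName with the sha256 of artifact,
// and that the builder, the build process and the input sources are recorded.
func CheckProvenance(raw []byte, artifactName string, artifact []byte) error {
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("decode statement: %w", err)
	}
	if st.Type != statementType || st.PredicateType != slsaV02 {
		return fmt.Errorf("unexpected statement/predicate type %q / %q", st.Type, st.PredicateType)
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range st.Subject {
		matched = matched || (s.Name == artifactName && s.Digest["sha256"] == want)
	}
	if !matched {
		return fmt.Errorf("%s with sha256 %s is not a subject of this provenance", artifactName, want)
	}
	switch p := st.Predicate; {
	case p.Builder.ID == "":
		return errors.New("builder.id missing: the build system's involvement is not recorded")
	case p.BuildType == "":
		return errors.New("buildType missing: the build process is not recorded")
	case len(p.Materials) == 0:
		return errors.New("materials empty: no sources recorded")
	}
	return nil
}

// SampleStatement builds a constructed statement for artifact. The builder id,
// build type, repository URI and source digest are placeholders for this example.
func SampleStatement(artifactName string, artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	st := map[string]interface{}{
		"_type":         statementType,
		"predicateType": slsaV02,
		"subject":       []Subject{{Name: artifactName, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		"predicate": map[string]interface{}{
			"builder":   map[string]string{"id": "https://ci.example.invalid/builder@v1"},
			"buildType": "https://ci.example.invalid/buildtype@v1",
			"materials": []Material{{
				URI:    "git+https://example.invalid/org/repo@refs/heads/main",
				Digest: map[string]string{"sha1": "0123456789abcdef0123456789abcdef01234567"},
			}},
		},
	}
	raw, _ := json.Marshal(st)
	return raw
}

func main() {
	artifact := []byte("constructed build output\n")
	raw := SampleStatement("app-linux-amd64", artifact)
	fmt.Println("genuine artifact:", CheckProvenance(raw, "app-linux-amd64", artifact))
	fmt.Println("tampered artifact:", CheckProvenance(raw, "app-linux-amd64", []byte("tampered")))
}
```

These are content checks only: a pipeline that consumes published attestations also verifies the signature on the DSSE envelope that carries the statement before trusting any of the fields above, and pins the expected builder id rather than merely requiring it to be non-empty.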

Thanks

Big thanks to the following people who responsibly disclosed their security findings.


Security Vulnerability Disclosure Policy

We welcome feedback from security researchers and the general public to help improve our security.


View our Security Self-Assessment

You can find our CAIQ self-assessment in the Cloud Security Alliance STAR Registry, a framework dedicated to providing an industry-accepted way of achieving transparency around cloud security controls.


Report security concerns

We welcome close collaboration with the worldwide security research community.
