This document is intended to help our visitors' security, risk, compliance, or developer teams evaluate what we do with their code and data.
For security inquiries or vulnerability reports, please email [email protected]!
CheckiePy uses GitHub OAuth to authenticate your GitHub account and obtain a GitHub token.
Using OAuth2 means we do not access your GitHub password and that you can revoke our access at any time.
Your GitHub token is needed to fetch file content, comments and repository information, and to update pull request status. This token is encrypted, encoded and stored in our Postgres database, which runs in a Docker container.
When you click the "Connect" button in the CheckiePy interface for one of your GitHub repositories, we send your GitHub token from the web browser's session to our server.
We use your GitHub token to add the @CheckiePyBot GitHub user to your repository via the GitHub collaborator API. @CheckiePyBot will be added to a team that has access to the enabled repository. If no existing team can be found, we create a "Services" team with push access to the enabled repository. This is necessary for @CheckiePyBot to see pull requests, make comments, and update pull request statuses.
We also create a webhook on your repository via the GitHub webhook API. This allows us to receive pull request notifications.
CheckiePy loads all the files in the repository and goes through each file the repository contains, collecting data for its code style metrics.
When you open a pull request on your GitHub repo, or push a new commit to the branch for that pull request, CheckiePy receives the payload. This payload doesn't contain any code. It contains metadata about the pull request such as repo, user, and commit.
The payload is stored on our server so that we can check code style in a background job.
Using the information from the payload, CheckiePy makes a new HTTP request to GitHub's API to get the pull request's patch and file contents.
We run code style inspections on the repository and pass the results back to our bot, which uses the GitHub commenting API to comment on the inspections that failed in the pull request.
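As an added illustration of the pull request flow described above (example code, not CheckiePy's own), here is how a receiver for that payload can validate the delivery before storing it and pull out only the metadata a background job needs to fetch the patch later. It assumes the webhook was registered with a secret, which GitHub uses to sign each delivery with HMAC-SHA256 in the X-Hub-Signature-256 header; the sample payload is constructed and trimmed to the fields used.

```python
import hashlib
import hmac
import json

# Constructed sample of a GitHub "pull_request" delivery, trimmed to the fields
# used below. It carries metadata only: no file contents and no diff.
SAMPLE_PAYLOAD = {
    "action": "synchronize",
    "number": 42,
    "pull_request": {
        "head": {"sha": "0123456789abcdef0123456789abcdef01234567"},
        "user": {"login": "example-user"},
    },
    "repository": {"full_name": "example-org/example-repo"},
}

def encode_payload(payload: dict) -> bytes:
    return json.dumps(payload).encode()

def sign_body(secret: bytes, body: bytes) -> str:
    # The X-Hub-Signature-256 value GitHub sends: HMAC-SHA256 over the raw body
    # keyed with the webhook secret, hex-encoded and prefixed with "sha256=".
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    # Check against the raw bytes (re-serializing parsed JSON would change them)
    # and in constant time, so a timing side channel cannot reveal the MAC.
    if not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)

def extract_pr_metadata(payload: dict):
    # Keep only what a background job needs to fetch the patch later; only
    # opened/reopened/synchronize carry a commit to check, others yield None.
    if payload.get("action") not in ("opened", "synchronize", "reopened"):
        return None
    pr = payload["pull_request"]
    return {
        "repo": payload["repository"]["full_name"],
        "number": payload["number"],
        "user": pr["user"]["login"],
        "head_sha": pr["head"]["sha"],
    }

def handle_webhook(secret: bytes, body: bytes, signature_header: str):
    # Reject unsigned or tampered deliveries before the payload is stored.
    if not verify_signature(secret, body, signature_header):
        raise PermissionError("webhook signature mismatch")
    return extract_pr_metadata(json.loads(body))
```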
We can't afford to hire a third-party security company to audit CheckiePy, but the codebase is open source. We believe that transparency, together with this document, helps keep CheckiePy as secure as possible.