SECURITY

Security Model

How Code Corgi is designed, what data we handle, and how to report vulnerabilities.

Architecture security

Code Corgi is built with a security-first architecture from the ground up. Key design decisions:

  • No secrets in environment variables. All credentials and API tokens are fetched at runtime from HashiCorp Vault via agent sidecar injection. No secret ever touches an environment variable or a Kubernetes ConfigMap.
  • Append-only audit log. The audit_events PostgreSQL table uses an INSERT-only database role. No application code path can update or delete audit records. Tampering with the audit trail requires direct database superuser access, which is monitored and alerted.
  • Webhook verification. All incoming webhook payloads are verified using HMAC-SHA256 signatures before processing. Requests that fail verification are rejected with HTTP 401 before any payload parsing occurs.
  • No persistent storage of code. Diff payloads are processed in memory and written to object storage only for the duration of the scan job. Diffs are deleted from object storage after 90 days (configurable per organisation).
  • Network isolation. All inter-service communication runs over NATS JetStream on an internal network. No service exposes an HTTP port to the cluster network except the API gateway. All external traffic terminates at the gateway with TLS.

Data handling

What we process

Code Corgi processes pull request diff payloads — the changed lines of code in each pull request. We do not process your entire repository, only the lines changed in a given PR.

What we store

  • Diff payloads: stored in object storage (MinIO / S3-compatible), encrypted at rest, deleted after 90 days
  • Scan findings: stored in PostgreSQL, retained for the duration of your subscription
  • Audit events: append-only log of all scan jobs, findings, and policy changes
  • Webhook metadata: repository name, PR number, commit SHA — no code content

What we never store

  • Your full repository contents
  • Git history beyond the current PR diff
  • Developer credentials or authentication tokens
  • Personal data beyond the email address used to register

Data residency

Enterprise customers can specify a data residency region at account creation. Object storage and database instances are provisioned in that region. Available regions: US (default), EU, APAC.

Responsible disclosure

We take security vulnerabilities seriously. If you discover a vulnerability in Code Corgi, please report it responsibly:

  • Email: security@phantomcorgi.com
  • Response time: We will acknowledge your report within 48 hours
  • Disclosure window: We ask for 90 days to remediate before public disclosure
  • Scope: The Code Corgi API, web application, detection pipeline, and Helm chart

Please do not use automated scanners against production infrastructure. We maintain a staging environment available for security researchers — contact us for access.

Penetration testing

Enterprise customers may conduct penetration tests against their own Code Corgi deployment. Please notify us at security@phantomcorgi.com before beginning testing so we can distinguish your activity from genuine threats.

Compliance

Code Corgi is designed to support SOC2 Type II compliance for our customers. Key controls:

  • Append-only audit trail for all scan events and policy changes
  • Role-based access control with the principle of least privilege
  • Encrypted data at rest and in transit
  • Configurable data retention policies
  • Single sign-on via SAML 2.0 / OIDC (Enterprise tier)
PC

Questions about security?

Our security team responds to all inquiries within 48 hours.

security@phantomcorgi.com →