Security

At Spacelift, your security while using our service is our first and foremost priority. Here's what we're doing to maintain your trust by keeping Spacelift secure by design.

You can access security reports, compliance information, and controls details in our Trust Center.

Certifications

Spacelift is SOC2 Type II Certified.

The certification was performed by an independent external auditor, who confirmed the effectiveness of Spacelift's internal controls for the Security, Confidentiality, Integrity, Availability, and Privacy of customer data.

Security audits

Spacelift performs regular security audits using:

  • Automated security tooling.
  • Internal audits by the Spacelift security team.
  • External security firms for audits and penetration testing at least once per year.

Encryption

All of Spacelift's data is encrypted in transit and at rest. All traffic is handled using secure transport protocols with the exception of intra-VPC traffic between the web server and the load balancer, which is protected by a restrictive AWS security group.

All the data sources (Amazon S3, database, Amazon SNS topics, and Amazon SQS queues) are encrypted at rest using AWS KMS keys with restricted and audited access.

Customer secrets are additionally encrypted at rest to keep them safe from all attackers, internal or external.

Security features

Multi-Factor Authentication (MFA)

This feature elevates the security of your Identity Provider (IdP) sessions by adding FIDO2 security keys, managed within Spacelift. MFA provides an additional layer of protection for your identity. Designed for seamless integration, MFA can be enforced across all user accounts to maintain consistent security controls. You can learn more about our MFA feature here.

Single Sign-On (SSO)

In addition to the default login providers (GitHub, GitLab, Microsoft, and Google), Spacelift supports Single Sign-On (SSO) via SAML or OIDC using your favorite identity provider. Using SSO, Spacelift can be configured in a password-less approach, helping your company follow a zero-trust model. As long as your Identity Provider supports SAML or OIDC and can pass the email scope, you're good to go! You can learn more about our Single Sign-On support here.

Environment variables

Spacelift allows for granular control of environment variables on your stacks either by setting environment variables on a per-stack basis, or creating collections of variables as a context. These environment variables can be either plain or secret.

Private worker pools

Spacelift lets you host the underlying compute resources that access your codebase and execute your deployments on your own infrastructure, as a private worker pool. This gives customers the option of full control over the security of their deployments.

Furthermore, the image used by Spacelift private workers is open source, giving customers full transparency into their private workers.

Access private version control systems

For customers that use privately hosted version control systems (such as on-premise installations of GitHub Enterprise or other VCS providers), Spacelift provides the ability to access your private VCS securely using VCS agent pools.

A single VCS agent pool is the way Spacelift communicates with a single VCS system on your side. You run VCS agents inside your infrastructure and configure them with your internal VCS system endpoint. They then connect to a gateway on our backend, through which we access your VCS system; the agents initiate the connection, so no inbound access to your network is required.

Spacelift VCS agent pools use gRPC over HTTP/2 for secure, high-performance connectivity.

Policies

Spacelift policies provide a way to express rules as code to manage your infrastructure-as-code environment. Users can build policies to control Spacelift login permissions, access controls, deployment workflows, and even govern the infrastructure itself to be deployed. Policies are based on the Open Policy Agent project and can be defined using its rule language Rego. You can learn more about policies here.
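As an added illustration (not code from the Spacelift documentation), here is a minimal login policy in Rego that admits users by IdP team membership and explicitly denies one account. The team names and login are constructed; the `package spacelift` name, the `allow`/`admin`/`deny` rules, and the `input.session.login` / `input.session.teams` fields are assumed to match Spacelift's login-policy input and should be checked against the policy reference for your account.

```rego
# Added example, not from the Spacelift docs. Assumed input shape:
#   input.session.login : string (the user's login/email)
#   input.session.teams : list of team names passed by the IdP
package spacelift

# Allow any user the IdP places in the "engineering" team (constructed name).
allow {
  input.session.teams[_] == "engineering"
}

# Grant account admin rights only to members of "platform-admins" (constructed name).
admin {
  input.session.teams[_] == "platform-admins"
}

# Deny wins over allow/admin: block one login regardless of team membership.
deny {
  input.session.login == "offboarded-user@example.com"
}
```

Anyone matching no rule is denied by default, so the policy is deny-by-default with an explicit allow list, which is the least-privilege shape you want for login control.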

Responsible disclosure

If you discover a vulnerability, we would like to know about it so we can address it as quickly as possible. We ask for your help in better protecting our clients and our systems.

I found a vulnerability

When you find a vulnerability in Spacelift, please:

  • Email your findings to security@spacelift.io.
  • Provide sufficient information to reproduce the problem so we can resolve it as quickly as possible.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading, deleting, or modifying other people's data.
  • Do not reveal the problem to others until it has been resolved.
  • Do not perform attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.

What we promise

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report.
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem.
  • In the public information about the reported problem, we will give your name as the discoverer of the problem (unless you desire otherwise).
  • As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be based on the severity of the vulnerability and the quality of the report.

We strive to resolve all problems as quickly as possible, and we would like you to play an active role in the ultimate publication on the problem after it is resolved.