Last updated: March 2026

Security

Security is not a feature we bolt on. It is how we build Driftlog from the ground up. This page describes our current security practices. If you find a vulnerability, please report it to security@driftlog.dev.

Infrastructure

Driftlog runs on Vercel's edge network with automatic TLS termination. Our database is hosted on Neon with encryption at rest and in transit. All inter-service communication uses TLS. We do not run any self-managed servers. Infrastructure configuration is version-controlled and reviewed before deployment.

Authentication

Passwords are hashed using bcrypt with a cost factor of 12. OAuth tokens from GitHub are encrypted at rest and scoped to the minimum permissions required. Session tokens are short-lived JWTs with refresh token rotation. All authentication endpoints are rate-limited.

Data isolation

Each organization's data is logically isolated at the database level using row-level scoping. API endpoints enforce organization membership before returning any data. There is no shared state between organizations. Audit logs track every significant action.

Code analysis pipeline

When Driftlog analyzes your code, it clones the repository into an ephemeral container, runs the configured rules, extracts violation metadata, and then destroys the container. Source code is never written to persistent storage. Analysis results contain only file paths, line numbers, rule identifiers, and messages; they never contain code snippets.

Webhook verification

All incoming GitHub webhooks are verified using HMAC-SHA256 signatures before processing. Invalid signatures are rejected and logged. Webhook deliveries are deduplicated to prevent replay attacks.

Dependency management

We use automated dependency scanning to detect known vulnerabilities in our supply chain. Critical vulnerabilities are patched within 48 hours. We pin dependency versions and review all updates before merging.

Responsible disclosure

If you discover a security vulnerability in Driftlog, please email security@driftlog.dev. We will acknowledge your report within 48 hours, investigate promptly, and keep you informed of our progress. We do not pursue legal action against researchers who report vulnerabilities in good faith.