Security FAQs

How is Lift deployed?

Lift software is delivered as a service. It integrates with your source repository to automatically run at each pull request.

How does Lift work?

Upon each pull request (which Lift monitors via the repo host), Lift clones your repo and runs its analyzers over the code, delivering results as code comments within the repo's code review tool. Upon completion of the analysis of private repositories, Lift will delete its copy of your repository.

What’s the high-level architecture?

Lift is a container-based platform on Linux running on Amazon Web Services (AWS). The cloud platform integrates directly with repository hosts like GitHub and requires no installation of code into your environment.

How does Lift handle our source code and other confidential information?

Lift recognizes the value of its customers' source code and the importance of maintaining confidentiality. Lift retains its customers' data only to the extent required to deliver its service, and only for as long as required to do so. Lift treats its customers' source code and related information as highly confidential and handles it with the same degree of care we apply to our own confidential information. Lift encrypts data at rest using industry-standard encryption; for data in transit, Lift relies on TLS and shared secrets with GitHub/GitLab/Bitbucket to encrypt source code and other data transmitted to and from Lift. Lift further separates its customers' data by providing a dedicated single-tenant AWS node for the duration of each analysis. For Lift on-premise deployments, neither your source code nor our analysis results leave the Lift server.

Does Lift process "Personal Data" as defined by GDPR and similar privacy laws?

Lift captures Personal Data solely of its own end-users, i.e. the individual developers who hold Lift accounts. Specifically, we capture the name, email address and other information received from GitHub through our SSO integration. We retain and use such data only as long as necessary and in compliance with law.

How do you handle authentication and otherwise manage user accounts?

Lift authenticates users either via Sonatype or via third-party single sign-on (SSO) providers like GitHub, so customers can use their existing accounts on those platforms to log into Lift. User accounts in the Lift platform are associated with those credentials, and Lift does not maintain any separate accounts of its own.

Why does Lift ask for these permissions on GitHub?

Lift performs a variety of operations depending on which tools it uses to analyze your code. The permissions requested are:

  • GitHub's text: "User permissions" and "Installing and authorizing sonatype-lift immediately grants these permissions on your account: <name>. Read access to emails"
    • Reason: to know who you are when you log into the console at https://lift.sonatype.com and to provide email communications regarding the Lift service.
  • GitHub's text: "Read access to members, metadata, organization administration, organization plan, and organization projects"
    • Members: to help grant access to users who visit the console
    • Metadata: For learning default branches and other basic information
    • Organization administration: For allowing administrators to control seat provisioning
    • Organization plan: Unused
    • Organization projects: Unused
  • GitHub's text: "Read and write access to checks, code, commit statuses, issues, pull requests, and security events"
    • Checks: This is a status API allowing CI jobs to report their current status.
    • Code: Read access is needed to scan your code. Write access is used by some tools to (optionally) create new branches and open associated pull requests in order to automatically suggest fixes for code quality and security issues.
    • Commit statuses: This is an API that allows apps like Lift to report the status of an analysis job associated with a pull request.
    • Issues: Allows the app to (optionally) open new GitHub issues as a means of recording and tracking code quality and security issues.
    • Pull requests: Allows the app to (optionally) open new pull requests to automatically suggest fixes for code quality and security issues.
    • Security events: Lift integrates with GitHub's code scanning dashboard and can upload issues directly to the GitHub code scanning system.
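As an added example (not Sonatype's code), the following script turns the permission list above into a least-privilege check: it compares the `permissions` object that GitHub's REST API returns for an app installation against the scopes the FAQ says Lift needs, and reports any scope granted beyond them or marked "Unused" above. Mapping the FAQ's wording onto GitHub App permission keys such as "contents" or "statuses" is an assumption made here, and the installation JSON is a constructed sample.

```python
"""Least-privilege audit of a GitHub App installation's permissions (added
example, not Sonatype's code). Mapping the FAQ's wording onto GitHub App
permission keys such as "contents" or "statuses" is an assumption made here."""
import json

# Scopes the FAQ lists, as GitHub App permission keys; the two the FAQ marks
# "Unused" stay in the table so a grant of them can be reported.
EXPECTED = {
    "emails": "read", "members": "read", "metadata": "read",
    "organization_administration": "read",
    "organization_plan": "read", "organization_projects": "read",  # FAQ: Unused
    "checks": "write", "contents": "write", "statuses": "write",
    "issues": "write", "pull_requests": "write", "security_events": "write",
}
UNUSED = {"organization_plan", "organization_projects"}
LEVEL = {"read": 1, "write": 2, "admin": 3}

def audit_permissions(granted, expected=EXPECTED, unused=UNUSED):
    """Return findings: keys outside the expected set, keys granted above the
    expected level, and granted keys the vendor documents as unused."""
    findings = {"unexpected": [], "excessive": [], "unused": []}
    for key, level in granted.items():
        if key not in expected:
            findings["unexpected"].append(key)
        elif LEVEL.get(level, 99) > LEVEL[expected[key]]:
            findings["excessive"].append(f"{key}: {level} > {expected[key]}")
        if key in unused:
            findings["unused"].append(key)
    return findings

# Constructed sample of one installation's `permissions` object, shaped like
# the GET /orgs/{org}/installation response; the values are made up.
SAMPLE_INSTALLATION = json.loads("""{
  "id": 12345, "app_slug": "sonatype-lift",
  "permissions": {
    "contents": "write", "metadata": "read", "checks": "write",
    "statuses": "write", "issues": "write", "pull_requests": "write",
    "security_events": "write", "members": "read",
    "organization_administration": "write", "organization_plan": "read",
    "organization_projects": "read", "workflows": "write"
  }
}""")

if __name__ == "__main__":
    for kind, items in audit_permissions(SAMPLE_INSTALLATION["permissions"]).items():
        print(f"{kind}: {items}")
```

Running it against a real installation means fetching the installation object with an org admin token and passing its `permissions` member to `audit_permissions`; anything under "unexpected" or "excessive" is a grant to review with the vendor.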