Security Policy

Understanding the security measures and practices at Hypermod.


At Hypermod, ensuring the security and integrity of your code is paramount. This policy outlines the measures we take to protect your data, as well as the responsibilities of our users to maintain a secure environment.

Glossary

  • Transformations: Automated code modifications made to a codebase. These can include anything from syntax changes and code refactoring to updating dependencies.
  • Scanners: Special types of transformations designed to analyze code for specific characteristics or patterns, such as counting occurrences of certain elements, rather than altering the code.
  • GitHub Actions: Automated tasks configured within a GitHub repository. Actions can be used to automate workflows for software development processes, such as CI/CD, testing, or code transformations.
  • GitHub Workflows: Configurations that use GitHub Actions to automate sequences of tasks (or "jobs") based on certain GitHub events, like a push or a pull request.

Security Measures

Code Transformation and Scanning

Hypermod runs code transformations and scans through GitHub Workflows and Actions. This design ensures that:

  • Repository contents are not downloaded to or transferred through Hypermod's servers to process transformations. Instead, transformations execute inside your own GitHub environment, on GitHub Actions runners, with the repository checked out there.
  • Scanners operate under the same principle: they analyze the code on the runner, and only their results leave the repository, not the source.

This architecture significantly reduces the risk of unauthorized access to your source code, because the operations that touch it are contained within your GitHub environment and Hypermod never needs to hold a copy of it for transformations or scans.

Workflow and Action Security

To further secure your code:

  • Hypermod dispatches requests to the workflows you have set up in your repositories. Those workflows then use GitHub Actions to download and execute the requested transformations or scans; nothing runs unless a workflow you control accepts the request.
  • Our open-source CLI is designed to perform these operations securely from within the workflow, so that your code remains under your control and you can inspect exactly what runs.

Source Code Access

While Hypermod does not download your source code for transformations or scans, the editor experience does require access to source files in order to:

  • Preview transformations
  • Let you confirm that the proposed changes meet your expectations before they are applied

This access is limited to reading files for preview purposes and is safeguarded by GitHub's permission model and Hypermod's security protocols.

User Responsibilities

Trusted Transforms

  • Only use transforms and scanners from trusted authors, to minimize the risk of executing malicious code within your repositories: a transform runs inside your workflow with the workflow's permissions.
  • Review the source code and the reputation of the author of any transformation or scanner before integrating it into your workflows, and pin to a specific, reviewed version rather than a moving reference.

Monitoring and Auditing

  • Regularly monitor the execution of workflows and actions within your repositories for unusual activity, such as runs you did not expect, new or changed workflow files, or steps that contact unfamiliar hosts.
  • Audit the permissions granted to GitHub Actions (the GITHUB_TOKEN scopes in your workflows) and to third-party applications installed on your repositories, to ensure they follow the principle of least privilege.
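One concrete way to carry out the permissions audit above, together with the version-pinning check implied by "trusted transforms", as an added example that is not part of Hypermod's documentation or CLI: a small Python script that walks a GitHub Actions workflow file and flags actions that are not pinned to a full commit SHA, a missing top-level permissions block, and over-broad grants. The two workflow files are constructed samples, the action names and the SHA placeholder are assumptions, and the parser is deliberately line-based so it runs without PyYAML; the permissions semantics it relies on (the repository default for GITHUB_TOKEN when no block is present, and write-all granting every scope) are GitHub's documented behaviour.

```python
"""Audit a GitHub Actions workflow for least-privilege and supply-chain issues.

Findings are (line_number, severity, message). Line-based parsing is used on
purpose so the check runs anywhere Python does, without a YAML library.
"""
import re

# `- uses: owner/repo@ref` or `uses: owner/repo@ref`, optionally quoted
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
# `permissions:` with an optional inline value (read-all, write-all, {})
PERMS_RE = re.compile(r"^(\s*)permissions:\s*(\S*)")
# one scope line inside a permissions block, e.g. `contents: write`
SCOPE_RE = re.compile(r"^(\s*)([a-z-]+):\s*(read|write|none)\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return a list of (line_number, severity, message) for one workflow file."""
    findings = []
    top_level_perms = False
    perms_indent = None  # indentation of the permissions: block we are inside, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())

        # A permissions block ends when indentation drops back to its own level
        if perms_indent is not None and indent <= perms_indent:
            perms_indent = None
        if perms_indent is not None:
            m = SCOPE_RE.match(line)
            if m and m.group(3) == "write":
                findings.append((lineno, "info", f"grants {m.group(2)}: write; confirm the job needs it"))
            continue

        m = PERMS_RE.match(line)
        if m:
            if indent == 0:
                top_level_perms = True
            value = m.group(2)
            if value == "write-all":
                findings.append((lineno, "warn", "permissions: write-all grants every scope; list only the needed ones"))
            elif value == "":
                perms_indent = indent  # scopes follow on indented lines
            continue

        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue  # local action or image reference; out of scope here
            if "@" not in ref:
                findings.append((lineno, "warn", f"{ref} has no version reference at all"))
                continue
            name, _, version = ref.rpartition("@")
            if not SHA_RE.match(version):
                findings.append((lineno, "warn", f"{name} pinned to mutable ref {version!r}; pin to a full commit SHA"))
    if not top_level_perms:
        findings.insert(0, (0, "warn", "no top-level permissions: block; GITHUB_TOKEN gets the repository default"))
    return findings


# Constructed sample: a dispatch-triggered workflow with the common weaknesses.
WEAK = """\
name: transform
on:
  workflow_dispatch:
jobs:
  run:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/codemod-action@main
      - run: echo "run the transform here"
"""

# Constructed sample: the same workflow with scoped permissions and SHA pins.
# The 40-hex value is a placeholder (assumption); use the real commit SHA of the
# action release you reviewed.
HARDENED = """\
name: transform
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  run:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: echo "run the transform here"
"""


def warnings_only(text):
    """Convenience wrapper: just the findings that should block a merge."""
    return [f for f in audit_workflow(text) if f[1] == "warn"]


if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for lineno, severity, msg in audit_workflow(wf):
            print(f"  line {lineno:>2} [{severity}] {msg}")
```

Run it over each file in .github/workflows before accepting a transformation workflow; the hardened sample still reports an informational line for pull-requests: write, which is exactly the grant a reviewer should consciously accept for a job that opens pull requests.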

Risks

Despite our rigorous security measures, no system is entirely immune to risk. In particular, a transformation or scanner that contains malicious code executes inside your workflow with the workflow's permissions, and can therefore gain unauthorized access to your source files. Hypermod encourages vigilance in selecting and reviewing all third-party code.

Conclusion

Hypermod is committed to providing a secure platform for code transformations and scanning, utilizing GitHub's infrastructure to enhance security. Users play a crucial role in maintaining this security by selecting trusted transformations and regularly monitoring their repository activities.

For any security concerns or questions, please contact our security team at support@hypermod.com.