Security overview

We treat your code access with seriousness.

Buildpathio reads manifest files from your repos. Here's exactly what that means, what permissions we request, and how we protect that access.

Access model

Minimum required permissions.

Buildpathio requests read-only access to your repositories. We specifically read manifest files (OpenAPI, proto, AsyncAPI, package manifests). We do not read source code, secrets, CI/CD configurations, or any files outside the manifest directories you configure.

Read-only repository access

The GitHub and GitLab apps request contents:read and pull_requests:read only. No write permissions. No admin scopes. If you revoke the installation, Buildpathio's access ends immediately.

Manifest-only parsing

We only read files in paths you register as manifest sources (e.g., api/, proto/). Source code, test files, configuration secrets, and infrastructure definitions are not read. Note that the platform permission itself (contents:read) covers the whole repository; the restriction to your registered paths is enforced by Buildpathio's parser, so registered paths should be reviewed as carefully as the permission grant.
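The following is an added illustration of the kind of path allowlist such a rule implies. It is not Buildpathio's code; the registered directories, the manifest extensions and the sample repository tree are constructed for the example. It shows the edge cases a reviewer would check: a registered prefix like api/ must match on a directory boundary (not api-internal/), traversal such as api/../.env must not escape the allowed directory, and non-manifest files inside an allowed directory are still skipped.

```python
"""Illustrative manifest-path allowlist (added example, not Buildpathio's code).

A file from a repository tree is parsed only if it sits under one of the
directories registered as manifest sources and has a manifest file type.
"""
import posixpath
from typing import List, Optional

# Hypothetical registered manifest sources for one repository.
REGISTERED_SOURCES = ["api/", "proto/"]

# Only these file kinds are parsed, even inside an allowed directory (assumption).
MANIFEST_EXTENSIONS = (".yaml", ".yml", ".json", ".proto")


def normalize_repo_path(path: str) -> Optional[str]:
    """Return a clean, repo-relative POSIX path, or None if it escapes the tree."""
    p = path.replace("\\", "/")          # tolerate Windows-style separators
    if p.startswith("/"):
        return None                      # absolute paths are never repo-relative
    p = posixpath.normpath(p)            # collapses "a/./b" and "a/../b"
    if p in (".", "..") or p.startswith("../"):
        return None                      # still points outside the repo after normalising
    return p


def is_manifest_path(path: str, sources: List[str] = REGISTERED_SOURCES) -> bool:
    """True only for manifest files under a registered source directory."""
    clean = normalize_repo_path(path)
    if clean is None:
        return False
    if not clean.lower().endswith(MANIFEST_EXTENSIONS):
        return False
    for src in sources:
        # Normalise the registered directory and force a trailing slash so that
        # "api/" matches "api/openapi.yaml" but not "api-internal/openapi.yaml".
        prefix = posixpath.normpath(src).rstrip("/") + "/"
        if clean.startswith(prefix):
            return True
    return False


def select_manifests(tree: List[str], sources: List[str] = REGISTERED_SOURCES) -> List[str]:
    """Filter a repository file listing down to the files that will be parsed."""
    return [p for p in tree if is_manifest_path(p, sources)]


# Constructed sample repository tree for the example.
SAMPLE_TREE = [
    "api/openapi.yaml",
    "api/v2/orders.json",
    "proto/payments.proto",
    "api-internal/openapi.yaml",   # shares the string prefix, different directory
    "api/../.env",                 # traversal out of the allowed directory
    "src/main.py",                 # source code: never selected
    ".github/workflows/ci.yml",    # CI configuration: never selected
    "api/README.md",               # inside the directory but not a manifest
]

if __name__ == "__main__":
    for selected in select_manifests(SAMPLE_TREE):
        print(selected)
```

Running the block prints the three manifest files and nothing else; the traversal entry normalises to `.env` and is rejected because it no longer sits under `api/`.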

API keys are scoped

REST API keys are scoped per organization and can be restricted to specific endpoints (read-graph only, no write). Only a hash of each key is stored; the key itself is displayed once, at creation, and cannot be retrieved afterwards. Rotate keys at any time in your organization settings.
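As an added illustration of the pattern described above (not Buildpathio's code), the block below mints a key that is returned exactly once, stores only a SHA-256 digest of it, verifies presented keys with a constant-time comparison, and enforces an organization and endpoint-scope check before a call is allowed. The key format (a `bp_` prefix, a key id and a secret), the in-memory key table and the scope names are assumptions for the example.

```python
"""Illustrative hashed-at-rest API keys with per-org scopes (added example,
not Buildpathio's code). Key format, store shape and scope names are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

KEY_PREFIX = "bp_"          # hypothetical prefix; makes leaked keys easy for scanners to recognise
READ_GRAPH = "read-graph"   # hypothetical scope names
WRITE = "write"

# Stand-in for the key table: key id -> record. The raw key is never stored.
KEY_STORE: Dict[str, dict] = {}


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def create_key(org_id: str, scopes: Set[str]) -> str:
    """Mint a key for one organization. The raw key is returned once and only its digest kept."""
    key_id = secrets.token_hex(8)            # public lookup handle, not secret
    secret = secrets.token_urlsafe(32)       # 256 bits of randomness
    raw = f"{KEY_PREFIX}{key_id}.{secret}"
    KEY_STORE[key_id] = {
        "org": org_id,
        "digest": _digest(raw),
        "scopes": frozenset(scopes),
        "revoked": False,
    }
    return raw


def _key_id(raw_key: str) -> Optional[str]:
    """Extract the lookup handle from a presented key, or None if it is malformed."""
    if not raw_key.startswith(KEY_PREFIX):
        return None
    key_id, sep, _secret = raw_key[len(KEY_PREFIX):].partition(".")
    return key_id if sep else None


def authenticate(raw_key: str) -> Optional[dict]:
    """Return the key record if the key is valid and not revoked, else None."""
    key_id = _key_id(raw_key)
    rec = KEY_STORE.get(key_id) if key_id else None
    if rec is None or rec["revoked"]:
        return None
    # Look up by id, then compare digests in constant time so the comparison
    # itself does not leak how many leading bytes matched.
    if not hmac.compare_digest(rec["digest"], _digest(raw_key)):
        return None
    return rec


def authorize(raw_key: str, org_id: str, required_scope: str) -> bool:
    """Allow a call only if the key is valid, belongs to org_id and carries the scope."""
    rec = authenticate(raw_key)
    if rec is None:
        return False
    return rec["org"] == org_id and required_scope in rec["scopes"]


def rotate_key(old_raw_key: str) -> str:
    """Revoke a key and mint a replacement with the same organization and scopes."""
    rec = authenticate(old_raw_key)
    if rec is None:
        raise ValueError("unknown or already revoked key")
    rec["revoked"] = True
    return create_key(rec["org"], set(rec["scopes"]))


if __name__ == "__main__":
    key = create_key("org_a", {READ_GRAPH})
    print("read-graph allowed:", authorize(key, "org_a", READ_GRAPH))
    print("write allowed:", authorize(key, "org_a", WRITE))
    replacement = rotate_key(key)
    print("old key still valid:", authenticate(key) is not None)
    print("new key valid:", authenticate(replacement) is not None)
```

Because only the digest is stored, a dump of the key table cannot be replayed against the API, which is what makes showing the key a single time at creation workable.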

Data encryption

All data in transit is encrypted via TLS 1.3. Dependency graph data is encrypted at rest. We store your graph data in AWS us-east-1 only. We do not operate in any jurisdiction outside the United States.

Vulnerability disclosure

Found a security issue?

If you discover a security vulnerability, please report it to [email protected] before disclosing it publicly. We aim to acknowledge all security reports within 24 hours and to resolve confirmed vulnerabilities within 7 days. We do not operate a formal bug bounty program at this time, but we credit all researchers who disclose responsibly.

Security questions before you sign up?