Security

Ubicloud is committed to keeping customer data safe and secure. You can read more about our security practices in the general security page. This page reiterates some of those practices and shares more information that's relevant in the context of our GitHub Actions integration.

Network / Infrastructure Security

We use established best practices to provide cloud security. In summary, these include:

  • For our managed service, we review and select hosting providers based on their physical and digital security practices.

  • Elastic Compute: We use Linux KVM for full virtualization, a trusted VM technology used by millions of developers worldwide. Further, we use Cloud Hypervisor as our virtual machine monitor (VMM) and contain each VMM within Linux namespaces for additional isolation and security.

  • Virtual Networking: We use IPsec tunneling to establish an encrypted and private network environment, and we regularly rotate encryption keys. For security, each customer's VMs operate in their own networking namespace.

  • Firewall Settings: When running your GitHub workflows, we allow connections initiated by the virtual machine (VM) and any return traffic. However, we drop packets from the internet that attempt to establish new connections to the VM.

Software Security

Ubicloud cloud services are available under the Elastic V2 License. We follow an open development model and our source code is available for review on GitHub: https://github.com/ubicloud/ubicloud

If you discover any security issues when reviewing Ubicloud services or integrations, please report them using the process described in our general security page.

Additionally, we follow standard security best practices to receive vulnerability alerts. These include:

  • Code scanning alerts through CodeQL, an industry-leading semantic code analysis engine
  • Security issue alerts through the language-specific static code analysis engine Ruby Brakeman
  • Secret scanning alerts
  • Dependabot alerts to receive notifications when one of our dependencies has a vulnerability

Clean and Ephemeral VM for Each Job

Ubicloud uses VMs to securely isolate your data from other users. For each new CI/CD job, we also provide you with a clean and ephemeral VM. Upon the job's completion, we decommission the VM and delete the block storage device associated with the VM.

This ensures that there is no way to persistently compromise the GitHub Actions environment or otherwise gain access to more information than was placed in this environment during the bootstrap process.

Using Just-In-Time Runners

Ubicloud follows GitHub's recommendation of using just-in-time (JIT) runner APIs to improve runner registration security. We use GitHub's REST API to create and receive a JIT config file from GitHub and pass on this file to the Ubicloud runner at start-up. We don't store this JIT config file in any way.

This ensures that we create ephemeral, JIT runners. These runners perform at most one job before being automatically removed from the repository.
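
The JIT request and hand-off described above, sketched in Ruby as an added example (this is not Ubicloud's own code). The endpoint, request fields and the runner's `--jitconfig` flag are GitHub's documented JIT runner interface; the token source, runner name, label and runner directory are assumptions made for illustration.

```ruby
require "json"
require "net/http"
require "uri"

GITHUB_API = "https://api.github.com"

# Build the POST that asks GitHub for a just-in-time runner configuration.
# token is assumed to be a short-lived credential allowed to manage runners
# for the repository; runner_group_id 1 is GitHub's default runner group.
def jit_config_request(owner:, repo:, token:, name:, labels:, runner_group_id: 1)
  uri = URI("#{GITHUB_API}/repos/#{owner}/#{repo}/actions/runners/generate-jitconfig")
  req = Net::HTTP::Post.new(uri)
  req["Accept"] = "application/vnd.github+json"
  req["Authorization"] = "Bearer #{token}"
  req["X-GitHub-Api-Version"] = "2022-11-28"
  req.body = JSON.generate(name: name, runner_group_id: runner_group_id,
                           labels: labels, work_folder: "_work")
  req
end

# Pull the one-time config out of the API response body. The value is a
# credential: keep it in memory only, never write it to disk or to logs.
def extract_jit_config(body)
  cfg = JSON.parse(body)["encoded_jit_config"]
  raise ArgumentError, "response has no encoded_jit_config" if cfg.nil? || cfg.empty?
  cfg
end

# Send the request over TLS. GitHub answers 201 Created on success.
def fetch_jit_config(req)
  res = Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |http| http.request(req) }
  raise "generate-jitconfig failed: HTTP #{res.code}" unless res.code == "201"
  extract_jit_config(res.body)
end

# argv that starts the runner for exactly one job. runner_dir is a
# hypothetical install path on the freshly provisioned VM.
def runner_argv(encoded_jit_config, runner_dir: "/home/runner/actions-runner")
  [File.join(runner_dir, "run.sh"), "--jitconfig", encoded_jit_config]
end

# Typical flow on the control plane (not executed here, needs network access):
#   req = jit_config_request(owner: "acme", repo: "widgets", token: token,
#                            name: "runner-1", labels: ["example-label"])
#   argv = runner_argv(fetch_jit_config(req))  # hand argv to the VM, then discard it
```

Because the config never touches persistent storage and the runner deregisters after one job, a leaked copy is only useful until that job has been picked up.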

Log Retention

We retain metadata logs containing information about CI/CD jobs, including the initiator, start time, duration, and selected hardware. With this metadata, we can maintain an audit log and analyze security incidents, if there are any, in more detail.