DocumentationSoftware AuditRepository Connection & Security

Repository Connection & Security

How CodeDD securely connects to your Git repositories

Repository Connection & Security

CodeDD connects to repositories through industry-standard authentication. Cloud audits clone to ephemeral processing environments; the CLI offers a local-first alternative where source never leaves your infrastructure.

Supported Git providers

OAuth-integrated (recommended in the web UI):

  • GitHub (github.com and GitHub Enterprise)
  • GitLab (gitlab.com and self-hosted)
  • Azure DevOps
  • Bitbucket

Additional HTTPS hosts may be accepted when the URL matches CodeDD's validated hosting allowlist (e.g. Codeberg, Gitee). Arbitrary self-hosted URLs not on the allowlist are rejected at validation.

CLI local scope: any Git repository root on your machine — no cloud clone required.

Authentication methods

OAuth (recommended)

For GitHub, GitLab, Azure DevOps, and Bitbucket:

  1. Click Connect in the repository import flow
  2. Authorize CodeDD with read-only repository access
  3. Tokens are stored encrypted and refreshed per provider rules

Personal access tokens (PAT)

Use when OAuth is unavailable or for automation. Scope to minimum read permissions:

  • GitHubrepo (read)
  • GitLabread_repository
  • Azure DevOps — Code (Read)
  • Bitbucket — repository read

SSH keys

Supported as a last resort when OAuth and PAT are unavailable. ED25519 (preferred) and RSA keys are stored encrypted. CodeDD does not silently fall back to SSH when PAT fails — you get an explicit error instead.

Connection order

  1. OAuth token (if previously authorized)
  2. PAT (if provided)
  3. Public HTTPS (public repos only)
  4. SSH (only when configured)

If PAT authentication fails, CodeDD does not silently fall back to SSH. You receive an explicit error and can choose to configure SSH separately.

Clone to Ephemeral Environment

Once authenticated:

  • Repository cloned to an isolated processing environment
  • Environment exists only for the audit duration
  • Files encrypted at rest during processing (Fernet)
  • Environment destroyed and source securely wiped on completion

Security Measures

Credential Protection

  • Credentials encrypted at rest (Fernet) in secure storage
  • Never logged or exposed in error messages
  • Masked in all system outputs
  • Revocable at any time from your Git provider

Credentials are not rotated automatically after each use — you control token lifecycle via your provider or by revoking CLI tokens in Account → CLI Access.

Repository Isolation

  • Ephemeral processing environments per audit
  • Restricted network egress (required services only — LLM APIs, vulnerability DBs)
  • Files encrypted immediately in the audit cache
  • Sensitive data cleared from memory after use

Audit Trail

  • Repository access timestamps logged
  • Authentication success/failure recorded (not credential values)
  • Source code never written to application logs

What Happens After Connection

During audit:

  • One-time clone (cloud) or local scope registration (CLI)
  • Read-only — no push access, no ongoing polling

After audit:

  • Clone deleted via secure wipe
  • Processing environment destroyed
  • Only findings and metadata retained

Security measures

  • Credentials encrypted at rest, never logged in plaintext
  • Ephemeral processing environments per audit
  • Restricted network egress to required services only
  • Files encrypted in the audit cache immediately after indexing
  • Access timestamps and auth success/failure logged (not credential values)

Credentials are not rotated automatically — you control token lifecycle via your Git provider or by revoking CLI tokens in Account → CLI Access.

Common scenarios

Private repositories — OAuth or read-only PAT; revoke after audit if desired.

Portfolio / group audits — organization-level OAuth or PAT; each repository processed in isolation; results aggregated at portfolio level.

Enterprise / air-gapped — use the CLI to run analysis locally and sync only structured results.

Best practices

For investors & advisors: request read-only OAuth or PAT; use time-limited service accounts; prefer CLI for highly sensitive source.

For portfolio companies: dedicated audit service accounts; read-only scope; revoke tokens after due diligence.

Next steps