Security First

Security at DevLens

We handle your code with the same care we'd want for our own. Here's how we protect your data at every layer.

Your code stays yours

We never store your source code permanently. Diffs are processed in memory and discarded after review.

No model training

Your code is never used to train or fine-tune AI models. Review data is processed, not learned from.

Self-host everything

Deploy DevLens on your own infrastructure. Your code never leaves your network.

Security Practices

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest for database and backups
  • API keys are hashed with bcrypt before storage
  • Secrets managed via environment variables, never in code

Authentication & Access

  • GitHub OAuth 2.0 + OIDC/SAML SSO for user authentication
  • Session-based auth (Redis-backed cookies) + scoped API keys
  • CSRF protection on all OAuth flows (state tokens stored in Redis)
  • Role-based access control (Owner, Admin, Member, Viewer)
  • Rate limiting on all abuse-prone endpoints (Redis-backed)

Code Data Handling

  • Code diffs are processed transiently in memory
  • No permanent storage of source code (unless opt-in)
  • Self-hosted option keeps all data in your infrastructure
  • We do not use your code to train AI models

Infrastructure

  • Multi-stage Docker builds with non-root containers
  • Health checks on all services (backend, worker, frontend)
  • PostgreSQL with connection encryption and parameterized queries
  • Redis with password authentication for sessions, rate limits, and caching
  • HSTS headers enforced in production (max-age=63072000)

Application Security

  • Security headers on all responses (HSTS, CSP, X-Frame-Options, Referrer-Policy)
  • GitHub webhook signature verification (HMAC-SHA256)
  • Pydantic validation on all API inputs with strict schemas
  • Automated dependency audits in CI (pip-audit + npm audit)
  • Dependabot configured for all ecosystems (pip, npm, Docker, GitHub Actions)
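As an added illustration of the webhook signature verification listed above (example code, not DevLens's own implementation): GitHub signs the raw request body with the shared webhook secret and sends the hex HMAC-SHA256 in the X-Hub-Signature-256 header, and the receiver must recompute and compare it in constant time. The function names, the sample secret and the sample payload below are assumptions constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# Hypothetical helper (not DevLens code): verify one GitHub webhook delivery.
# The header value has the form "sha256=<hex digest of HMAC-SHA256(secret, raw body)>".
def verify_github_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    if not signature_header:
        return False  # unsigned delivery: reject, never fall back to trusting the body
    prefix = "sha256="
    if not signature_header.startswith(prefix):
        return False  # wrong or legacy algorithm prefix (e.g. sha1=) is not accepted
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    received = signature_header[len(prefix):]
    # Constant-time comparison on bytes: a plain == would leak, via response timing,
    # how many leading characters of the guess were correct. Comparing bytes also
    # avoids compare_digest rejecting non-ASCII str input with an exception.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))

def sign_body(secret: bytes, body: bytes) -> str:
    """Build the header value GitHub would send; used here only to construct sample deliveries."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    # Constructed sample values, not a real secret or a real delivery.
    secret = b"example-webhook-secret"
    body = b'{"action":"opened","number":42}'
    good = sign_body(secret, body)
    print(verify_github_signature(secret, body, good))          # True
    print(verify_github_signature(secret, body + b" ", good))   # False: body altered after signing
    print(verify_github_signature(b"other-secret", body, good)) # False: signed with a different secret
    print(verify_github_signature(secret, body, None))          # False: header missing
```

The check must run over the raw request bytes, not a re-serialized JSON object, since any whitespace or key-order change alters the digest.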

Monitoring & Response

  • Prometheus metrics and Grafana dashboards for real-time monitoring
  • React Error Boundary for graceful frontend crash recovery
  • Global API request timeouts (30s) and automatic session handling on 401 responses
  • Audit logging for all organization events
  • Structured logging with correlation IDs for incident investigation

Responsible Disclosure

Found a security vulnerability? We appreciate your help in keeping DevLens safe. Please report vulnerabilities responsibly — we commit to acknowledging reports within 24 hours and providing updates within 72 hours.

Report a vulnerability

Email: info@devlens.xyz