
Security

Cortex takes security very seriously. The following describes the data we store, what we access from third parties and how, and more.

Storage

Service Details

Cortex stores the metadata about your services on our servers in order to power features like the service catalog, Slack notifications, and more. This includes:

  • Reference IDs to third-party data (PagerDuty rotation ID, Okta group ID, etc.)
  • Ownership information (users/owners)
  • Name/description

API Schemas

If you use Cortex's breaking API change detection feature, we additionally store the API schemas you upload to Cortex (OpenAPI, GraphQL, etc.).

Third Party Integrations

API Keys

All API keys are encrypted at rest. Details for certain API key permissions follow.

GitHub

The GitHub app requires the following permissions:

  • Read/Write on Checks - used to check for backwards-incompatible changes (when enabled) and to check the validity of the cortex.yaml file.
  • Read on Contents - used only to fetch commit history metadata (author, timestamp, message, SHA). We never use this permission to read file contents; unfortunately GitHub does not offer apps a narrower permission that covers only commit history.
  • Read on Metadata - this is a default permission that is mandatory for all GitHub apps. We use it to get basic details about the repo (name, description, etc.).
  • Read/Write on Pull Requests - this permission is needed for the backwards-incompatibility checks and the linting of the cortex.yaml file. The GitHub app comments on PRs with errors in both cases. This permission does not give us the ability to modify or commit code to the PR.
  • Read/Write on Commit Statuses - after running the backwards-incompatibility check or linting the cortex.yaml file, we update the status of the commit with a pass/fail.
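Because the Read on Contents grant technically permits reading file contents, the "metadata only" use described above is a policy commitment rather than something GitHub enforces. What an installing organization can verify is that the permissions actually granted to the installation are no broader than the list above. The following is an added example, not Cortex code or part of the original page: it compares the `permissions` object of a GitHub App installation record (the shape returned by endpoints such as `GET /orgs/{org}/installation`) against the documented set and reports anything extra or over-broad. The installation record below is constructed sample data, deliberately containing one over-broad grant and one undocumented permission so the audit has something to find.

```python
"""Least-privilege audit of a GitHub App installation's permissions.

Added example, not Cortex's code. The documented set is the one listed on
this page, keyed by the names GitHub's REST API uses in the "permissions"
object of an installation record. The sample installation is constructed.
"""
import json

# Access levels GitHub uses for app permissions, in increasing order.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# The permission set documented above, in GitHub API naming.
DOCUMENTED = {
    "checks": "write",
    "contents": "read",
    "metadata": "read",
    "pull_requests": "write",
    "statuses": "write",
}

# Constructed sample of an installation record (not captured from GitHub).
# It includes one over-broad grant (contents: write) and one permission the
# page does not list (issues) so that the audit below reports both.
SAMPLE_INSTALLATION = json.loads("""
{
  "id": 1,
  "permissions": {
    "checks": "write",
    "contents": "write",
    "metadata": "read",
    "pull_requests": "write",
    "statuses": "write",
    "issues": "read"
  }
}
""")


def audit_permissions(granted, documented=DOCUMENTED):
    """Compare granted permissions with the documented set.

    Returns a dict with three findings:
      excess       - granted at a higher level than documented: {name: (documented, granted)}
      undocumented - granted but not listed on the page: {name: granted}
      missing      - documented but absent or below the documented level:
                     {name: (documented, granted)}; the app would not work,
                     but it also signals that the documentation is stale.
    """
    findings = {"excess": {}, "undocumented": {}, "missing": {}}
    for name, level in granted.items():
        want = documented.get(name)
        if want is None:
            findings["undocumented"][name] = level
        elif LEVELS[level] > LEVELS[want]:
            findings["excess"][name] = (want, level)
    for name, want in documented.items():
        have = granted.get(name, "none")
        if LEVELS[have] < LEVELS[want]:
            findings["missing"][name] = (want, have)
    return findings


def is_least_privilege(granted, documented=DOCUMENTED):
    """True only when the grant matches the documented set exactly."""
    f = audit_permissions(granted, documented)
    return not (f["excess"] or f["undocumented"] or f["missing"])


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed it the
    # "permissions" field of a real installation record.
    print(json.dumps(audit_permissions(SAMPLE_INSTALLATION["permissions"]), indent=2))
```

The check deliberately treats any level above the documented one as a finding even when the documented level is read, since Read on Contents is the permission the page itself flags as broader than its use. Re-running it after an app update is a cheap way to notice a permission change before accepting it.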

Rollbar

The Rollbar integration requires a Rollbar Account Access Token with read and write scope.

  • Read scope is necessary to view all Rollbar projects in an account.
  • Write scope is necessary to generate Project Access Tokens for the Rollbar projects that get integrated with Cortex. Each project token has read scope only.