Cortex takes security very seriously. The following is information about the data we store, how/what we access from third parties, and more.
Cortex stores the metadata about your services on our servers in order to power features like the service catalog, Slack notifications, and more. This includes:
- Reference IDs to third party data (PagerDuty rotation ID, Okta group ID, etc)
- Ownership information (users/owners)
If you use Cortex's breaking API change detection feature, we additionally store the API schema uploaded to Cortex (OpenAPI, GraphQL, etc).
Third Party Integrations
We request read-only API keys for all services you integrate with. These API keys are encrypted at rest.
The GitHub app requires the following permissions:
- Read/Write on Checks - used to check for backwards incompatible changes (when enabled) and to check validity of the
- Read on Contents - used only to fetch commit history metadata (author, timestamp, message, SHA). We never use this permission to access contents of files; unfortunately GitHub does not provide apps with a granular permission to view solely commit history.
- Read on Metadata - this is a default permission that is mandatory for all GitHub apps. We use this to get basic details about the repo (name, description, etc).
- Read/Write on Pull Requests - this permission is needed for the backwards incompatibility checks and linting of the cortex.yaml file. The GitHub app comments on PRs with errors for both cases. This permission does not give us the ability to modify or commit code to the PR.
- Read/Write on Commit Statuses - after running the backwards incompatibility checks or linting the cortex.yaml file, we update the status of the commit with a pass/fail.