Coveralls Enterprise operates on your infrastructure, which means it is governed by your existing information security controls, from firewalls and VPNs to IAM and monitoring systems. This on-premises solution can help you avoid the regulatory compliance issues that arise when you use cloud-based solutions. Below is an overview of the security features built into the appliance, along with information about Coveralls's development practices for application security.
Coveralls Enterprise provides a Linux user administration account and two types of application users.
Organizations, created on your locally installed GitHub Enterprise instance, are a core concept in Coveralls Enterprise. Membership in an organization on GitHub Enterprise grants a user on Coveralls access to all of that organization's repositories.
Coveralls Enterprise provides four primary authentication methods.
Coveralls Enterprise is designed to run behind your corporate firewall. To secure communications over the wire, we encourage you to run Coveralls Enterprise over SSL. An administrator can add 2048-bit or higher commercial SSL certificates for HTTPS traffic.
Having an accurate record of all user and system activity is a core requirement for many customers. Coveralls Enterprise has detailed audit records, accessible to the site administrators, that capture relevant security information. The system also provides traditional operating system and application access logs.
While not an exhaustive list, the following are some examples of the audit and logging information available:
Audit logs are permanently stored on the system, and both types of logs can be exported from the system in real-time using the standard syslog protocol. This enables you to integrate this data with remote systems, such as an IDS/IPS, for analysis and notification.
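The paragraph above describes shipping audit and access logs to a remote system over syslog for analysis. The following is an added example of what that receiving side can do with them; it is not Coveralls Enterprise code, and the audit message layout (RFC 5424 header, `AUTH` message id, `key=value` body) and all sample lines are constructed assumptions for illustration, not the appliance's real record format.

```python
"""Parse RFC 5424 syslog lines and flag repeated login failures per source.

Added example for a remote log consumer (e.g. the IDS/IPS side of a syslog
export). The audit record layout below is an assumption: constructed sample
data, not the actual Coveralls Enterprise audit format.
"""
import re
from collections import Counter
from datetime import datetime

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)

# Constructed sample export; the AUTH/key=value layout is hypothetical.
SAMPLE_LINES = [
    '<84>1 2024-05-01T10:00:01Z coveralls-ent coveralls-audit 1204 AUTH - event=login user=alice result=failure src=10.0.4.7',
    '<84>1 2024-05-01T10:00:04Z coveralls-ent coveralls-audit 1204 AUTH - event=login user=alice result=failure src=10.0.4.7',
    '<84>1 2024-05-01T10:00:09Z coveralls-ent coveralls-audit 1204 AUTH - event=login user=bob result=failure src=10.0.4.7',
    '<86>1 2024-05-01T10:00:15Z coveralls-ent coveralls-audit 1204 AUTH - event=login user=alice result=success src=10.0.4.7',
    '<84>1 2024-05-01T10:01:00Z coveralls-ent coveralls-audit 1204 AUTH - event=login user=carol result=failure src=10.0.9.2',
    '<30>1 2024-05-01T10:01:02Z coveralls-ent nginx 1020 ACCESS - 10.0.4.7 "GET /repos HTTP/1.1" 200',
    'this line is not syslog at all',
]


def parse_syslog(line):
    """Return a dict of header fields plus decoded facility/severity, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # PRI = facility * 8 + severity (RFC 5424 section 6.2.1)
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def parse_kv(msg):
    """Split a 'key=value key="quoted value"' message body into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', msg)
    return {k: v.strip('"') for k, v in pairs}


def failed_login_alerts(lines, threshold=3):
    """Count login failures per source address; return those at/above threshold.

    Malformed lines and non-AUTH records are skipped rather than raising, so a
    single garbled export line does not stop the pipeline.
    """
    failures = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["msgid"] != "AUTH":
            continue
        fields = parse_kv(rec["msg"])
        if fields.get("event") == "login" and fields.get("result") == "failure":
            failures[fields.get("src", "unknown")] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in failed_login_alerts(SAMPLE_LINES).items():
        print(f"ALERT: {n} failed logins from {src}")
```

The threshold and the `src` field are the only tuning points; in a real deployment you would key on whatever identifiers the appliance's audit records actually carry and window the counts by time rather than over the whole batch.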
Coveralls Enterprise is built on the Ubuntu Linux operating system, with all unnecessary services and applications removed. Only network services necessary for the appliance to function are exposed to the network. Internal system services, like the database, are configured to listen on the local `loopback` address.
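A practical way to verify the claim above on a running appliance is to list listening sockets and confirm that everything except the intended network services is bound to a loopback address. The following is an added example (not Coveralls tooling) that parses `ss -Hltnp` style output and reports any non-loopback listener whose port is not on an allow list; the sample output, process names and allowed ports are constructed assumptions, not values taken from a Coveralls Enterprise system.

```python
"""Audit which services listen on non-loopback interfaces.

Added example, not Coveralls Enterprise code. Input is the column layout of
`ss -Hltnp` (State Recv-Q Send-Q Local:Port Peer:Port Process); the sample
below is constructed and the allow list (22, 443) is an assumption.
"""
import ipaddress
import re

# Constructed sample in `ss -Hltnp` layout; not from a real appliance.
SAMPLE_SS = [
    'LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=812,fd=5))',
    'LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1020,fd=6))',
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))',
    'LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=900,fd=7))',
    'LISTEN 0 128 *:8080 *:* users:(("java",pid=2200,fd=12))',
    'LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=812,fd=6))',
    'LISTEN 0 128 [::]:443 [::]:* users:(("nginx",pid=1020,fd=7))',
]

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def _is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds are network-reachable."""
    if addr in ("*", "0.0.0.0", "::"):
        return False
    return ipaddress.ip_address(addr).is_loopback


def classify(line):
    """Return (process, address, port, is_loopback) for one LISTEN row, or None."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    addr, port = parts[3].rsplit(":", 1)      # handles "[::1]:5432" and "*:8080"
    addr = addr.strip("[]")
    m = PROC_RE.search(line)
    proc = m.group(1) if m else "?"
    return proc, addr, int(port), _is_loopback(addr)


def unexpected_exposures(lines, allowed_ports=frozenset({22, 443})):
    """List (process, address, port) for network-reachable listeners not on the allow list."""
    findings = []
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        proc, addr, port, loopback = rec
        if not loopback and port not in allowed_ports:
            findings.append((proc, addr, port))
    return findings


if __name__ == "__main__":
    for proc, addr, port in unexpected_exposures(SAMPLE_SS):
        print(f"EXPOSED: {proc} listening on {addr}:{port}")
```

On a live host, feed it the lines of `ss -Hltnp` (run as root so process names are populated) and adjust the allow list to the ports your deployment intentionally exposes; anything it reports is either a service that should be bound to loopback or a port that belongs on the allow list and in your firewall rules.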
Coveralls's application security team focuses full-time on vulnerability assessment, penetration testing, and code review for Coveralls products. Coveralls also contracts with outside security firms to provide point-in-time security assessments of Coveralls products on a quarterly basis.
Patching of the core operating system and its running services to address security concerns is managed by Coveralls as part of its standard product release cycle. This includes patches for functionality, stability, and non-critical security issues in Coveralls applications. Critical security patches are provided as needed outside of the regular release cycle, to improve time to resolution and also limit changes to the system.
Security-only patches are announced on our Enterprise customer portal, and also with email notifications.
By design, Coveralls Enterprise is able to operate without any egress access from your network to outside services. The system administrator can optionally enable the integration of external services including SMTP, Syslog, and Gravatar.
The system does not attempt to communicate with Coveralls's own servers; however, your system administrator can collect data helpful for troubleshooting any issues, and manually deliver that data to the Coveralls Enterprise Support Team.