Security

Scans on every build. Source code on no servers.

Here's what we ship today and what's on the way. We're in beta, so the audit certifications come later.

Code → Build → Scan → Deploy → Monitor

Security checks at every stage, not just at the end

What ships today

Four checks run on every successful build. The artifacts they produce are stored in your project so you can audit them.

CVE scan

Every built image is scanned for known CVEs across OS packages and your dependencies. Results land on the project's Security tab; you can block deploys on critical or high severity.

SBOM

An industry-standard software bill of materials is generated per build — direct and transitive dependencies, package versions, licences. Downloadable from the deployment detail page.

Secrets scan

The cloned source is checked for committed secrets before the build container is destroyed. Matches block the deploy and surface on the Security tab; we never push an image containing a leaked token.

Runtime EOL check

Every build resolves your runtime against a maintained end-of-life database — a Node 18 app gets flagged as past-EOL, a Java 22 app gets flagged as critical. Surfaces on the project security pill so you know before the auditor does.

Roadmap: coming, not shipping yet

Signed images with provenance attestation, policy-as-code gates per environment, runtime anomaly detection. We'll move them into the "ships today" list once they're wired, not before.

Compliance posture

We're in beta. We haven't completed third-party audits yet — we're building the controls that get us there.

Today: controls in place
  • TLS 1.3 in transit
  • Encrypted secrets at rest (Azure Key Vault)
  • Multi-tenant namespace isolation
  • Per-build SBOM, CVE scan, secrets scan
  • Read-only GitHub access
  • Source code never persisted past the build

Roadmap: on the path to
  • SOC 2 Type I audit (planned, no auditor engaged yet)
  • Full audit log to ClickHouse (in progress)
  • Customer-managed encryption keys (CMK)
  • HIPAA BAA process (Enterprise, when there's demand)
  • Penetration test on the platform (planned)

Need a specific compliance posture for a procurement review? Email security@vibsl.com and we'll send you what we have today.

Security Questions?

Contact our security team for documentation or specific requirements.