| title | Security |
|---|---|
| description | How Sonarly protects your code and data |
| icon | shield-halved |
Sonarly's SOC 2 Type 2 certification is in progress. Security is built into every layer of the platform.
- Sandboxed execution — All code analysis runs in isolated containers. Each tenant gets a dedicated sandbox.
- No persistent storage — Sandboxes have a 24-hour TTL. Your source code is never stored permanently.
- Credentials stay server-side when possible — Datadog, Grafana, SigNoz, and GCP credentials stay on the Sonarly backend (queries go through a server-side proxy). AWS and Vercel use temporary/scoped credentials written to isolated sandboxes.
- Tokens encrypted at rest — All OAuth tokens and API keys are encrypted using Fernet (AES-128-CBC with HMAC-SHA256).
- TLS in transit — All API communication uses HTTPS.
- JWT authentication — 15-minute access tokens + 30-day HTTP-only refresh cookies.
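What "encrypted at rest with Fernet" means in practice, as an added example (not Sonarly's own code): Fernet bundles an AES-128-CBC ciphertext with an HMAC-SHA256 tag, and the tag is checked before any decryption, so a blob that has been modified or was encrypted under a different key is rejected rather than decrypted to garbage. The example assumes the `cryptography` package and a key ring supplied by a secret manager; the `TOKEN_ENCRYPTION_KEYS` variable name and the generated fallback key are assumptions made so the code runs offline.

```python
"""Encrypting integration tokens at rest with Fernet (AES-128-CBC + HMAC-SHA256).

Added example, not Sonarly's code. Assumes the `cryptography` package and a
key ring from a secret manager; TOKEN_ENCRYPTION_KEYS is an assumed env var.
"""
import os
from typing import List, Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def new_key() -> bytes:
    """Generate a Fernet key: 32 random bytes (16 for AES-128, 16 for HMAC), base64-encoded."""
    return Fernet.generate_key()


# Constructed fallback so the example runs offline; production loads the ring
# from a secret manager, never from a file checked into the repo.
_FALLBACK_KEY = new_key()


def load_key_ring() -> List[bytes]:
    """Newest key first; older keys are kept only so existing rows can be decrypted and rotated."""
    raw = os.environ.get("TOKEN_ENCRYPTION_KEYS")
    if raw:
        return [k.strip().encode() for k in raw.split(",") if k.strip()]
    return [_FALLBACK_KEY]


def _ring(keys: Optional[List[bytes]]) -> MultiFernet:
    return MultiFernet([Fernet(k) for k in (keys or load_key_ring())])


def encrypt_token(plaintext: str, keys: Optional[List[bytes]] = None) -> bytes:
    """Encrypt under the newest key. The blob carries version, timestamp, IV, ciphertext and HMAC tag."""
    return _ring(keys).encrypt(plaintext.encode())


def decrypt_token(ciphertext: bytes, keys: Optional[List[bytes]] = None) -> str:
    """Try each key in the ring; the HMAC is verified first, so a modified blob raises InvalidToken."""
    return _ring(keys).decrypt(ciphertext).decode()


def rotate_token(ciphertext: bytes, keys: Optional[List[bytes]] = None) -> bytes:
    """Re-encrypt a stored blob under the newest key; plaintext never leaves this call."""
    return _ring(keys).rotate(ciphertext)


def is_tampered(ciphertext: bytes, keys: Optional[List[bytes]] = None) -> bool:
    """True when the blob fails authentication (modified bytes or an unknown key)."""
    try:
        _ring(keys).decrypt(ciphertext)
        return False
    except InvalidToken:
        return True


if __name__ == "__main__":
    ring = [new_key()]
    blob = encrypt_token("xoxb-constructed-slack-token", ring)
    print(blob[:24], "...", decrypt_token(blob, ring))
```

Keep the ring ordered newest first: `encrypt_token` always uses the first key, `decrypt_token` falls back through the rest, and a background job calling `rotate_token` over stored rows retires an old key without a plaintext ever being returned to application code.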
Sonarly follows the principle of least privilege:
| Integration | Auth method | Access level |
|---|---|---|
| Sentry | OAuth | Read-only: org:read, project:read, event:read, member:read |
| GitHub | GitHub App | Contents read/write, Pull requests write, Metadata read (scoped to selected repos) |
| GitLab | OAuth (api scope) | Read/write repo access (scoped to selected repos) |
| Slack | OAuth | 8 bot scopes: chat:write, channels:read, groups:read, channels:history, groups:history, channels:join, users:read, users:read.email |
| Datadog | API Key + App Key | Read access to logs, monitors, traces, metrics, events, SLOs, RUM |
| Grafana | Service account token | Viewer + Data sources: Explorer roles (read-only query access) |
| GCP | Service account JSON key | Read-only: logging.read, monitoring.read, trace.readonly scopes |
| SigNoz | API key | Read access (Admin recommended for auto-webhook setup) |
| Mezmo | Service Key | Read-only log export access |
| AWS | IAM Role (cross-account AssumeRole) | Read-only: 7 AWS managed policies (CloudWatch, CloudTrail, EC2, ECS, Lambda, RDS, ELB) + health:Describe* |
| Vercel | API Token | Read-only CLI access to projects, deployments, logs |
All webhook endpoints verify signatures to prevent spoofing:
| Platform | Method |
|---|---|
| Sentry | HMAC-SHA256 with client secret |
| Datadog | HMAC-SHA256 (DD-WEBHOOK-SIGNATURE) |
| Grafana | Bearer token |
| SigNoz | Basic Auth |
| Mezmo | Webhook URL token |
All signature comparisons use constant-time algorithms to prevent timing attacks.
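The five verification methods in the table above, written out as an added example (not Sonarly's code) so the constant-time requirement is concrete: every comparison of a secret-derived value goes through `hmac.compare_digest`, whose running time does not depend on where the two values first differ, and an unknown platform is rejected rather than falling through to "accepted". Header names other than `DD-WEBHOOK-SIGNATURE` are assumptions for illustration, and the secrets and bodies in the test are constructed.

```python
"""Webhook signature verification with constant-time comparison.

Added example, not Sonarly's code. Header names other than
DD-WEBHOOK-SIGNATURE are assumptions; secrets and bodies are constructed.
"""
import base64
import hashlib
import hmac
from typing import Mapping


def sign_body(secret: bytes, body: bytes) -> str:
    """What the sender computes: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_hmac_sha256(secret: bytes, body: bytes, provided_hex: str) -> bool:
    """Sentry / Datadog style. Hash the raw bytes, not a re-serialised JSON object."""
    expected = sign_body(secret, body)
    # compare_digest takes the same time whether the mismatch is at byte 0 or byte 63.
    return hmac.compare_digest(expected, provided_hex or "")


def verify_bearer(expected_token: str, authorization: str) -> bool:
    """Grafana style: Authorization: Bearer <token>."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer":
        return False
    return hmac.compare_digest(expected_token.encode(), token.strip().encode())


def make_basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(expected_user: str, expected_password: str, authorization: str) -> bool:
    """SigNoz style: Authorization: Basic base64(user:password)."""
    scheme, _, encoded = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Bitwise & instead of `and`: both comparisons always run, so timing does
    # not reveal whether the username or the password was the wrong part.
    return hmac.compare_digest(expected_user.encode(), user.encode()) & hmac.compare_digest(
        expected_password.encode(), password.encode()
    )


def verify_url_token(expected_token: str, query_token: str) -> bool:
    """Mezmo style: a per-integration secret embedded in the webhook URL."""
    return hmac.compare_digest(expected_token.encode(), (query_token or "").encode())


def verify_webhook(
    platform: str,
    headers: Mapping[str, str],
    body: bytes,
    query: Mapping[str, str],
    secrets: Mapping[str, object],
) -> bool:
    """Dispatch to the right check; anything unrecognised is rejected."""
    h = {k.lower(): v for k, v in headers.items()}
    if platform == "sentry":
        return verify_hmac_sha256(secrets["client_secret"], body, h.get("sentry-hook-signature", ""))
    if platform == "datadog":
        return verify_hmac_sha256(secrets["webhook_secret"], body, h.get("dd-webhook-signature", ""))
    if platform == "grafana":
        return verify_bearer(secrets["token"], h.get("authorization", ""))
    if platform == "signoz":
        return verify_basic(secrets["user"], secrets["password"], h.get("authorization", ""))
    if platform == "mezmo":
        return verify_url_token(secrets["url_token"], query.get("token", ""))
    return False


if __name__ == "__main__":
    secret, body = b"constructed-secret", b'{"event":"error.created"}'
    print(verify_webhook("datadog", {"DD-WEBHOOK-SIGNATURE": sign_body(secret, body)},
                         body, {}, {"webhook_secret": secret}))
```

Two details matter beyond the comparison itself: the HMAC is computed over the raw request bytes, since re-serialising parsed JSON changes whitespace and key order and breaks the check, and a missing header is treated as an empty string so it fails verification rather than raising.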
Every database query is scoped to the authenticated tenant. Cross-tenant data access is impossible by design. Sessions are limited to 5 per user with automatic rotation.
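The two properties in the paragraph above, tenant-scoped queries and a five-session cap with rotation, as an added example (not Sonarly's code) modelled on sqlite3. The table names, columns and sample rows are constructed assumptions. The pattern that makes cross-tenant access impossible by design is that `tenant_id` comes from the authenticated context built from the verified JWT and is bound into every statement, never read from the URL or request body, so a row that belongs to another tenant cannot be addressed at all, even when its primary key is known.

```python
"""Tenant-scoped queries and a per-user session cap, modelled on sqlite3.

Added example, not Sonarly's code. Table names, columns and rows are
constructed assumptions.
"""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_SESSIONS_PER_USER = 5  # limit stated on the page


@dataclass(frozen=True)
class AuthContext:
    """Built from the verified JWT, never from request parameters."""
    tenant_id: str
    user_id: str


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE incidents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL);
        CREATE INDEX ix_incidents_tenant ON incidents (tenant_id);
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                               user_id TEXT NOT NULL, created_at INTEGER NOT NULL);
        """
    )
    # Constructed sample data: two tenants sharing one table.
    conn.executemany(
        "INSERT INTO incidents (tenant_id, title) VALUES (?, ?)",
        [("acme", "DB pool exhausted"), ("acme", "5xx spike"), ("globex", "Lambda timeout")],
    )
    conn.commit()
    return conn


def list_incidents(conn: sqlite3.Connection, ctx: AuthContext) -> List[Tuple[int, str]]:
    return conn.execute(
        "SELECT id, title FROM incidents WHERE tenant_id = ? ORDER BY id",
        (ctx.tenant_id,),
    ).fetchall()


def get_incident(conn: sqlite3.Connection, ctx: AuthContext, incident_id: int) -> Optional[Tuple[int, str]]:
    # The tenant filter stays even though the primary key is known: a guessed
    # or leaked id from another tenant returns None instead of the row.
    return conn.execute(
        "SELECT id, title FROM incidents WHERE id = ? AND tenant_id = ?",
        (incident_id, ctx.tenant_id),
    ).fetchone()


def create_session(conn: sqlite3.Connection, ctx: AuthContext, now: int) -> int:
    """Insert a session, then evict the oldest ones beyond the cap (rotation)."""
    cur = conn.execute(
        "INSERT INTO sessions (tenant_id, user_id, created_at) VALUES (?, ?, ?)",
        (ctx.tenant_id, ctx.user_id, now),
    )
    conn.execute(
        """
        DELETE FROM sessions
         WHERE tenant_id = ? AND user_id = ?
           AND id NOT IN (SELECT id FROM sessions
                           WHERE tenant_id = ? AND user_id = ?
                           ORDER BY created_at DESC, id DESC LIMIT ?)
        """,
        (ctx.tenant_id, ctx.user_id, ctx.tenant_id, ctx.user_id, MAX_SESSIONS_PER_USER),
    )
    conn.commit()
    return cur.lastrowid


def active_sessions(conn: sqlite3.Connection, ctx: AuthContext) -> List[int]:
    return [
        r[0]
        for r in conn.execute(
            "SELECT id FROM sessions WHERE tenant_id = ? AND user_id = ? ORDER BY id",
            (ctx.tenant_id, ctx.user_id),
        )
    ]


if __name__ == "__main__":
    db = open_db()
    print(list_incidents(db, AuthContext("acme", "u1")))
    print(get_incident(db, AuthContext("globex", "u2"), 1))  # None: wrong tenant
```

A useful check in code review is that no query against a tenant-owned table lacks a `tenant_id = ?` predicate; a database-level alternative that gives the same guarantee is row-level security keyed on a session variable set from the same authenticated context.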
- Imported errors and incidents are retained for the life of your account
- Sandbox environments are cleaned up after 24 hours
- You can request full data deletion at any time by contacting support