We check every build for problems.
Every build is scanned for known security holes and leaked secrets. We ship a slimmed-down, safer image where we can, and we never keep your source code. Here's what runs today and what's next.
Security checks at every stage, not just at the end
What ships today
Five checks run on every successful build. We also ship a slimmed-down, safer production image where your framework supports it.
Vulnerability scan
Every build is scanned for known security holes, in both the system packages and the libraries you depend on. Results show up on the project's Security tab. You can block a deploy when something serious turns up.
Contents list
We produce a full list of what's inside every build. That covers every library it pulls in, their versions, and their licences. You can download it from the deployment detail page.
Secrets scan
We check your code for leaked secrets before the build workspace is deleted. If we find one, the deploy is blocked and it shows up on the Security tab. We never ship an image with a leaked token in it.
Outdated-base check
Every build checks whether your language version is still supported. An old Node 18 app gets flagged as out of date, and a Java 22 app gets flagged as urgent. You see it on the project security pill, so you know before an auditor does.
Slim production images
We strip production down to the basics, with no package manager and no shell in the running app. That gives an attacker less to work with, and the scan results reflect what actually ships. We're adding this to more frameworks over time.
Signed images with SLSA-style provenance attestation, policy-as-code gates per environment, and full audit log export. We'll mark each one live as it ships.
Compliance posture
We haven't completed third-party audits yet - we're building the controls that get us there.
- • TLS 1.3 in transit
- • Encrypted secrets at rest (Azure Key Vault)
- • Tenant environment isolation (network + resource boundaries)
- • A contents list, a vulnerability scan, and a secrets scan on every build
- • Slim production images, where your framework supports it
- • Read-only GitHub access
- • Source code never persisted past the build
- • SOC 2 Type I audit (planned, no auditor engaged yet)
- • Full audit log persistence (in progress)
- • Customer-managed encryption keys (CMK)
- • HIPAA BAA process (Enterprise, when there's demand)
- • Penetration test on the platform (planned)
Need a specific compliance posture for a procurement review? Email security@vibsl.com and we'll send you what we have today.
Security Questions?
Contact our security team for documentation or specific requirements.