Security

We check every build for problems.

Every build is scanned for known security holes and leaked secrets. We ship a slimmed-down, safer image where we can, and we never keep your source code. Here's what runs today and what's next.

Code
then
Build
then
Scan
then
Deploy
then
Monitor

Security checks at every stage, not just at the end

What ships today

Five checks run on every successful build. We also ship a slimmed-down, safer production image where your framework supports it.

Vulnerability scan

Every build is scanned for known security holes, in both the system packages and the libraries you depend on. Results show up on the project's Security tab. You can block a deploy when something serious turns up.

Contents list

We produce a full list of what's inside every build. That covers every library it pulls in, their versions, and their licences. You can download it from the deployment detail page.

Secrets scan

We check your code for leaked secrets before the build workspace is deleted. If we find one, the deploy is blocked and it shows up on the Security tab. We never ship an image with a leaked token in it.

Outdated-base check

Every build checks whether your language version is still supported. An old Node 18 app gets flagged as out of date, and a Java 22 app gets flagged as urgent. You see it on the project security pill, so you know before an auditor does.

Slim production images

We strip production down to the basics, with no package manager and no shell in the running app. That gives an attacker less to work with, and the scan results reflect what actually ships. We're adding this to more frameworks over time.

Roadmap Coming next

Signed images with SLSA-style provenance attestation, policy-as-code gates per environment, and full audit log export. We'll mark each one live as it ships.

Compliance posture

We haven't completed third-party audits yet - we're building the controls that get us there.

Today Controls in place
  • • TLS 1.3 in transit
  • • Encrypted secrets at rest (Azure Key Vault)
  • • Tenant environment isolation (network + resource boundaries)
  • • A contents list, a vulnerability scan, and a secrets scan on every build
  • • Slim production images, where your framework supports it
  • • Read-only GitHub access
  • • Source code never persisted past the build
Roadmap On the path to
  • • SOC 2 Type I audit (planned, no auditor engaged yet)
  • • Full audit log persistence (in progress)
  • • Customer-managed encryption keys (CMK)
  • • HIPAA BAA process (Enterprise, when there's demand)
  • • Penetration test on the platform (planned)

Need a specific compliance posture for a procurement review? Email security@vibsl.com and we'll send you what we have today.

Security Questions?

Contact our security team for documentation or specific requirements.