Your data is secure with Jit
What data is pulled to Jit’s cloud?
Unlike many of Jit’s competitors, customer code is NEVER cloned or pulled to our cloud. Instead, Jit pulls only security vulnerability metadata, so customers can log in to Jit’s platform to monitor stats such as unresolved vulnerabilities in production.
For static scanners
Code analysis runs inside the customer’s own GitHub Actions or GitLab CI pipelines, so source code never leaves that environment. To run these analyses on GitHub, Jit requires a GitHub token, which is secured using the methodologies described below.
For dynamic scanners
For customers using Jit’s Dynamic Application Security Testing (DAST) and Cloud Security Posture Management (CSPM) controls, the analysis runs in our cloud and requires access to the customer’s cloud service provider accounts. Jit follows best practice by establishing a trust relationship between AWS accounts (a cross-account IAM role that Jit assumes to obtain temporary credentials) rather than using long-lived API keys. DAST and CSPM analyses do not require pulling code or other sensitive information about the customer’s environment to Jit’s cloud.
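To make the “trust relationship rather than API keys” model concrete, the following Terraform is an added example (not Jit’s own configuration) of the role a customer would create in their account for a third-party scanner. The vendor account ID, the external ID value and the role name are placeholders. The `sts:ExternalId` condition is the standard mitigation for the confused-deputy problem in cross-account access: without it, anyone who learns the role ARN could ask the vendor to scan the customer’s account on their behalf.

```hcl
# Added example, not Jit's configuration. The account ID 111111111111 (the
# scanner vendor's account) and the external ID string are assumptions; each
# customer should receive a unique, unguessable external ID from the vendor.
data "aws_iam_policy_document" "scanner_trust" {
  statement {
    sid     = "AllowScannerAccountToAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # Trust the vendor's AWS account as a whole; no access keys are exchanged,
    # the vendor calls sts:AssumeRole and receives short-lived credentials.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"]
    }

    # Confused-deputy protection: the vendor must present this per-customer
    # value on every AssumeRole call, so a third party cannot point the
    # vendor at this account simply by knowing the role ARN.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["replace-with-unique-per-customer-value"]
    }
  }
}

resource "aws_iam_role" "scanner" {
  name               = "ThirdPartySecurityScanner"
  assume_role_policy = data.aws_iam_policy_document.scanner_trust.json

  # Keep sessions short (3600 s is the minimum) so leaked temporary
  # credentials expire quickly.
  max_session_duration = 3600
}

# Least privilege for a posture scanner: the AWS-managed SecurityAudit policy
# grants read-only access to security-relevant configuration, not to data.
resource "aws_iam_role_policy_attachment" "scanner_readonly" {
  role       = aws_iam_role.scanner.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
```

When reviewing a vendor’s requested role, check three things: the principal is the vendor’s account (not `"*"`), an `sts:ExternalId` condition is present, and the attached permissions are read-only.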
How does Jit secure customer data?
Robust product security scanning
As a complete product security platform, all of Jit’s code is scanned with the product we deliver to customers. Our platform is based on the best-of-breed scanners available – determined by thorough research and benchmarking. These controls are automatically triggered with every pull request.
All code is scanned with Static Application Security Testing (SAST), Software Composition Analysis (SCA), secrets detection, and Dockerfile scanning. We also run daily Dynamic Application Security Testing (DAST) scans to surface vulnerabilities at runtime.
Cloud infrastructure is scanned with our IaC security and Cloud Security Posture Management controls. A continuously updated SBOM is constantly referenced to ensure supply chain security and open source license compliance.
Vulnerability management
Unresolved vulnerabilities are continuously monitored and patched in production. Our engineering team pays close attention to lowering its Jit security score, which is based on the unresolved vulnerabilities in its services.
Strict access management
Write access to production is limited to three engineering leaders, while the rest of the engineering team has read access for debugging purposes.
Beyond just access to production, Jit implements principles of least privilege to restrict engineer access to the services critical to their day-to-day functions.
For CI/CD pipeline security, Jit uses OpenID Connect (OIDC) instead of long-lived tokens: the pipeline presents a short-lived identity token issued by the CI provider, and the cloud provider exchanges it for temporary credentials, so no static cloud credentials need to be stored as pipeline secrets.
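The following Terraform is an added example (not Jit’s own pipeline configuration) of the AWS side of OIDC-based CI/CD authentication for GitHub Actions. The account ID, organization and repository names are placeholders, and it assumes the `token.actions.githubusercontent.com` OIDC identity provider has already been registered in the account. The `aud` and `sub` conditions are the security-relevant part: without the `sub` condition, any GitHub repository in the world could assume the role.

```hcl
# Added example, not Jit's configuration. Account 222222222222, the org
# "example-org" and repo "example-repo" are assumptions. The OIDC provider
# resource is assumed to exist already.
data "aws_iam_policy_document" "github_actions_trust" {
  statement {
    sid     = "AllowGitHubActionsViaOIDC"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    # The principal is the identity provider, not a user or an access key:
    # the workflow presents a signed JWT minted by GitHub for that job.
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::222222222222:oidc-provider/token.actions.githubusercontent.com"]
    }

    # Audience must be STS; rejects tokens minted for some other relying party.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Subject pins the role to one repository and branch. For workflows that
    # run on pull_request events the subject is
    # "repo:example-org/example-repo:pull_request" instead. Never leave this
    # condition out or set it to "repo:*".
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-repo:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name                 = "GitHubActionsSecurityScan"
  assume_role_policy   = data.aws_iam_policy_document.github_actions_trust.json
  max_session_duration = 3600
}
```

On the workflow side, the job needs `permissions: id-token: write` (plus `contents: read`) and a step such as `aws-actions/configure-aws-credentials@v4` with `role-to-assume` set to the role ARN above; the action requests the OIDC token from GitHub and calls `AssumeRoleWithWebIdentity`, so the repository stores no AWS secret at all.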
All Jit employees have a 1Password account to manage and rotate their passwords to help prevent unauthorized access to systems handling sensitive data.
Onboarding and offboarding customers is entirely automated as code. Jit uses SSO in every service we rely on to lower the risk of orphan users in our systems.
Encryption and secure protocols
In transit, data transmitted between Jit and our customers’ environments is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). All data is encrypted at rest in MongoDB and AWS DynamoDB.
Which compliance standards does Jit fulfill?
Jit is compliant with SOC 2 Type II. We use Drata to continuously monitor employee actions to ensure compliance, while Jit’s own security controls cover all requirements related to product security.
Jit is also compliant with GDPR.