Zero data retention
CodeRabbit communicates with LLM providers to generate code reviews. We send code diffs along with contextual data about the code to improve code reviews and provide better suggestions. The data is encrypted in transit using transport layer security (TLS). Proprietary code is never used to train or improve the models in any way. Queries to the LLMs are ephemeral, and no data is stored or logged by the LLMs.
Complete data isolation
Upon starting a new review, CodeRabbit starts in an isolated environment. Upon finishing the review and finally posting the review comments, CodeRabbit disposes of the environment and no traces of the code are stored on CodeRabbit’s servers. This flow ensures that no parts of the codebase are available outside of the scope and duration of the code review.
Audits and Certifications
CodeRabbit is SOC 2 Type II certified, with a new report released annually. The report describes CodeRabbit's security controls and examines how those controls meet the AICPA Trust Service Principles. It provides an independent assessment of how well CodeRabbit manages data with respect to security, availability, and confidentiality.
How does CodeRabbit help in secure development?
As code reviews are generated, and before they are posted on a PR, CodeRabbit verifies that the suggested code contains no insecure coding patterns. This helps make the code suggestions more secure.
The system uses LLMs to detect vulnerable patterns in code changes. This means that insecure patterns can be quickly detected and replacements can be suggested as part of the code review.
One of the best ways to secure your codebase is by using code scanning, secret scanning and vulnerability detection tools. CodeRabbit runs a suite of tools to detect common bad practices, infrastructure-as-code security vulnerabilities, hardcoded keys/credentials, SQL injection, and many more security patterns as part of the code review to help in secure development.
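To illustrate the kind of pre-posting check described above, the following is an added example and not CodeRabbit's own code (the page does not show how its tooling is implemented). It scans only the added lines of a unified diff for two of the patterns named here, hardcoded credentials and SQL built by string concatenation, and reports the file and new-file line number of each hit. The sample diff, the rule names and the regular expressions are all constructed for this example.

```python
import re

# Constructed sample diff (assumption: not taken from any real project); the
# "+" lines are the only ones a pre-posting check needs to inspect.
SAMPLE_DIFF = """\
--- a/app/db.py
+++ b/app/db.py
@@ -1,3 +1,6 @@
 import sqlite3
+API_KEY = "sk_live_0123456789abcdef"
+PASSWORD = os.environ.get("DB_PASSWORD")
 def find_user(conn, name):
-    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
+    query = "SELECT * FROM users WHERE name = '" + name + "'"
+    return conn.execute(query)
"""

# Rule 1: a credential-like variable assigned a non-trivial string literal.
# Reading the value from the environment (PASSWORD above) does not match.
HARDCODED_CREDENTIAL = re.compile(
    r'(?i)\b(api_key|apikey|secret|password|passwd|token)\w*\s*=\s*["\'][^"\']{8,}["\']'
)
# Rule 2: a string literal containing a SQL statement keyword ...
SQL_STRING = re.compile(r'(?i)["\'].*\b(select|insert|update|delete)\b.*["\']')
# ... combined with runtime string building (concatenation, %-format,
# .format(), or an f-string) instead of a bound parameter.
STRING_BUILDING = re.compile(r'["\']\s*\+|\+\s*["\']|%\s*\(|\.format\(|\bf["\']')

# "@@ -old_start,old_count +new_start,new_count @@"; only new_start is needed.
HUNK_HEADER = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')


def scan_added_line(code):
    """Return the names of the rules that fire on one added line of code."""
    hits = []
    if HARDCODED_CREDENTIAL.search(code):
        hits.append("hardcoded-credential")
    if SQL_STRING.search(code) and STRING_BUILDING.search(code):
        hits.append("sql-string-building")
    return hits


def scan_diff(diff_text):
    """Walk a unified diff and return (file, new_line_number, rule) findings
    for added lines only; context and removed lines are never flagged."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- "):
            continue  # old-file header
        elif raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            for rule in scan_added_line(raw[1:]):
                findings.append((current_file, new_line, rule))
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed line: exists only in the old version
        else:
            new_line += 1  # unchanged context line advances the new-file counter
    return findings


if __name__ == "__main__":
    for path, line, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: {rule}")
```

Only the `+` lines are scanned, so the removed parameterised query is not reported, and the environment-based `PASSWORD` assignment passes because the rule requires a string literal on the right-hand side. A real scanner would add many more rules and tolerate false positives by asking the reviewer to confirm, but the structure of walking hunks and mapping hits back to new-file line numbers is what lets a finding be posted as a review comment at the right place.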
Our Privacy Policy
CodeRabbit ensures transparency regarding all privacy-related policies and agreements. Our privacy policy details our handling of personal data, usage practices, and your rights concerning your data. Additionally, our list of subprocessors outlines all third parties involved in our service delivery that may process some data, including the reasons for their involvement, locations, and the services they provide.
Does CodeRabbit collect and process data?
CodeRabbit collects and processes data for various purposes on supported git platforms. Data about usage and metrics is also collected when a review is posted. The following broad categories of data are collected and processed by CodeRabbit at various stages:
Metadata
This includes information about the subscribing organization, added repositories, and users.
Code
CodeRabbit clones the repository in memory to perform the code review and run static analysis and security analysis tools. This data is discarded from memory immediately after the code review is done.
Metrics
CodeRabbit collects metrics about reviews and learnings generated, types of reviews generated (actionable, suppressed, refactor, verification, etc.), and files reviewed.
Learnings
If opted in, CodeRabbit stores learnings from code reviews. These can be triggered either automatically or by explicitly chatting with CodeRabbit to teach it something for the next time it reviews your code.
Issues
If opted in, CodeRabbit stores issues from connected knowledge bases like GitHub Issues, Jira, or Linear. This is useful for summarizing linked issues and suggesting possibly related issues in a PR.