Have a look at our new Handbook: "Transitioning from Monolith to Microservices"!  Discover →

Security at Semaphore

At Semaphore, protecting customer data is a top priority and we take the responsibility of securing it extremely seriously. That’s why we’ve built our product according to the highest security standards.

Compliance and Certification

  • ISO 27001:2013

We have built our Information Security Management System on top of ISO 27002:2013 controls to ensure the best practice protection controls are implemented based on industry standards. Proof of certification is available on request.


  • PCI-DSS

All payments made on Semaphore go through FastSpring, a PCI-DSS Level 1 compliant service.

Product security

  • Encryption

All data sent to or from Semaphore is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.


  • Source code security

Communication with your Git provider is always encrypted and your source code is accessed only through SSH and/or HTTPS.


  • Secrets

Semaphore Secrets allow you to store sensitive data and use it as environment variables inside your jobs.


  • Audit logging

Audit logs allow you to monitor any activity. Use them to assist in forensics, and demonstrate compliance. Audit logs can be securely streamed to your own servers.


  • Runtime isolation

Semaphore runs all builds in isolated sandbox virtual machines that are destroyed after each use.


  • Two-factor authentication

Semaphore inherits 2FA authentication established in your third-party Git provider.


  • Inherited restrictions

Default access rights on Semaphore projects are inherited from repository settings on your third-party Git provider.


  • Role-based access control

We provide multiple user roles with different permissions levels within the product.

Operational Security and policies

  • Policies

Semaphore has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with employees.


  • Employee vetting

Semaphore performs background checks on all new employees in accordance with local laws.


  • Confidentiality

All employees have signed a confidentiality agreement.


  • Security training

All employees complete security training when they join and are continually refreshed.


  • Engineer security education

All engineers are required to attend additional technical security training.


  • Incident response

Semaphore maintains a well-defined set of protocols for responding to security events. These protocols are regularly tested and updated.


  • Incident Response Team

Semaphore has rotating Site reliability and Incident Response Team that is available 24/7.


  • Partner management

Semaphore requires all third-party vendors to be ISO 27001:2013 certified and to fill out a security questionnaire annually.


  • Access control and permissions

Semaphore follows the principle of least privilege access. Access to customer data is limited to authorized privileged employees who require it for their job responsibilities.


  • Authentication methods

Semaphore runs a zero-trust corporate network. We enforce Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on, GitHub, BitBucket, Google, and AWS to ensure access to cloud services is protected.

Application Security

  • Secure Code Development (SDLC)

Our Software Development Lifecycle Policy controls delivery, review, and change management processes to minimize any security incidents or downtime.


  • Software Dependencies

Semaphore keeps up to date with software dependencies and has automated tools scanning for common security issues including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection.


  • Separate Development Environments

Testing and staging environments are logically separated from the production environment. No customer data is used in our development or test environments.


  • Automated Testing and Build Processes

We have an extensive set of automated testing procedures that are executed for every code change.

Physical and infrastructure security

  • Offices Security

Semaphore offices are secured by various physical barriers and alarm systems. All visitors are required to sign in and be escorted at all time.


  • Remote offices security

Semaphore ensures safe work from remote locations through policies like a secure environment policy, clear screen and desk policy, ​​and equipment siting and protection policy.


  • Data centers

Our application is hosted and managed within Google Cloud Platform secure data centers. This vendor is an industry leader in security and privacy. Our agents are hosted on Hetzner, one of the largest data center operators in Europe that’s accredited under ISO 27001:2013.

Data Security

  • Data storage

Semaphore data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and are only available to the systems that require them.


  • Data Backup

Semaphore maintains a Data Backup Policy for critical systems and requires restoration capabilities within common industry timelines.


  • Logs

We aggregate logs to secure encrypted storage. All sensitive information is filtered from our server logs.


  • Build isolation

Semaphore runs all builds in isolated sandbox virtual machines that are destroyed after each use.


  • Disaster recovery

Each of our services is fully redundant with replication and failover. Services are distributed across multiple availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.

Network Security

  • Traffic encryption

All data in transit is encrypted via TLS and SSH.


  • Secrets encryption

Semaphore Secrets are encrypted at rest and in transit and injected into the runtime environment at the start of a job.


  • Source code encryption

Source code is always encrypted via TLS and SSH in transit.


  • Systems auditing

Semaphore maintains a formal Audit Policy and audits are conducted annually. This includes internal audits as well as audits by third parties.


  • Vulnerability scanning

Semaphore uses security tools to continuously scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.


  • Firewall

Our servers are protected by firewalls and not directly exposed to the Internet.


We don’t act on the following classes of bugs and common reports:

  • Credentials in a 3rd party’s .semaphore/semaphore.yml
  • Email spoofing, SPF, DKIM, and DMARC errors

Semaphore does not have a bounty program

We do not offer bug bounties for discovered vulnerabilities. We hope that if you discover vulnerabilities in the course of your work that you share them with us so we can improve the health of the internet ecosystem.

Contact us

Have a question, concern, or comment about Semaphore security?

Please email support@semaphoreci.com for general inquiries

and support+security@semaphoreci.com for emergencies.