Facebook Pixel
Pricing
Customers
Trust & Security

End-to-End Security

We Do Not Store Your Executables or Code
BrainIAC and Terraform logo inside the loptop screen icon

Cloud Scanning

We encrypt and secure your code in transit (TLS), and at rest (AES-256). We process it using an ephemeral container that is terminated and wiped after processing. We only store analysis results, not the underlying code. This way, there is no honeypot for hackers. Read below for more detail.
BrainIAC and Terraform logo inside the loptop screen icon

Local Scanning

When scanning locally, no code or analysis results leave your firewall. Furthermore, the application does not store your code, it pulls it from a registry, puts it into an ephemeral container, analyzes it, and then terminates the container and wipes the data, only storing the scan results. We provide your configuration file to allow you to manage your access.

Comprehensive Security Features for Your Scanning Experience

Encryption
Encryption guarantees the data is transformed into an unreadable format for unauthorized users.
Access Controls
Our Role-Based Access Control puts you in control of viewing and managing your data.
Network Segmentation
Network segmentation reduces security risks by creating multiple layers within a network surface that prevent lateral attacks.
Data Masking
Data masking helps the process of modifying your data to hide its original form.
Security Updates
Security updates allow us to mitigate and resolve product security vulnerabilities in the application and system.
Secure Configuration
Secure configuration involves managing system settings by following security policies and standards to mitigate vulnerabilities.

Carbonetes Never Stores Your Code

Carbonetes never stores your code after the analysis. When using Diggity (open-source SBOM) and Jacked (our open-source vulnerability scanning) we do not access or move your code, we merely pull the file info via the Docker REST API. When doing SCM (Software Composition Management) scanning, we perform a git clone and store it in a PersistentVolume for each repository. After analysis, the repository’s PersistentVolume is deleted leaving no data for a hacker to modify or exfiltrate.
We use PersistentVolumes (PVs) to secure repository storage and ensure that deleted repositories are not accessible and their data is not recoverable.
Choose Repository
Cloned Repository is secured in a separate PersistentVolume
Analyze Repository
Save Analysis Result
Wipe Out Repository’s PersistentVolume

Clarity Starts Here

How is my data secured?
What’s your data encryption method?
How often are security policies updated?
How do you meet security standards?
Who has access to my data?
How can I secure against the latest vulnerabilities?
All data is masked and encrypted in transit, during processing and at rest. We protect our own code using this amazing tool called Carbonetes…we highly recommend it ;). As a result, we are on top of any new vulnerabilities that might affect us. But the process doesn’t store customer code anyway.
AES-256 (American Encryption Standard)
We would look pretty silly if we, a security company, got hacked. So we use state actor level security.
We update security policies at least once a year for the necessary things to be updated, and we consider other updates to stay ahead of potential threats and aim to minimize lateral attacks.
We Follow Security Standards and Policies that aim to minimize lateral attacks. This plays a critical role in our reputation in protecting our company and customers, by staying compliant with regulations, security patches, and security policy standards.
Our company has access to customer data and metadata from the use of our cloud service. All of that is encrypted and isolated. We do not have access to your code. The metadata we store is crucial to our identifying and addressing issues such as performance and other operational issues.
Our analyzers get regular feeds of the latest vulnerabilities. Our prioritization tools such as CVSS and EPSS are also updated constantly. All you have to do is set your policy(s) to catch vulns by priority and any new vulns will be flagged and surfaced to your attention.
chevron-downchevron-rightarrow-right