Security & Trust

CodeRaft is built for enterprise security teams. Every layer of the platform is designed with defence in depth, zero trust, and data sovereignty in mind.

Self-hosted

Your data never leaves your infrastructure. All CodeRaft products run on-premise in Docker containers you control.

Zero telemetry

No analytics and no tracking. The only outbound connection any product makes is the licence validation call to our licence server.

Swiss company

CodeRaft is based in Geneva, Switzerland. Our licence server is hosted in Switzerland under Swiss data protection law (nFADP).

Encryption & Cryptography

Licence integrity

  • RSA-2048 digital signatures over SHA-256 digests (PKCS#1 v1.5 and PSS padding)
  • Private key stored server-side only (file mode 0600)
  • Anti-replay protection via a unique UUID nonce per licence
  • Online validation with revocation and expiry checks
  • Encrypted offline cache (48h TTL) so a temporary loss of connectivity to the licence server does not interrupt operation
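
The licence check described above, written out as an added Go example (not CodeRaft's code; the licence fields, the PSS salt length and the error names are assumptions for illustration). The server signs the canonical payload bytes with RSASSA-PSS over SHA-256; the product verifies the signature before it parses anything, then applies revocation and expiry against its own clock. PKCS#1 v1.5 would use rsa.SignPKCS1v15 and rsa.VerifyPKCS1v15 with the same digest; the two padding schemes are not interchangeable, so a verifier must know which one a given licence uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Licence is the signed payload. Its field set is an assumption for this
// example; the page does not publish CodeRaft's licence schema.
type Licence struct {
	ID      string    `json:"id"` // unique UUID per licence (the page's "nonce")
	Product string    `json:"product"`
	Expires time.Time `json:"expires"`
}

// SignedLicence is what a customer installs: the exact signed bytes plus the base64 signature.
type SignedLicence struct {
	Payload   []byte
	Signature string
}

var (
	ErrBadSignature = errors.New("licence: signature verification failed")
	ErrRevoked      = errors.New("licence: revoked")
	ErrExpired      = errors.New("licence: expired")
)
// Signer and verifier must agree on the PSS salt length; equal-to-hash is the conventional choice.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

// NewUUIDv4 builds a random RFC 4122 version-4 UUID from crypto/rand.
func NewUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// Sign runs on the licence server, the only place the private key exists.
func Sign(priv *rsa.PrivateKey, lic Licence) (SignedLicence, error) {
	payload, err := json.Marshal(lic) // fields serialise in declaration order, so the bytes are stable
	if err != nil {
		return SignedLicence{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return SignedLicence{}, err
	}
	return SignedLicence{Payload: payload, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify runs inside the product with only the public key. The signature is checked
// before the payload is parsed, so nothing unauthenticated is trusted; revocation
// (a set fetched from the licence server) and expiry are checked afterwards.
func Verify(pub *rsa.PublicKey, sl SignedLicence, revoked map[string]bool, now time.Time) (Licence, error) {
	sig, err := base64.StdEncoding.DecodeString(sl.Signature)
	if err != nil {
		return Licence{}, ErrBadSignature
	}
	digest := sha256.Sum256(sl.Payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return Licence{}, ErrBadSignature
	}
	var lic Licence
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return Licence{}, err
	}
	if revoked[lic.ID] {
		return Licence{}, ErrRevoked
	}
	if !now.Before(lic.Expires) {
		return Licence{}, ErrExpired
	}
	return lic, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	id, _ := NewUUIDv4()
	signed, _ := Sign(priv, Licence{ID: id, Product: "EntraGuard", Expires: time.Now().Add(365 * 24 * time.Hour)})
	_, err := Verify(&priv.PublicKey, signed, nil, time.Now())
	fmt.Println("genuine:", err) // <nil>
	forged := signed // keep the signature, edit the payload: the digest no longer matches
	forged.Payload = []byte(`{"id":"` + id + `","product":"EntraGuard","expires":"2099-01-01T00:00:00Z"}`)
	_, err = Verify(&priv.PublicKey, forged, nil, time.Now())
	fmt.Println("forged:", err) // licence: signature verification failed
	_, err = Verify(&priv.PublicKey, signed, map[string]bool{id: true}, time.Now())
	fmt.Println("revoked:", err) // licence: revoked
}
```

The ordering in Verify is the practical point: a forged expiry date is rejected by the signature check before the JSON is ever decoded, and the revocation set is consulted by the licence's UUID, which is why each licence needs its own.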

Data at rest

  • Multi-tenant secrets encrypted with Fernet (AES-128-CBC + HMAC-SHA256)
  • PostgreSQL with encrypted storage volumes
  • Database credentials never hardcoded — injected via environment variables
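
Fernet is the scheme named above for multi-tenant secrets, and its format is compact enough to show in full. The Go code below is an added, illustrative implementation of the published Fernet token format (not CodeRaft's code; the products presumably use a library such as Python's cryptography). The 32-byte key splits into a signing half and an encryption half; a token is the version byte, a timestamp, the IV, the AES-128-CBC ciphertext and an HMAC-SHA256 tag over everything before it. The order of operations in Decrypt is the security point: the tag is compared in constant time before the ciphertext is touched, so a tampered token or a wrong key is rejected without any decryption, and the timestamp gives a TTL that lets cached secrets expire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Fernet holds the two halves of a 32-byte key: the first 16 bytes authenticate
// (HMAC-SHA256), the last 16 encrypt (AES-128-CBC). This is an illustrative
// implementation of the published Fernet token format, not CodeRaft's code.
type Fernet struct {
	signingKey, encKey []byte
}

var ErrInvalidToken = errors.New("fernet: invalid or expired token")

const maxClockSkew = 60 * time.Second // the spec rejects tokens stamped this far in the future

// NewFernet parses a urlsafe-base64 32-byte key, the form Python's Fernet.generate_key() emits.
func NewFernet(key string) (*Fernet, error) {
	raw, err := base64.URLEncoding.DecodeString(key)
	if err != nil || len(raw) != 32 {
		return nil, errors.New("fernet: key must be 32 urlsafe-base64 bytes")
	}
	return &Fernet{signingKey: raw[:16], encKey: raw[16:]}, nil
}

// Encrypt builds a token: 0x80 | timestamp (8 bytes BE) | IV (16) | CBC ciphertext | HMAC (32).
func (f *Fernet) Encrypt(plaintext []byte, now time.Time) (string, error) {
	block, err := aes.NewCipher(f.encKey)
	if err != nil {
		return "", err
	}
	token := make([]byte, 1+8+aes.BlockSize)
	token[0] = 0x80
	binary.BigEndian.PutUint64(token[1:9], uint64(now.Unix()))
	iv := token[9:25]
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always at least one byte
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	token = append(token, ct...)
	mac := hmac.New(sha256.New, f.signingKey)
	mac.Write(token)
	return base64.URLEncoding.EncodeToString(mac.Sum(token)), nil // Sum appends the tag
}

// Decrypt checks the HMAC in constant time before touching the ciphertext, then
// enforces ttl (0 disables it) and the clock-skew bound, then strips the padding.
func (f *Fernet) Decrypt(token string, ttl time.Duration, now time.Time) ([]byte, error) {
	data, err := base64.URLEncoding.DecodeString(token)
	if err != nil || len(data) < 1+8+16+32 || data[0] != 0x80 {
		return nil, ErrInvalidToken
	}
	body, tag := data[:len(data)-32], data[len(data)-32:]
	mac := hmac.New(sha256.New, f.signingKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrInvalidToken // wrong key or tampered token: nothing decrypted
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(body[1:9])), 0)
	if (ttl > 0 && now.Sub(ts) > ttl) || ts.After(now.Add(maxClockSkew)) {
		return nil, ErrInvalidToken // authentic but too old (or from the future)
	}
	iv, ct := body[9:25], body[25:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrInvalidToken
	}
	block, _ := aes.NewCipher(f.encKey) // key length was validated in NewFernet
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrInvalidToken
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	key := base64.URLEncoding.EncodeToString(bytes.Repeat([]byte{0x42}, 32)) // constructed demo key; use crypto/rand for real keys
	f, _ := NewFernet(key)
	tok, _ := f.Encrypt([]byte("tenant-42 client secret (constructed)"), time.Now())
	pt, err := f.Decrypt(tok, 48*time.Hour, time.Now())
	fmt.Println(string(pt), err) // tenant-42 client secret (constructed) <nil>
}
```

Two things follow from the layout. Fernet is encrypt-then-MAC over the whole token, so CBC padding oracles are not reachable: padding is only inspected after the tag has passed. And the timestamp is authenticated too, so a TTL cannot be extended by editing it. The Fernet key itself is the thing that now needs protecting, which is why the item above about injecting credentials rather than hardcoding them matters just as much for this key.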

Data in transit

  • TLS 1.2+ enforced on all external endpoints
  • HSTS with includeSubDomains and preload
  • Internal services communicate over private Docker networks

Container hardening

All CodeRaft products ship as hardened Docker containers following CIS Docker Benchmark recommendations:

  • Non-root execution (dedicated service users)
  • Read-only root filesystem where applicable
  • no-new-privileges security option
  • All Linux capabilities dropped (cap_drop: ALL)
  • Minimal base images (Alpine, slim, distroless)
  • Database ports bound to localhost only
  • No SSH, no shell in production containers
  • Semver-tagged images for rollback support
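
As an added, illustrative example of how the items above translate into deployment settings (not CodeRaft's shipped compose file; the image names, service UID, network names and environment variable names are assumptions), here is a docker-compose.yml that applies each one:

```yaml
services:
  api:
    image: example/coderaft-api:1.4.2         # semver tag, never :latest, so a rollback is a tag change
    user: "10001:10001"                       # dedicated non-root service user
    read_only: true                           # immutable root filesystem
    tmpfs:
      - /tmp                                  # the only writable scratch space
    cap_drop:
      - ALL                                   # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true                # setuid binaries cannot raise privileges
    environment:
      DATABASE_URL: "postgres://app:${DB_PASSWORD}@db:5432/app"   # secret injected at deploy time, not baked in
    networks: [internal, egress]              # egress exists only for the licence validation call
    depends_on: [db]

  db:
    image: postgres:16-alpine                 # minimal base image
    user: "postgres"
    read_only: true
    tmpfs:
      - /tmp
      - /run/postgresql                       # postgres needs a writable socket directory
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    environment:
      POSTGRES_PASSWORD: "${DB_PASSWORD}"
    volumes:
      - pgdata:/var/lib/postgresql/data       # encrypted at the block-device layer by the host
    ports:
      - "127.0.0.1:5432:5432"                 # localhost only; never 0.0.0.0
    networks: [internal]

networks:
  internal:
    internal: true                            # private Docker network, no route to the outside world
  egress: {}

volumes:
  pgdata:
```

A compose file is only as good as the container it produced, so verify after `docker compose up`: `docker inspect --format '{{.HostConfig.ReadonlyRootfs}} {{.HostConfig.CapDrop}} {{.HostConfig.SecurityOpt}} {{.Config.User}}' <container>` should print `true [ALL] [no-new-privileges:true] 10001:10001` for the api service. Any process that needs to write outside the tmpfs mounts will fail loudly under read_only, which is the intended behaviour: add a named volume for that path rather than relaxing the setting.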

Web security

All web interfaces include comprehensive security headers:

Header                       Protection
Content-Security-Policy      Mitigates XSS and code injection by restricting where scripts and other resources may load from
Strict-Transport-Security    Forces HTTPS for all connections
X-Frame-Options              Prevents clickjacking
X-Content-Type-Options       Prevents MIME-type sniffing
Referrer-Policy              Controls referrer information leakage
Permissions-Policy           Disables camera, microphone, geolocation
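
Data in transit and Web security, together: the Go snippet below is an added example (not CodeRaft's code; the concrete CSP and Permissions-Policy values are assumptions, since a real policy is tuned to the application's own scripts and features). It is a middleware that sets the six headers from the table on every response, a tls.Config that enforces the TLS 1.2 floor with forward-secret AEAD suites, and a small checker that reports which headers a response lacks, the kind of smoke test a customer can run against a deployment.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

// requiredHeaders lists the six headers from the table above.
var requiredHeaders = []string{
	"Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options",
	"X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
}

// SecurityHeaders is middleware that sets every required header on each response.
// The CSP and Permissions-Policy values are assumptions for this example.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// No inline or remote scripts. frame-ancestors 'none' is the modern
		// anti-clickjacking control; X-Frame-Options is kept for older browsers.
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'")
		// Two years, all subdomains, eligible for the hstspreload.org list.
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
		next.ServeHTTP(w, r)
	})
}

// TLSConfig makes TLS 1.2 the floor and limits 1.2 to forward-secret AEAD suites.
// TLS 1.3 suites are not configurable in Go and are all acceptable.
func TLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// MissingHeaders reports which required headers a response lacks. Run it over the
// headers of a real deployment (for example from a net/http client's Response) as a
// smoke test after each release.
func MissingHeaders(h http.Header) []string {
	var missing []string
	for _, name := range requiredHeaders {
		if h.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	srv := &http.Server{Addr: ":8443", Handler: SecurityHeaders(mux), TLSConfig: TLSConfig()}
	// cert.pem and key.pem are placeholders for the deployment's own certificate and key.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Two caveats a practitioner will want. HSTS only does anything once a browser has seen it over a valid HTTPS connection, so the header must be served on the apex domain as well as every subdomain before submitting to the preload list, and preload is effectively irreversible. And a CSP of default-src 'self' will break any inline script or third-party widget the application uses; roll it out with Content-Security-Policy-Report-Only first and tighten from there.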

Compliance readiness

CodeRaft tools help your organisation meet regulatory and framework requirements:

CIS Microsoft 365 v3.1

15 controls mapped — EntraGuard generates compliance reports with pass/fail status and remediation guidance.

NIST 800-53 Rev5

13 controls mapped — Access control, audit, identification, risk assessment, and system protection families.

ISO 27001:2022

14 controls mapped — Organisational, people, physical, and technological controls with Annex A references.

SOC 2 Type II

9 controls mapped — Security, availability, and confidentiality Trust Services Criteria.

Audit trail & transparency

Complete audit logging

  • Every licence validation attempt logged with IP, user agent, and status
  • RedFox Bastion logs all SSH/RDP sessions and Application Access requests with WORM audit trail (user, target, timestamps, policy decisions)
  • EntraGuard tracks all audit runs, findings, and risk acceptance decisions
  • Ravenscan logs all scan executions with target, scope, and findings history

Read-only auditing

EntraGuard and Ravenscan perform read-only operations only. They never modify your systems, Active Directory, or Entra ID tenant. All data collection uses the minimum required API permissions (read-only Graph API scopes).

Supply chain & CI/CD

  • Trivy — Container image vulnerability scanning on every build
  • Semgrep — Static analysis for OWASP Top 10 vulnerabilities
  • gosec — Go-specific security linting (Ravenscan, RedFox API)
  • cargo-deny — Rust dependency audit and licence compliance (RedFox proxy)
  • Hadolint — Dockerfile best-practice linting
  • No third-party telemetry or analytics dependencies in any product

Responsible disclosure

If you discover a security vulnerability in any CodeRaft product, please report it responsibly. We take all reports seriously and will respond within 48 hours.

Contact: [email protected]

Please include: product name, version, description of the vulnerability, and steps to reproduce. We ask that you do not publicly disclose the issue until we have had a chance to investigate and release a fix.