Security

Supply-chain aware deploys. Scans on every build.

SBOM, vulnerability and secrets scans, distroless-hardened runtime images, and no source code on our servers. Here's what ships today and what's next.

Pipeline: Code → Build → Scan → Deploy → Monitor

Security checks run at every stage, not just at the end.

What ships today

Five checks run on every successful build, plus distroless-hardened production images where your framework supports it.

CVE scan

Every built image is scanned for known CVEs across OS packages and your dependencies. Results land on the project's Security tab; you can block deploys on critical or high severity.

SBOM

An industry-standard software bill of materials is generated per build - direct and transitive dependencies, package versions, licences. Downloadable from the deployment detail page.

Secrets scan

The cloned source is checked for committed secrets before the build container is destroyed. Matches block the deploy and surface on the Security tab; we never push an image containing a leaked token.

Runtime EOL check

Every build resolves your runtime against a maintained end-of-life database - a Node 18 app gets flagged as past-EOL, a Java 22 app gets flagged as critical. Surfaces on the project security pill so you know before the auditor does.

Distroless-hardened images

Production images target Google distroless and other minimal bases - no package manager or shell in the runtime layer, smaller CVE surface, and scan results that reflect what actually ships. We extend coverage across frameworks as hardened paths roll out.
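As an added illustration (not the platform's own build recipe), a multi-stage Dockerfile for a hypothetical Node.js service: the build stage has npm and a shell, the runtime stage is a distroless base, so the shipped layer carries no package manager or shell and the CVE scan reflects only what runs. The base image tag and the `server.js` entry script are assumptions.

```dockerfile
# Stage 1: build with a full image that has npm and a shell.
FROM node:20-bookworm AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .

# Stage 2: runtime on a distroless base (assumed tag): no shell, no apt, no npm.
FROM gcr.io/distroless/nodejs20-debian12:nonroot
WORKDIR /app
# Copy only the built tree; uid/gid 65532 is distroless's nonroot user.
COPY --from=build --chown=65532:65532 /app /app
USER nonroot
EXPOSE 3000
# Distroless nodejs images set `node` as the entrypoint, so CMD is just the script.
CMD ["server.js"]
```

To confirm the runtime layer really has no shell, `docker run --rm --entrypoint sh <image>` should fail with "no such file or directory" rather than dropping you into a prompt.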

Coming next (roadmap)

Signed images with SLSA-style provenance attestation, policy-as-code gates per environment, and full audit log export. We'll move each into "ships today" when it's wired end-to-end.

Compliance posture

We're in beta. We haven't completed third-party audits yet - we're building the controls that get us there.

Controls in place today
  • TLS 1.3 in transit
  • Encrypted secrets at rest (Azure Key Vault)
  • Tenant environment isolation (network + resource boundaries)
  • Per-build SBOM, CVE scan, secrets scan
  • Distroless-hardened production images (framework-dependent)
  • Read-only GitHub access
  • Source code never persisted past the build

On the path to (roadmap)
  • SOC 2 Type I audit (planned, no auditor engaged yet)
  • Full audit log persistence (in progress)
  • Customer-managed encryption keys (CMK)
  • HIPAA BAA process (Enterprise, when there's demand)
  • Penetration test on the platform (planned)

Need a specific compliance posture for a procurement review? Email security@vibsl.com and we'll send you what we have today.

Security Questions?

Contact our security team for documentation or specific requirements.