Security team

Shielding Sourcegraph from attackers

We think that security is an enabler for the business. Sourcegraph is committed to proactive security, and addressing vulnerabilities in a timely manner. We approach security with a can-do philosophy, and look to achieve product goals while maintaining a positive posture, and improving our security stance over time.





Security infrastructure and tooling

See tooling for a list of active tools we use and infrastructure for more information on the infrastructure that we maintain.


How we ensure that we release our product without high or critical vulnerabilities

  • We scan our containers and IaC as defined in the CI/CD Pipeline Vulnerability Scanning section below.
  • As part of the release process, we will conduct a full scan of our product using Trivy and Checkov.
  • Any high and critical vulnerabilities will need to be addressed before releasing.
  • The artifacts from the scans are then archived.
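
The release gate in the list above, shown as an added example that is not Sourcegraph's own pipeline code: it reads a Trivy JSON report, blocks on HIGH or CRITICAL findings, and archives the report under its SHA-256 digest. The sample report, function names and archive layout are assumptions, and Checkov output is not handled here.

```python
import hashlib
import json
import tempfile
from pathlib import Path

BLOCKING = {"HIGH", "CRITICAL"}  # severities that stop a release

# Constructed sample shaped like `trivy image --format json` output;
# the image name and CVE-0000-* identifiers are placeholders.
SAMPLE_REPORT = json.dumps({"ArtifactName": "example/app:1.0.0", "Results": [
    {"Target": "example/app:1.0.0 (alpine)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zexample",
         "Severity": "MEDIUM"}]},
    {"Target": "app/go.sum"},  # clean targets carry no "Vulnerabilities" key
]})


def blocking_findings(report_text):
    """Return (target, id, package, severity) for each HIGH/CRITICAL finding."""
    # Invalid JSON raises here, so a truncated report fails the gate closed.
    found = []
    for result in json.loads(report_text).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if severity in BLOCKING:
                found.append((result.get("Target", "?"),
                              vuln.get("VulnerabilityID", "?"),
                              vuln.get("PkgName", "?"), severity))
    return found


def release_gate(report_text, archive_dir):
    """Archive the report, then return (allowed, findings, archive_path)."""
    data = report_text.encode()
    digest = hashlib.sha256(data).hexdigest()
    path = Path(archive_dir) / f"trivy-{digest}.json"
    path.write_bytes(data)  # archived whether or not the gate passes
    findings = blocking_findings(report_text)
    return (not findings, findings, path)


def run_sample():
    """Run the gate on the constructed report in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed, findings, path = release_gate(SAMPLE_REPORT, tmp)
        return allowed, findings, path.is_file()
```
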

How we are improving and investing in product security

  • We are growing our security team to expand, develop and mature the security program.
  • We are embedding new security practices to improve our secure SDLC.
  • We are improving our internal security training for developers.
  • We have a security ambassador program in which a security engineer is involved in the early stages of the design of new features to give input and help identify potential weaknesses of the product.
  • We have developed a new vulnerability management process, which will limit the number of open vulnerabilities through much closer follow-up under a new SLA.

How to work with us

We’re here to help so reach out to us at with any questions you may have. Sourcegraph employees can reach us in the #security Slack channel.

Security Questionnaires

We’re always happy for teams to request security code reviews.

Security questionnaires for new and existing customers should follow the process here—feel free to message us on #security too.

Questions and Support Requests

Security questions and support requests should be raised in #security:

  1. Click the lightning bolt below the Slack message box in #security
  2. Select an option at the top of the menu
  3. Fill out the questions
  4. Tag @security-support in the resulting thread if urgent

Reach out to us on #security if you have any doubts, or for any reason feel like our process can’t work for you in a particular case.

Security Ambassador Program

In an effort to work closely with our teammates and shift security focus more into the development process, we are pleased to introduce the Security Ambassador program, which will align each of our security engineers with an engineering organization.

  • What does this mean?

    • The ambassador assigned to your organization will become very knowledgeable about your team’s work.
    • The ambassador will help you integrate security thought-processes into your workflow.
    • The ambassador will become your primary point of contact regarding any security concerns that may arise in your development process.
    • The ambassador will be available to join any planning, testing and implementation meetings where their input might be beneficial.
  • Why?

    • This will allow you to get quicker responses to your security questions and concerns from someone who has a deeper understanding of your team’s work.
    • This will allow us to produce a more secure product by integrating security into the early stages of product development.
  • Does this mean I can’t talk to anyone else on the security team?

    • Absolutely not. You are welcome to reach out to anyone on the security team at any time. We encourage everyone to use the #security Slack channel.
  • Who is the ambassador for my team?

    Org          Division/Team            Assignee
    Code Graph   Search Core              André
    Code Graph   Search Product           Lauren
    Code Graph   Code intelligence        André
    Code Graph   Batch Changes            Lauren
    Code Graph   Code insight             André
    Enablement   Repo management          Feroz
    Enablement   Delivery                 Mohammad
    Enablement   Dev Experience           Mohammad
    Enablement   Front End Platform       Lauren
    Cloud        Growth and Integrations  Feroz
    Cloud        Devops                   André
    Cloud        IAM                      Feroz

How we work

Slack acknowledgement

It is essential to remove assumptions/uncertainty around whether teammates have seen, understood, or acted on a message in an async-first communication environment. To assist in this regard, we provide the following guideline for teammates to follow when communicating and responding in Slack.

The most important thing is not which emoji you use, but that you acknowledge the message and do so unambiguously.

When acknowledging a request:

  • :thumbsup: (👍) = I see the request and will action it
  • :white_check_mark: (✅) = I have completed my action on the request

When acknowledging a statement:

  • :thumbsup: (👍) = I agree with the statement or I have taken note of it
  • :thumbsdown: (👎) = I disagree with the statement (following up with a written response is always encouraged)

When acknowledging a question:

You should provide a written response unless it’s a simple yes/no question, in which case :thumbsup: (👍) or :thumbsdown: (👎) is acceptable.

Monitoring and incident response

Risk management

The Security team manages risk via the Information Security Risk Management Policy and the underlying risk management process.
