Kiro is hosted on Amazon Web Services (AWS), and we use its built-in privacy features. Kiro takes additional proactive measures to keep its infrastructure environment secure. More specific details about AWS security are available at https://aws.amazon.com/security/.
Infrastructure tokens and passwords are stored in files encrypted with Ansible Vault.
We use MongoDB and ScaleGrid for our MongoDB hosting, and use both of their security and privacy features.
User access tokens for third-party APIs (e.g. GitHub) are encrypted at rest.
Passwords are stored in the Kiro database as bcrypt hashes.
Third-party software dependencies are kept updated to their recent versions.
GitHub authentication is done through OAuth.
Kiro needs both read and write access. Write access is required because we use GitHub webhooks to generate real-time updates on your Kiro PR Coach dashboard. Note: at the moment we write nothing to GitHub other than the webhook used to receive repository updates.
For the GitHub OAuth app access, we currently use the repo scope. More details can be found here. We do not do anything with your code or store it in any way; this is an ongoing limitation of GitHub's permission model, and we are working on improving it for you.
Also, our roadmap includes bringing the value of your Kiro PR Coach into the GitHub workflow experience, which requires write access. If you have any questions or concerns, let us know.