CircleCI implements a Docker-centric vulnerability scanning tool in its software development CI/CD process. Patching timelines for CircleCI’s cloud service are:
Critical - 14 to 30 days | High - 14 to 30 days | Medium - 45 to 90 days | Low - 90 to 180 days. Monthly scans are submitted to federal authorities as part of ongoing FedRAMP compliance.
Internal systems auditing
CircleCI maintains a formal Audit Policy governing application events, system events, hardware events, and physical access. This includes the what, when, and where of the event, its source, its object, its outcome, and the person associated with it.
CircleCI’s architecture consists of multiple layers of data security including a DMZ, bastion hosts, and iptables.
CircleCI’s Site Reliability, Support and Engineering teams are globally distributed for 24/7/365 coverage.
CircleCI runs all builds in isolated sandboxes that are destroyed after each use.