Security
Your code never touches our servers. We route webhooks. You run builds.
We never see your source code
We receive GitHub webhooks containing event metadata (push SHA, branch name, PR number). Your worker fetches code using its own Git credentials. We cannot read, modify, or retain your source code.
Secrets stay on your machines
Environment variables and secrets are passed directly to your worker process. They travel over your TLS WebSocket connection. We do not log, store, or have access to your secrets.
Build artifacts stay with you
Test outputs, coverage reports, and build artifacts are generated on your hardware. We do not ingest build logs or artifacts. Everything stays on your infrastructure.
What we store
- Repository names and installation IDs (to route webhooks)
- Webhook event metadata (SHA, branch, PR number)
- Job status and conclusion (to report back to GitHub)
We do not store: source code, secrets, build logs, or artifacts.
Communication
- GitHub → HorseCI: Webhooks over HTTPS (GitHub signs payloads)
- HorseCI → Your worker: WebSocket over TLS 1.3
- HorseCI → GitHub: REST API with JWT authentication
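An added example, not HorseCI's code, of the receiving side of the GitHub → HorseCI leg: it checks GitHub's X-Hub-Signature-256 HMAC over the raw body, then keeps only the routing fields listed under "What we store". The function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json

def verify_signature(secret: bytes, raw_body: bytes, header) -> bool:
    """Check GitHub's X-Hub-Signature-256 header against the raw request body."""
    if not header or not header.startswith("sha256="):
        return False  # unsigned or legacy SHA-1 deliveries are rejected
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), header[len("sha256="):].encode())

def routing_metadata(event: str, raw_body: bytes) -> dict:
    """Return only what is needed to route a job; the rest of the payload is dropped."""
    p = json.loads(raw_body)
    meta = {"repository": p["repository"]["full_name"],
            "installation_id": p["installation"]["id"],
            "sha": None, "branch": None, "pr_number": None}
    if event == "push":
        ref = p["ref"]
        meta["sha"] = p["after"]
        meta["branch"] = ref[len("refs/heads/"):] if ref.startswith("refs/heads/") else None
    elif event == "pull_request":
        meta["sha"] = p["pull_request"]["head"]["sha"]
        meta["branch"] = p["pull_request"]["head"]["ref"]
        meta["pr_number"] = p["number"]
    else:
        raise ValueError("unhandled event type: " + event)
    return meta

def handle(secret: bytes, event: str, raw_body: bytes, header):
    """Verify first, parse second: unauthenticated bodies are never parsed."""
    if not verify_signature(secret, raw_body, header):
        return None
    return routing_metadata(event, raw_body)

# Constructed sample delivery (not a real secret, repository or payload).
SECRET = b"constructed-webhook-secret"
BODY = json.dumps({
    "ref": "refs/heads/main", "after": "a" * 40,
    "repository": {"full_name": "example-org/example-repo"},
    "installation": {"id": 12345},
    "commits": [{"message": "never stored", "author": {"email": "dev@example.com"}}],
}).encode()
# What GitHub would send in the X-Hub-Signature-256 header for this body.
SIG = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(handle(SECRET, "push", BODY, SIG))
```

The signature must be computed over the exact bytes received; re-serializing the parsed JSON before verifying changes the bytes and breaks the check.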
Infrastructure
Our dispatcher runs on infrastructure we control. We do not use GitHub Actions, AWS Lambda, or other third-party compute for webhook processing. This reduces supply chain exposure.
Contact
Security questions: security@horseci.com