From 32890fec207d45fce182cd15d444f4942921d6f7 Mon Sep 17 00:00:00 2001 From: Hussam Lawen Date: Wed, 5 Feb 2025 14:03:32 +0200 Subject: [PATCH 1/3] Create SECURITY.md --- SECURITY.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..cafcabf8 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,16 @@ +# Security Policy + +## Qodo Merge 💎 (SaaS) +* When using Qodo Merge💎, hosted by Qodo, we will not store any of your data, nor will we use it for training. You will also benefit from an OpenAI account with zero data retention. + +* For certain clients, Qodo Merge will use Qodo’s proprietary models. If this is the case, you will be notified. + +* No passive collection of Code and Pull Requests’ data — Qodo Merge will be active only when you invoke it, and it will then extract and analyze only data relevant to the executed command and queried pull request. + +## Qodo Merge 💎 (Self-hosted) +* If you self-host PR-Agent with your OpenAI (or other LLM provider) API key, it is between you and the provider. We don't send your code data to Qodo servers. + +## Qodo Merge Chrome extension + +* The Chrome extension will not send your code to any external servers. +* For private repositories, we will first validate the user's identity and permissions. After authentication, we generate responses using the existing Qodo Merge integration. From f209bc5323a77401a62b79a4781138d7f48185d9 Mon Sep 17 00:00:00 2001 From: Hussam Lawen Date: Wed, 5 Feb 2025 14:50:12 +0200 Subject: [PATCH 2/3] Update SECURITY.md --- SECURITY.md | 64 +++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 55 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index cafcabf8..b739193e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,16 +1,62 @@ # Security Policy -## Qodo Merge 💎 (SaaS) -* When using Qodo Merge💎, hosted by Qodo, we will not store any of your data, nor will we use it for training. You will also benefit from an OpenAI account with zero data retention. +PR-Agent is an open-source tool to help efficiently review and handle pull requests. Qodo Merge is a paid version of PR-Agent, designed for companies and teams that require additional features and capabilities. -* For certain clients, Qodo Merge will use Qodo’s proprietary models. If this is the case, you will be notified. +This document describes the security policy of PR-Agent. For Qodo Merge's secutiry policy, see [here](https://qodo-merge-docs.qodo.ai/overview/data_privacy/#qodo-merge). -* No passive collection of Code and Pull Requests’ data — Qodo Merge will be active only when you invoke it, and it will then extract and analyze only data relevant to the executed command and queried pull request. +## PR-Agent Self-Hosted Solutions -## Qodo Merge 💎 (Self-hosted) -* If you self-host PR-Agent with your OpenAI (or other LLM provider) API key, it is between you and the provider. We don't send your code data to Qodo servers. +When using PR-Agent with your OpenAI (or other LLM provider) API key, the security relationship is directly between you and the provider. We do not send your code to Qodo servers. -## Qodo Merge Chrome extension +Types of [self-hosted solutions](https://qodo-merge-docs.qodo.ai/installation): +- Locally +- GitHub integration +- GitLab integration +- BitBucket integration +- Azure DevOps integration -* The Chrome extension will not send your code to any external servers. -* For private repositories, we will first validate the user's identity and permissions. After authentication, we generate responses using the existing Qodo Merge integration. + +## PR-Agent Supported Versions + +This section outlines which versions of PR-Agent are currently supported with security updates. 
+ +### Docker Deployment Options + +#### Latest Version + +For the most recent updates, use our latest Docker image which is automatically built nightly: +```yaml +uses: qodo-ai/pr-agent@main +``` + +#### Specific Release Version + +For a fixed version, you can pin your action to a specific release version. Browse available releases at: +[PR-Agent Releases](https://github.com/qodo-ai/pr-agent/releases) + +For example, to github action: + +```yaml +steps: + - name: PR Agent action step + id: pragent + uses: docker://codiumai/pr-agent:0.26-github_action +``` + +#### Enhanced Security with Docker Digest + +For maximum security, you can specify the Docker image using its digest: +```yaml +steps: + - name: PR Agent action step + id: pragent + uses: docker://codiumai/pr-agent@sha256:14165e525678ace7d9b51cda8652c2d74abb4e1d76b57c4a6ccaeba84663cc64 +``` + +## Reporting a Vulnerability + +We take the security of PR-Agent seriously. If you discover a security vulnerability, please report it immediately to: + +Email: tal.r@qodo.ai + +Please include a description of the vulnerability, steps to reproduce, and the affected PR-Agent version. From b29a19957cac92f88ddd6299d0977e1fe1ae3514 Mon Sep 17 00:00:00 2001 From: Hussam Lawen Date: Wed, 5 Feb 2025 14:54:32 +0200 Subject: [PATCH 3/3] Update SECURITY.md Co-authored-by: qodo-merge-pro-for-open-source[bot] <189517486+qodo-merge-pro-for-open-source[bot]@users.noreply.github.com> --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index b739193e..907893ed 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,7 +2,7 @@ PR-Agent is an open-source tool to help efficiently review and handle pull requests. Qodo Merge is a paid version of PR-Agent, designed for companies and teams that require additional features and capabilities. -This document describes the security policy of PR-Agent. For Qodo Merge's secutiry policy, see [here](https://qodo-merge-docs.qodo.ai/overview/data_privacy/#qodo-merge). +This document describes the security policy of PR-Agent. For Qodo Merge's security policy, see [here](https://qodo-merge-docs.qodo.ai/overview/data_privacy/#qodo-merge). ## PR-Agent Self-Hosted Solutions
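Review bot: In the PATCH 1/3 hunk, the new SECURITY.md has no vulnerability-reporting section, which is the one thing GitHub's Security tab and outside researchers look for in this file; without a contact address or a pointer to private vulnerability reporting, reports will land in public issues. Add a "Reporting a Vulnerability" section with a contact and the details you want included (description, reproduction steps, affected version). Also, the "## Qodo Merge 💎 (Self-hosted)" heading does not match its bullet, which talks about self-hosting PR-Agent ("If you self-host PR-Agent with your OpenAI ... API key"); since this file lives in the PR-Agent repository, name the section after PR-Agent and keep the Qodo Merge SaaS and Chrome extension statements in the product's own privacy page rather than here.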
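Review bot: In the PATCH 2/3 hunk, the "## PR-Agent Supported Versions" section opens with "This section outlines which versions of PR-Agent are currently supported with security updates." but then never states which versions those are; add the usual supported-versions list or table (e.g. the current release line receives fixes, older lines do not) before the deployment options, since the deployment text only explains how to pin, not what is maintained. Two smaller points in the same hunk: under "#### Latest Version" the snippet `uses: qodo-ai/pr-agent@main` references the repository's main branch as a GitHub Action, not the nightly Docker image the sentence describes, so either show the `docker://` image reference or reword the sentence; and under "#### Enhanced Security with Docker Digest" the digest pin is immutable by design, which also means it will not pick up security fixes, so add a line telling readers to refresh the digest when a new release ships. The "For example, to github action:" line should read "For example, in a GitHub Action:". Finally, the "## Reporting a Vulnerability" contact is a personal mailbox (tal.r@qodo.ai); a role address or GitHub's private vulnerability reporting would keep reports reachable when that person is unavailable.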
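Review bot: In the PATCH 3/3 hunk, the corrected sentence still uses "see [here](...)" as its link text; a descriptive link such as "see the Qodo Merge data privacy page" reads better in a rendered SECURITY.md and survives if the URL is later changed.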