Permissions

About accessing your GitHub account.

In order to sign up and use pyup.io, you need to provide us access to your GitHub account.

In short, we ask for permission to access your email address and some permissions on your repos. You can decide if you want to give us permissions to access your public repos only or your public and private repos.

We use GitHub's OAuth2 API. OAuth2 is a protocol that lets external apps request authorization to private details in a user's GitHub account without getting their password. Scopes let us specify exactly what type of access we need to your account. They do not grant any permission beyond what the user already has.

Email

We ask for your email address to have a channel to communicate with you. This can be a new invoice when you are on a paid plan, important changes to pyup, or, as a last resort, a notification when something goes wrong.

Scope Name: user:email
Description: Grants read access to a user's email addresses.

Repository

We need access to your repository in order to create new pull requests, read and write your requirement files, and create and delete branches. You can decide if you want us to access your public repos only or your private and public repos.

Scope Name: repo
Description: Grants read/write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations.

or

Scope Name: public_repo
Description: Grants read/write access to code, commit statuses, collaborators, and deployment statuses for public repositories and organizations. Also required for starring public repositories.

Repo Hook

We need to know whenever you push new code so that we can check whether you updated your requirement files. We do that by creating a webhook for your repo that sends a request to our server when that happens.

Scope Name: write:repo_hook
Description: Grants read, write, and ping access to hooks in public or private repositories.

The Bot

About what we do with your code.

Open source

The code that touches your code is open source and available on GitHub. It comes with a command line interface (CLI) for you to tinker with. In order to run it at scale, the version pyup is using carries some small modifications. Before we talk about that, let's look at how we access your code and what we do with it.

Accessing your code

Here's the full code that searches for requirement files in your repository

The function iterates over the git tree of the given repo and searches for requirement file candidates. It's important to note that the git tree contains no file contents. It is just a list of tuples containing the path and the file type.

We are only interested in blobs that have "requirements" in their path and end with .txt or .pip. That matches e.g. requirements.txt in your root directory or requirements/prod.txt.

Once we have a candidate for a requirement file, add_requirement_file is called. We'll take a look at this next.

The function loads the content of the requirement file candidate and adds it to the req_bundle. A req_bundle here is just a fancy name for a list that holds all requirement files that have been found in the repo. Once that is done, the file is parsed to find other files it is referencing, e.g. when your requirements.txt contains a line like -r other_requirements.txt.

If a referencing file is found, the function calls itself again to continue the search until all requirement files are found.
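The following is an added illustration of the search just described; it is not pyup's own code. It assumes the git tree is handed in as a list of (path, type) tuples with no file contents, as the text states, and that blob contents are fetched through a separate load_blob callable (here a constructed dict stands in for the GitHub API). The names SAMPLE_TREE, SAMPLE_BLOBS, find_requirement_files, add_requirement_file and referenced_files are assumptions for this example. It goes slightly beyond the text by resolving -r paths relative to the referencing file (as pip does), skipping references that do not exist in the repo, and guarding against two files that reference each other, which would otherwise recurse forever.

```python
import posixpath
import re

# Constructed sample data: a git tree as (path, type) tuples, and a dict
# that stands in for fetching blob contents from the repository.
SAMPLE_TREE = [
    ("README.md", "blob"),
    ("requirements.txt", "blob"),
    ("requirements", "tree"),
    ("requirements/base.txt", "blob"),
    ("requirements/prod.txt", "blob"),
    ("requirements/dev.pip", "blob"),
    ("docs/requirements_notes.md", "blob"),
    ("setup.py", "blob"),
]

SAMPLE_BLOBS = {
    "requirements.txt": "-r requirements/base.txt\nDjango==1.8\n",
    "requirements/base.txt": "requests==2.7.0\n",
    "requirements/prod.txt": "-r base.txt\ngunicorn==19.3\n",
    # references an already-seen file and a file that is not in the repo
    "requirements/dev.pip": "-r prod.txt\n--requirement base.txt\n-r ../missing/extra.txt\npytest\n",
}

# Matches "-r other.txt" and "--requirement other.txt" / "--requirement=other.txt".
REQ_REF = re.compile(r"^(?:-r|--requirement)[ =]+(\S+)")


def is_requirement_candidate(path, kind):
    """A candidate is a blob with 'requirements' in its path ending in .txt or .pip."""
    return kind == "blob" and "requirements" in path and path.endswith((".txt", ".pip"))


def referenced_files(path, content):
    """Return repo-relative paths of files referenced via -r / --requirement lines.

    References are resolved relative to the directory of the referencing file,
    which is how pip interprets them.
    """
    base = posixpath.dirname(path)
    refs = []
    for line in content.splitlines():
        match = REQ_REF.match(line.strip())
        if match:
            refs.append(posixpath.normpath(posixpath.join(base, match.group(1))))
    return refs


def add_requirement_file(path, load_blob, req_bundle, seen):
    """Load one requirement file, add it to the bundle, then follow its references."""
    if path in seen:          # already bundled, or a reference cycle: stop here
        return
    seen.add(path)
    content = load_blob(path)
    if content is None:       # dangling reference: the file is not in the repo
        return
    req_bundle.append((path, content))
    for ref in referenced_files(path, content):
        add_requirement_file(ref, load_blob, req_bundle, seen)


def find_requirement_files(tree, load_blob):
    """Walk the git tree and collect every requirement file, including referenced ones."""
    req_bundle = []   # list of (path, content) for every requirement file found
    seen = set()
    for path, kind in tree:
        if is_requirement_candidate(path, kind):
            add_requirement_file(path, load_blob, req_bundle, seen)
    return req_bundle


if __name__ == "__main__":
    for found_path, _ in find_requirement_files(SAMPLE_TREE, SAMPLE_BLOBS.get):
        print(found_path)
```

Only the tree walk needs the repository listing; file contents are fetched one candidate at a time, so a file that never matches the path filter and is never referenced is never read.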

Security

About how we protect your code

General Note

Let's be honest here: There is no such thing as a secure system. Software contains bugs and as long as software is communicating with others there will be attack surfaces. As much as we'd like to say that pyup.io is 100% secure, it is not.

What we can do is to make sure that all the systems are as secure as they can be by patching security vulnerabilities as soon as there is a patch available.

OAuth Access Tokens

When signing up, we ask you for permission to access your GitHub account twice: first for your email address and second for access to your repo. This enables us to obtain two tokens for your account.

The first is used to link your internal account to the GitHub account associated with your email address, as a login to pyup.io. This token is not so valuable in this context, because all an attacker could do with it is read your email address. This token is stored as plain text in our database.

The second token we obtain is to get access to your repo. That's extremely valuable because it allows an attacker to read from and write to your repos. The token is stored encrypted using AES. While this won't help in an event where an attacker has full access to pyup.io (because the service has to know the key to decrypt the token), it does help when an attacker gains access to the database and/or database backups alone.

Payment

Payment is processed through Stripe. Your credit card info is never saved on pyup.io.

Datacenter

All systems run in a private data center operated by Accelerated IT Services GmbH in Frankfurt, Germany.