Security overview
Data handling, secrets, egress controls, and the boundary between open-source client tools and the hosted watchtower.
Free vs paid
The public open-source repo ships local schema comparison, MCP connector, and remediation packages. Scheduled checks, snapshot storage, alerting, and the console run on hosted DriftGuard at driftguard.org — not self-hostable from the public repository.
- Local / OSS — compare_json, FuseGuard, MockDrift, ToolChange, SchemaSync lint
- Hosted — watches, drift history, webhooks, billing, portfolio APIs
Data we store
| Data | Purpose | Retention |
|---|---|---|
| Watch metadata (URL, type, tags) | Scheduling and console UI | Until deleted |
| Normalized schema snapshots | Diff baseline and change history | Plan-dependent history |
| Change records (drift events) + changes[] | Alerts, incidents, export | Plan-dependent |
| API key hash | Authentication | Until revoked |
| Webhook delivery logs | Alert debugging | Operational window |
We store contract shape (schemas, tool lists) — not your application payloads or end-user data from vendor APIs unless you configure watches that return PII in schema samples (avoid watching authenticated user endpoints).
Secrets & credentials
- API keys (dg_live_…) are shown once at provisioning; console shows a hint only (GET /api/me)
- Watch auth headers are stored encrypted for polling — never returned in API list responses
- MCP tool responses and CLI output must not echo full keys — report suspected leaks via GitHub Issues
- OSS coverage upload redacts mcp.json env values before network send
Key management: Authentication
Network egress & SSRF
Hosted snapshots fetch only URLs registered on watches (or trip-bound FuseGuard snapshots). Outbound requests enforce:
- DNS pinning and blocklists for private, link-local, and metadata IPs
- Response size and timeout limits on the on-demand snapshot API
- Rate limits on trip ingest and snapshot endpoints
Detailed checklist: On-demand snapshot security
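The address check behind DNS pinning and blocklisting can be sketched as follows. This is an added example, not DriftGuard's implementation: the function names, the exact range list, and the sample host are assumptions, and the list goes slightly beyond the three classes named above by also covering loopback and carrier-grade NAT.

```javascript
// Added illustration, not DriftGuard's code; function names are hypothetical.
const net = require('node:net');

// Destinations an outbound snapshot fetcher should refuse to connect to.
const blocked = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8],      // "this network"
  ['10.0.0.0', 8],     // RFC 1918 private
  ['172.16.0.0', 12],  // RFC 1918 private
  ['192.168.0.0', 16], // RFC 1918 private
  ['100.64.0.0', 10],  // carrier-grade NAT
  ['127.0.0.0', 8],    // loopback
  ['169.254.0.0', 16], // link-local, includes the 169.254.169.254 metadata IP
]) blocked.addSubnet(prefix, bits, 'ipv4');
for (const [prefix, bits] of [
  ['::', 127],    // unspecified (::) and loopback (::1)
  ['fc00::', 7],  // unique local
  ['fe80::', 10], // link-local
]) blocked.addSubnet(prefix, bits, 'ipv6');

// True only for an IP literal outside every blocked range.
function isPublicAddress(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) ip = mapped[1]; // unwrap IPv4-mapped IPv6 before checking
  const family = net.isIP(ip); // 4, 6, or 0 when not an IP literal
  if (family === 0) return false;
  return !blocked.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Takes a watch URL plus the addresses DNS returned for its host and returns
// the pin: the caller dials that IP with hostname as Host/SNI, never re-resolving.
function pinTarget(watchUrl, resolved) {
  const { hostname } = new URL(watchUrl);
  if (resolved.length === 0) throw new Error('no addresses resolved');
  // Reject the whole answer if any record is internal: a mixed answer is a
  // DNS-rebinding signal, and the client might pick the internal record.
  const bad = resolved.find((ip) => !isPublicAddress(ip));
  if (bad !== undefined) throw new Error(`blocked address ${bad}`);
  return { host: hostname, ip: resolved[0] };
}

// Constructed sample: two answers for the same hypothetical watch host.
function demo() {
  const url = 'https://api.vendor.example/openapi.json';
  const ok = pinTarget(url, ['203.0.113.10']);
  let rejected = null;
  try { pinTarget(url, ['203.0.113.10', '169.254.169.254']); } catch (e) { rejected = e.message; }
  return { ok, rejected };
}
```

Validating the resolved addresses and then connecting to the validated IP is what closes the gap between check and use; a fetcher that validates and then resolves the hostname again can be redirected by a second, different DNS answer.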
Authentication & access
- API keys — scoped to customer org; required for CI and MCP hosted tools
- Trial sessions — short-lived, one-watch limit, no card required
- Console — Google OAuth for humans; separate from API keys
- Webhooks — HMAC-signed payloads (eventSchema: 2); verify before acting
Team and Enterprise plans include RBAC, audit logs, and OIDC SSO (CP-6.1). SCIM provisioning is on the roadmap.
Transport & headers
Production responses use HTTPS, HSTS, and a restrictive Content-Security-Policy on marketing and console surfaces. CORS allows only configured origins for API browser use.
Supply chain
- CI runs npm audit, Gitleaks, CodeQL, and dependency review on pull requests
- OSS and cloud repos are public — report vulnerabilities responsibly via GitHub Security
Compliance posture
DriftGuard is an operational monitoring service, not a data processor for your end-user PII by default. For enterprise compliance packets (DPA, subprocessors list), contact sales via pricing — formal SOC 2 / ISO programs are not yet published.
Enterprise
- RBAC & roles — viewer through owner permissions
- Audit logs — seat events and signed drift export
- Enterprise SSO — OIDC + domain verification