Security

Learn about our approach to scanning and security checks, including secrets detection, SonarQube analysis, and license compliance.

Secrets

To protect sensitive data, we scan our entire source code repository using custom-built internal scripts. These scripts perform automatic checks to ensure no credentials, tokens, API keys, or other sensitive information accidentally end up in our source code.

Our secrets scanning covers:

  • Full source code analysis
  • Integration with our internal Helm chart and YAML configurations
  • Validation scripts executed during CI/CD pipelines

If a secret is found, developers must:

  1. Immediately remove the secret from the codebase and move it to the proper secret store (for example a Kubernetes Secret referenced from the Helm chart rather than a literal in values.yaml).
  2. Invalidate and rotate the exposed credential or token. Anything that has been committed and pushed must be treated as compromised: it is already in git history, CI logs and every clone, so removing it from the working tree does not unpublish it.
  3. Rewrite commit history to purge the secret where necessary (for example with git filter-repo) and coordinate the force-push with everyone holding a clone. History rewriting limits further spread but never replaces rotation.
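The checks described above are implemented by internal scripts that are not published on this page. The following is an added example of the same kind of check, written for this page and not taken from those scripts: it runs a small set of pattern rules (AWS access key IDs, GitHub tokens, PEM private-key headers, generic `password=`/`token:` assignments) plus a Shannon-entropy check for long random-looking strings over every line of a file or tree, filters out obvious placeholders and Helm/Kubernetes indirections such as `${VAR}` or `secretKeyRef`, and exits non-zero when anything is found so a CI job fails. The rule set, the entropy threshold, the placeholder list and the sample input are all assumptions chosen for the example; the key and blob in the sample are made up.

```python
"""Added example: a minimal secrets scanner in the spirit of the checks described above.
It is not the project's internal script; rules, thresholds and sample input are assumed."""
import math
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Hypothetical rule set: a few well-known credential formats plus a generic
# "name = value" assignment. Production scanners carry hundreds of such rules.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "assigned-secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Any long base64/hex-looking run is a candidate for the entropy check.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Bits per character. Random base64 scores about 4.6-5.0; hex digests top out
# at 4.0, so lockfile hashes are not flagged. Tune to the repository's noise.
ENTROPY_THRESHOLD = 4.5
# Values that are templates or indirections rather than real secrets, e.g.
# Helm/Kubernetes references such as ${VAR}, {{ .Values.x }} or secretKeyRef.
PLACEHOLDER_MARKERS = ("changeme", "example", "${", "{{", "<", "xxx", "secretkeyref")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    low = value.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule, then the entropy check, over each line of text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if is_placeholder(value):
                continue
            findings.append(Finding(path, lineno, rule, value))
            seen.add(value)
        for token in CANDIDATE.findall(line):
            if token in seen or is_placeholder(token):
                continue
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy-string", token))
    return findings


def scan_tree(root: str, skip_dirs=(".git", "node_modules", "vendor")) -> list[Finding]:
    """Scan every regular file under root, skipping VCS metadata and vendored code."""
    findings: list[Finding] = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or any(part in skip_dirs for part in p.parts):
            continue
        findings.extend(scan_text(str(p), p.read_text(encoding="utf-8", errors="ignore")))
    return findings


# Constructed sample input; the key and blob are made up, not real credentials.
SAMPLE = """\
db:
  password: changeme
  user_token: ${DB_TOKEN}
aws_access_key_id = AKIAJ7Q2XPV4M3N8K5LT
export SIGNING_BLOB="k8Gq2ZrT9vWxY3pLmN4bHs7DfJ6cRe1A"
sha256 = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py [repo-root]; exits 1 on any finding so CI fails.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample.yaml", SAMPLE)
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}: {f.value}")
    sys.exit(1 if results else 0)
```

On the constructed sample the scanner reports the access key on line 4 and the random blob on line 5, and stays silent on the `changeme` placeholder, the `${DB_TOKEN}` reference and the SHA-256 digest. Scanning the working tree only covers the current commit; to catch secrets that were committed and later deleted, feed the output of `git log -p --all` through `scan_text` as well, since that history is exactly what a leaked clone would expose.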

SonarQube

We use SonarQube to maintain high standards of code quality and security through automated static code analysis. SonarQube helps identify:

  • Bugs and vulnerabilities – potential security and functional issues.
  • Code smells – areas of code that might need refactoring.
  • Technical debt – tracking code complexity and maintainability.

SonarQube analysis runs automatically within our CI/CD pipelines, providing insights directly within the development workflow.

Developers can view analysis results in the SonarQube dashboard, enabling them to proactively improve code quality and address potential problems early in the development cycle.

Licenses

We use an internal CLI tool, Eli, to detect and manage licenses of all dependencies used in our projects. Eli identifies allowed and rejected licenses, preventing accidental use of non-compliant licenses in our applications.

License checking includes:

  • Automated scans of all project dependencies.
  • Generation of license compliance reports.
  • Automatic detection of problematic licenses, such as copyleft.

Default allowed and rejected licenses:

  Allowed licenses          Rejected licenses
  MIT                       MPL
  BSD (all variants)        LGPL
  Apache (all variants)     AGPL
  Unlicense                 GPL (all variants)
  EIT

Developers can define custom license policies in the Eli configuration file:

licences:
  reject:
    - "GPL"
    - "GPL-1.0"
    - "MPL"
  allowed:
    - "MIT"
    - "BSD"
    - "Apache"

To check licenses locally before pushing, run:

eli project licenses --report=json --output=reports/licences.json

This writes a detailed report of every license in use to reports/licences.json.
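How a policy in the shape of the Eli configuration above is applied to real dependency metadata is not spelled out on this page. The following added example (written for this page; it is not Eli's code, and Eli's own matching rules may differ) evaluates SPDX license expressions against an allow/reject policy with the same `reject`/`allowed` keys: it matches an identifier by exact id or by license family (`GPL-3.0-or-later` belongs to the `GPL` family, `BSD-3-Clause` to `BSD`), lets a reject entry win over an allow entry, handles `OR` (dual licensing passes if any branch is allowed), `AND` (every part must be allowed), parentheses and `WITH` exception clauses, and reports anything on neither list as `unknown` so the CI gate fails on gaps rather than letting them through. The default policy table from this page is included for comparison; the dependency list is constructed.

```python
"""Added example: a license-policy evaluator for SPDX expressions. It is not Eli's
code; the policy shape mirrors the configuration above, the matching rules are assumed."""
import re

# Verdicts from worst to best: OR picks the best branch, AND the worst.
RANK = {"rejected": 0, "unknown": 1, "allowed": 2}

# Same shape as the Eli configuration on this page (assumed; not Eli's own parser).
CUSTOM_POLICY = {"reject": ["GPL", "GPL-1.0", "MPL"], "allowed": ["MIT", "BSD", "Apache"]}
# The page's default lists, for comparison.
DEFAULT_POLICY = {
    "reject": ["MPL", "LGPL", "AGPL", "GPL"],
    "allowed": ["MIT", "BSD", "Apache", "Unlicense"],
}

TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+\-]+")


def family(spdx_id: str) -> str:
    """'GPL-3.0-or-later' -> 'GPL', 'BSD-3-Clause' -> 'BSD', 'Apache-2.0' -> 'Apache'."""
    return spdx_id.split("-", 1)[0]


def classify_id(spdx_id: str, policy: dict) -> str:
    """Match by exact id or by family; a reject entry wins over an allow entry.
    Family matching is deliberate: 'GPL' does not cover 'LGPL' or 'AGPL', so
    those must be listed explicitly, as the default policy does."""
    candidates = {spdx_id.lower(), family(spdx_id).lower()}
    for key, verdict in (("reject", "rejected"), ("allowed", "allowed")):
        if any(entry.lower() in candidates for entry in policy.get(key, [])):
            return verdict
    return "unknown"  # on neither list: needs a human decision, never a silent pass


class _Parser:
    """expr := and (OR and)*;  and := atom (AND atom)*;  atom := '(' expr ')' | ID [WITH ID]"""

    def __init__(self, tokens, policy):
        self.toks, self.i, self.policy = tokens, 0, policy

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self) -> str:
        verdict = self.and_expr()
        while self.peek() == "OR":
            self.take()
            verdict = max(verdict, self.and_expr(), key=RANK.__getitem__)
        return verdict

    def and_expr(self) -> str:
        verdict = self.atom()
        while self.peek() == "AND":
            self.take()
            verdict = min(verdict, self.atom(), key=RANK.__getitem__)
        return verdict

    def atom(self) -> str:
        tok = self.take()
        if tok == "(":
            verdict = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return verdict
        if tok is None or tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        if self.peek() == "WITH":  # an exception clause does not change the base license
            self.take()
            self.take()
        return classify_id(tok, self.policy)


def evaluate(expression: str, policy: dict) -> str:
    """Verdict for one SPDX expression: 'allowed', 'rejected' or 'unknown'."""
    parser = _Parser(TOKEN.findall(expression), policy)
    verdict = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input in {expression!r}")
    return verdict


def gate(deps: dict, policy: dict):
    """CI gate: returns (ok, failures). Unknown licenses fail too, so gaps get reviewed."""
    report = {name: evaluate(expr, policy) for name, expr in deps.items()}
    failures = {n: v for n, v in report.items() if v != "allowed"}
    return not failures, failures


# Constructed sample dependency list (package names and licenses are made up).
DEPENDENCIES = {
    "left-pad-ish": "MIT",
    "bsdlib": "BSD-3-Clause",
    "copyleft-core": "GPL-3.0-or-later",
    "dual-licensed": "MIT OR GPL-2.0-only",
    "nested": "(MIT OR GPL-3.0-only) AND Apache-2.0",
    "with-exception": "GPL-2.0-only WITH Classpath-exception-2.0",
    "lesser": "LGPL-2.1-only",
    "zero-clause": "0BSD",
}

if __name__ == "__main__":
    for name, pol in (("custom", CUSTOM_POLICY), ("default", DEFAULT_POLICY)):
        ok, failures = gate(DEPENDENCIES, pol)
        print(f"{name}: {'PASS' if ok else 'FAIL'} {failures}")
```

Two points the sample makes visible. Under the custom policy from the configuration above, `LGPL-2.1-only` comes back as `unknown` rather than `rejected`, because `GPL` matches only the GPL family under these rules; whatever Eli's own matching semantics are, it is safer to list LGPL and AGPL explicitly, as the default policy does, than to rely on a substring match. And `GPL-2.0-only WITH Classpath-exception-2.0` is still rejected: an exception clause narrows the obligations but does not change the base license, so it should be escalated for a legal decision rather than auto-approved.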


Copyright © 2025. All rights reserved.