Security
Last updated: April 2026
Infrastructure
Skalpel runs on managed cloud infrastructure with encryption at rest and in transit. Provider credentials are stored using cloud KMS with envelope encryption. No secrets are stored in flat files or runtime containers.
Authentication
- Email/password with secure session cookies
- GitHub OAuth login
- SAML SSO for enterprise (OIDC supported)
- SCIM provisioning for team management
- Workspace API keys with project and environment scoping
- Service account keys for CI/CD pipelines
Authorization
Role-based access control scoped by workspace, project, environment, and route. Roles: owner, admin, developer, analyst, billing, viewer.
Audit Logging
Every critical action writes an audit event: login, invite, key creation, key rotation, provider credential changes, billing plan changes, route policy changes, and benchmark overrides.
Secret Management
- Cloud KMS for key encryption
- Encrypted storage for provider credentials
- Automatic rotation tracking with last-used timestamps
- Envelope encryption for all sensitive data
Compliance
- SOC 2 Type I (in progress)
- GDPR readiness
- Configurable data retention policies
- Optional no-body logging
- PII redaction in request traces
Responsible Disclosure
If you discover a security vulnerability, please report it to security@skalpel.ai. We will acknowledge receipt within 24 hours.