Security at Buildkite
At Buildkite, security is foundational to everything we do. Our platform helps some of the world’s most security-conscious organizations build, test, and deploy software — safely and reliably. We prioritise protecting your code, your data, and your workflows.
Our Security Commitments
At Buildkite, security isn’t just a feature — it’s embedded in our architecture. Our platform is designed with a security-first approach that respects your organization’s privacy and protects your intellectual property.
-
Customer-Controlled Infrastructure:
Buildkite Agents can run on your infrastructure, meaning your source code and secrets never leave your environment. -
Zero Code Exfiltration:
Buildkite does not require access to your code repository contents or build artifacts. Agents can be self-hosted or managed — Hosted Agents are ephemeral and only access the code required for execution of their pipeline. -
Data Minimization:
We only collect what’s needed for orchestration — never your proprietary code.
Platform Security
Our security-focused approach gives you the confidence to scale your CI/CD operations without compromising security. From robust encryption to advanced authentication methods, we've built comprehensive data protection into every aspect of our service.
-
Hosted in AWS
Buildkite is hosted and run within Amazon Web Services and designed to meet AWS “Well Architected” Principles. -
End-to-End Encryption
All data in transit is protected using TLS 1.2+ with strong cipher suites. Data at rest is encrypted using AES-256. -
Single Sign-On (SSO) + SCIM
SAML SSO integration is available using providers like Okta, Azure AD, and Google Workspace. SCIM provisioning is available on Enterprise plans. -
Two-Factor Authentication (2FA)
Multi-Factor Authentication is enabled by default for organisation members to add a layer of protection. -
Audit Logging
Customers have visibility into user and API activity to support compliance and incident investigations. -
Granular Access Controls
Team-based permissions allow you to restrict access to builds, pipelines, and organization settings. Buildkite can integrate with your cloud identity solution at a per job level via OIDC.
Agent Security
Buildkite’s agent architecture delivers powerful isolation and access controls that safeguard your build environments from security threats. Our design empowers you to implement defense-in-depth strategies that protect your most sensitive operations from potential threats. Customers can use Buildkite’s hosted agents or host their own agents within their own infrastructure.
-
Isolated Builds
Customers can use containers, VMs, or ephemeral agents to isolate and sandbox builds. -
Token-Scoped Agent Access
Agent tokens are scoped per pipeline or queue to minimise blast radius. -
Secrets Management
Customers can use their own vault (e.g., AWS Secrets Manager, HashiCorp Vault) to inject secrets securely or use Buildkite Secrets.
SOC2 Compliance
Buildkite maintains a SOC 2 Type II report - an independent audit performed annually that verifies the design and operating effectiveness of our security practices including access controls, system monitoring, threat detection, and incident response.
Our security posture is continuously monitored and maintained across the business using our GRC platform. From infrastructure hardening to employee training and third-party risk management, we take a proactive, defence-in-depth approach to keeping your data safe.
For more details of our continuous compliance model, please see our trust site.
Security Testing and Practices
Buildkite maintains a robust security posture through rigorous third-party testing and active participation in the security community.
-
Regular Penetration Testing
Third-party penetration tests are conducted at least annually, with remediation prioritized and tracked to completion. -
Bug Bounty Program
We run a private bug bounty program. We welcome people to join by contacting us. -
GitHub Secret Scanning Program
Buildkite is part of the the GitHub Secret Scanning Program which aims to enhance security for your API tokens. -
OpenSSF Member
As a member, we are dedicated to shaping the future of open source security by contributing to solutions that protect the software everyone depends.
Trust Portal
To view our SOC2 report, security penetration test and other assurance artifacts please see our Trust Site.
Questions or concerns?
Reach out to: trust@buildkite.com
Privacy
Want more details about our commitment to Privacy?
Buildkite’s privacy policy is here