Security
Here at Foresight, security is our top concern, and we provide the highest security standards.
Is it safe to use Foresight?
Yes, it is safe. Foresight never sees your secrets or source code, and that is by design. But actions speak louder than words, so the organisations that rely on Foresight are the best evidence of its safety.
Here is a list of projects using Foresight:
- Keycloak (RedHat)
- AWS
- Wordpress VIP
- Stedi
- Craftgate - a fintech company
- Open Telemetry
- Pypa
One of our customers, Craftgate, a fintech company, has been using Foresight with a custom GitHub app that is fully PCI-DSS compliant. You can watch their account of it here.
Which permissions does the Foresight GitHub app require?
Read access to actions and metadata
For gathering data such as your workflow names, workflow run durations, and similar metadata.
This is required for using features such as:
Read and write access to issues, pull requests and checks
For commenting on your pull requests and checks. We do not modify your PR content, code base, or anything else in the repository.
Does Foresight see / modify / change my code?
Foresight will never store, commit, or modify anything on your code. Your code never goes through Foresight's backend servers at any time. We don't have access to your repository contents, secrets, or administrative information.
If you want to use Foresight's change impact analysis, Foresight only reports the changed lines in your PR that are not covered by tests, which it determines by comparing the PR diff with your code coverage report.
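The comparison described above (changed lines in a PR intersected with a coverage report) can be illustrated with a small diff walker. The following is an added example written for this page, not Foresight's own code; the diff text, the coverage dictionary and the file paths in it are constructed sample data, and the simplified "path -> {line: hit count}" coverage shape is an assumption rather than any real report format. It also handles one edge case the text does not spell out: a changed file that is absent from the coverage report is treated as entirely untested.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample PR diff (unified format) touching two hypothetical files.
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,4 +10,6 @@ def login(user):
     if not user:
-        return None
+        raise ValueError("missing user")
+    if user.locked:
+        return deny(user)
     token = grant(user)
     return token
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1,2 +1,3 @@
 import os
+DEBUG = os.getenv("DEBUG") == "1"
 import sys
"""

# Constructed coverage report, simplified: path -> {new-file line number: hit count}.
# app/util.py is deliberately missing to exercise the "file not in report" case.
SAMPLE_COVERAGE: Dict[str, Dict[int, int]] = {
    "app/auth.py": {10: 1, 11: 1, 12: 1, 13: 0, 14: 1, 15: 1},
}

# Matches a hunk header and captures the starting line on the new-file side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines_from_diff(diff_text: str) -> Dict[str, Set[int]]:
    """Map each changed file to the new-file line numbers the PR adds or rewrites."""
    result: Dict[str, Set[int]] = {}
    current_file: Optional[str] = None
    new_line = 0
    in_hunk = False
    for raw in diff_text.splitlines():
        if not in_hunk and raw.startswith("+++ "):
            # File header; "b/" prefix is git convention, /dev/null means the file was deleted.
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            current_file = None if path == "/dev/null" else path
            continue
        if raw.startswith("diff --git") or raw.startswith("index "):
            in_hunk = False  # a new file section starts; headers follow
            continue
        if not in_hunk and raw.startswith("--- "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            in_hunk = True
            continue
        if not in_hunk or current_file is None:
            continue
        if raw.startswith("\\"):
            continue  # "\ No newline at end of file" marker, not a source line
        if raw.startswith("+"):
            result.setdefault(current_file, set()).add(new_line)
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed line: it has no number in the new file
        else:
            new_line += 1  # unchanged context line advances the new-file counter
    return result


def untested_changed_lines(diff_text: str,
                           coverage: Dict[str, Dict[int, int]]) -> Dict[str, List[int]]:
    """Return, per file, the changed lines with zero hits (or with no coverage data at all)."""
    report: Dict[str, List[int]] = {}
    for path, lines in added_lines_from_diff(diff_text).items():
        hits = coverage.get(path)  # None: file never appeared in the coverage run
        missing = {n for n in lines if hits is None or hits.get(n, 0) == 0}
        if missing:
            report[path] = sorted(missing)
    return report


if __name__ == "__main__":
    for path, lines in untested_changed_lines(SAMPLE_DIFF, SAMPLE_COVERAGE).items():
        print(f"{path}: untested changed lines {lines}")
```

Only the new-file side of the diff is tracked, because a coverage report can only refer to lines that exist after the change; removed lines are skipped without advancing the counter. Inside a hunk, a line beginning with `+++` is an ordinary added line, so file headers are only recognised between hunks.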
Is there any way where I don't install your GitHub app but still use Foresight?
Yes. With our custom GitHub app solution you manage the permissions yourself, so you decide which permissions Foresight is granted. However, limiting some permissions may disable some features.
If you would like to learn more about the Custom GitHub application, please contact us here.
Integrations
Foresight applies the principle of least privilege and requires only the minimum permissions needed for your integration.
While using Foresight, you can install our official GitHub application to monitor your CI workflows and tests. Foresight will never store, commit, or modify anything in your code. Your code never goes through Foresight's backend servers at any time. We do not have any access to your repository contents, secrets, or administrative information.
Moreover, Foresight never makes any changes to your repository or its configuration in any way.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) re-emphasizes and reinforces existing data protection principles in the European Union (EU). GDPR also adds new rules that are designed to expand legal and privacy rights protections for EU citizens.
At Foresight, we understand the importance of data. We are wholly committed to providing the highest security standards and protecting customer data. To that end, we have reviewed and updated our products, processes, and procedures to meet the GDPR obligations.
Any Foresight user can both filter and mask personal data before customer data is submitted to our subscription services.
Encrypt in Transit & at Rest
We use TLS encryption for every internal and external communication between our services and external services. All of our application-layer (layer 7) communication is HTTPS based, and network/transport-layer (layers 3-4) communication is SSL based.
All collected user data and monitoring data is stored encrypted at rest using encryption keys managed by AWS KMS. All snapshots and backups are likewise encrypted where they reside.
Browsers
All communication between the user's browser and the Foresight products is done securely over HTTPS (TLS). We use JWT tokens issued through Auth0 for product authentication.
For payment we use Stripe, which is certified to PCI Service Provider Level 1 (the most stringent level of certification available in the payments industry). We therefore do not collect or store any information about your credit card; it is handled and managed by Stripe directly.
Trusted AWS Partner
Foresight is an AWS Advanced Technology Partner. Starting from the AWS community, Foresight aims to build official relationships with all the cloud communities to build faster and more reliable software with boosted developer productivity.
Foresight holds the AWS DevOps Competency and is a member of the ISV Accelerate Program. Foresight complies with enterprise contracts on AWS Marketplace and is a member of the SPPO Program.
Data Access & Retention
All data stores (as well as the internal and external services) sit inside a VPC and are not accessible from outside the private network. At Foresight, access to data stores is restricted to admins and the operations team. Two-factor authentication is required for employees to access Foresight internal services, and their actions are audited through AWS CloudTrail logs.
Foresight’s data retention is 30 days for all the user plans.
If you want to delete your account, you can contact us through Slack or support@oresight.io. We will respond with the confirmation of deletion in 24 hours.
App Security & Masking the Data
Foresight uses GitHub's official app guide and APIs to collect your Actions data. Our official GitHub app only collects read-only monitoring data. Collected monitoring data is sent securely over HTTPS (TLS). Authentication is done with the API keys provided by Foresight, which are sent in the request headers to sign the request. After processing, received data is stored encrypted at rest with AWS KMS. By default, all integrations (AWS SQS, AWS SNS, AWS Lambda, MySQL, PostgreSQL, HTTP, Redis, and others) are enabled and they capture the outgoing requests (messages, queries, request bodies, commands, and so on).
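The page does not specify how the API key in the request headers is used to sign a request, so the following is an added illustration of one common way to do it (an HMAC-SHA256 signature over a canonical string, with a key id, timestamp and signature header), not Foresight's own scheme. The header names, the key store, the secret and the sample payload are all constructed for this example. It shows the checks a receiving service typically performs: key lookup, timestamp freshness against replay, and a constant-time signature comparison.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed key store: key id -> shared secret. Hypothetical values for the example only.
KEY_STORE: Dict[str, bytes] = {"collector-01": b"example-shared-secret-do-not-reuse"}

# Requests older or newer than this window are rejected to limit replay of captured headers.
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, body: bytes, timestamp: int) -> str:
    """Bind method, path, body digest and timestamp into the string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{timestamp}"


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, timestamp: int) -> Dict[str, str]:
    """Client side: produce the authentication headers that accompany the request."""
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(headers: Dict[str, str], method: str, path: str, body: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: return (accepted, reason) for an incoming request."""
    now = time.time() if now is None else now
    secret = KEY_STORE.get(headers.get("X-Api-Key-Id", ""))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW_SECONDS:
        return False, "stale request"
    expected = hmac.new(secret, canonical_string(method, path, body, ts).encode(),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched via timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payload: a minimal workflow-run record.
    payload = json.dumps({"workflow": "ci", "duration_ms": 4200}).encode()
    ts = int(time.time())
    hdrs = sign_request("collector-01", KEY_STORE["collector-01"],
                        "POST", "/v1/workflow-runs", payload, ts)
    print(verify_request(hdrs, "POST", "/v1/workflow-runs", payload))
    print(verify_request(hdrs, "POST", "/v1/workflow-runs", payload + b" "))
```

Because the body digest is part of the signed string, any change to the payload in transit invalidates the signature, and because the timestamp is both signed and checked against a window, a captured request cannot be replayed indefinitely.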
Availability
All services and data stores in Foresight are designed as highly available components. We use Aurora MySQL, DynamoDB, and Elasticsearch to store collected data, and collected monitoring data is also backed up to AWS S3. AWS DynamoDB and S3 are highly available and resilient services, as they run across multiple AZs with backups. For Elasticsearch, we run multiple instances across multiple AZs, and each shard has its own replica located in another AZ. For Aurora MySQL, we have multiple read replicas in different AZs and regions; in case of an outage, they can be promoted to the master role.
In addition to the data stores, all of our collectors and products run as multiple instances across multiple AZs behind Application Load Balancers, and they automatically scale up and down according to system load. Apart from the collectors and applications, all remaining components of our backend are 100% serverless and are therefore highly available and scalable by nature.
Recovery
All of our data stores, RDS and Elasticsearch (and even the caches, ElastiCache / Redis), have daily backups, so in case of disaster they can be restored to the latest daily snapshot. Changes made between that snapshot and the time of the disaster can be restored by replaying events from the S3 backups. In addition to the S3 backups, our Kinesis stream, which carries the collected monitoring data, has a data retention of 7 days, so in case of a catastrophic Elasticsearch failure we can replay the data for re-ingestion.
