GitHub-first security

Everything starts with our GitHub integration. We exclusively support GitHub SSO, and authentication is fully handled through GitHub’s own OAuth flow. If you already trust GitHub, you can extend that trust to CarbonRunner with confidence.

Importantly, our integration cannot access your organisation or repository secrets — GitHub does not even provide a way for us to request that level of access. We only ask for the minimum set of permissions required to make CI/CD seamless. And we’re fully transparent about it: below you’ll find a complete list of the permissions CarbonRunner requests, along with clear explanations of why each is needed.

Daily updates

Our Ubuntu, Windows, and macOS images are patched and refreshed every day. By keeping images fully up to date, we reduce exposure to vulnerabilities and give you peace of mind that your CI/CD environment is always running on secure foundations.

Encrypt everything

Security is built into every layer. Disk images are encrypted at rest, all communication with GitHub is encrypted in transit, and jobs are dispatched using GitHub’s own runner protocol. From secrets to cache artifacts, everything is locked down by default.

SLSA conformance

We are actively working towards SLSA 1.2 infrastructure verification, aligning CarbonRunner with industry standards for supply chain security. This commitment means more transparency, more trust, and stronger guarantees for your builds.

Get in touch

Security questions deserve straight answers. If you’d like to dig deeper into our practices, we’re always happy to jump on a call and walk you through the details.