Merge pull request #9606 from circleci/DOCSS-1390-security-update

add note to exclude runner from sandboxing assumptions

Author: rosieyohannan

docs/server-admin-4.2/modules/operator/pages/circleci-server-security-features.adoc

@@ -10,17 +10,25 @@ This document outlines security features built into CircleCI and related integra
 
 [#security-overview]
 == Overview
-Security is our top priority at CircleCI. We are proactive and we act on security issues immediately. Report security issues to [email protected] with an encrypted message using our security team's GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7).
+Security is our top priority at CircleCI. We are proactive and we act on security issues immediately. Report security issues to mailto:[email protected][] with an encrypted message using our security team's GPG key (ID: `0x4013DDA7`, fingerprint: `3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7`).
 
 [#encryption]
 == Encryption
-CircleCI uses HTTPS or SSH for all networking in and out of our service, including from the browser to our services application, from the services application to your builder fleet, from our builder fleet to your source control system, and all other points of communication. None of your code or data travels to or from CircleCI without being encrypted, unless you have code in your builds that does so at your discretion. Operators may also choose to bypass our SSL configuration or not use TLS for communicating with underlying systems.
+CircleCI uses HTTPS or SSH for all networking in and out of our service, including:
 
-The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or an ephemeral VM) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build agent pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete, the container that ran the job is destroyed and rebuilt. All environment variables are encrypted using link:https://www.vaultproject.io/[HashiCorp Vault]. Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees.
+* From the browser to our services application.
+* From the services application to your builder fleet.
+* From our builder fleet to your source control system, and all other points of communication.
+
+None of your code or data travels to or from CircleCI without being encrypted, unless you have code in your builds that does so at your discretion. Operators may also choose to bypass our SSL configuration or not use TLS for communicating with underlying systems.
+
+The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. With the exception of self-hosted runner, all jobs on CircleCI run in a sandbox (specifically, a container or an ephemeral VM). THe sandbox stands alone from all other builds and is not accessible from the Internet or from your own network.
+
+The build agent pulls code via git over SSH. Your test suite or job configurations may call out to external services or integration points within your network. The response from such calls will be pulled into your jobs and used at your discretion. After a job is complete, the container that ran the job is destroyed and rebuilt. All environment variables are encrypted using link:https://www.vaultproject.io/[HashiCorp Vault]. Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees.
 
 [#sandboxing]
 == Sandboxing
-With CircleCI, you control the resources allocated to run the builds of your code. This will be done through instances of our builder boxes that set up the containers in which your builds will run. By their nature, build containers will pull down source code and run whatever test and deployment scripts are part of the codebase or your configuration. The containers are sandboxed, each created and destroyed for one build only (or one slice of a parallel build), and they are not available from outside themselves. The CircleCI service provides the ability to SSH directly to a particular build container. When accessing a container this way, a user will have complete access to any files or processes being run inside that build container. Only provide CircleCI access to those also trusted with your source code.
+With CircleCI, you control the resources allocated to run the builds of your code. With the exception of self-hosted runner, this will be done through instances of our builder boxes that set up the containers in which your builds will run. By their nature, build containers will pull down source code and run whatever test and deployment scripts are part of the codebase or your configuration. The containers are sandboxed, each created and destroyed for one build only (or one slice of a parallel build), and they are not available from outside themselves. The CircleCI service provides the ability to SSH directly to a particular build container. When accessing a container this way, a user will have complete access to any files or processes being run inside that build container. Only provide CircleCI access to those also trusted with your source code.
 
 [#integrations]
 == Integrations
@@ -29,12 +37,20 @@ A few different external services and technology integration points touch Circle
 [#web-sockets]
 === Web sockets
 
-CircleCI uses link:https://pusher.com/[Pusher] client libraries for WebSocket communication between the server and the browser. However, for installs CircleCI uses an internal server called Slanger, so Pusher servers have no access to your instance of CircleCI, nor your source control system. This is how CircleCI, for instance, updates the builds list dynamically, or show the output of a build line-by-line as it occurs. CircleCI sends build status and lines of your build output through the web socket server (which unless you have configured your installation to run without SSL is done using the same certs over SSL), so it is encrypted in transit.
+CircleCI uses link:https://pusher.com/[Pusher] client libraries for WebSocket communication between the server and the browser for jobs such as:
+
+* Updating builds lists dynamically.
+* Displaying the output of a build line-by-line as it occurs.
+
+For CircleCI server installations, we use an internal server called Slanger, so Pusher servers have no access to your instance of CircleCI, nor your source control system. CircleCI sends build status and build output through the web socket server. Unless you have configured your installation to run without SSL, this is done using the same certs over SSL, so it is encrypted in transit.
 
 [#source-control-systems]
 === Source control systems
 
-To use CircleCI you will set up a direct connection with your instance of GitHub Enterprise or GitHub.com. When you set up CircleCI, you authorize the system to check out your private repositories. You may revoke this permission at any time through your GitHub application settings page and by removing Circle's Deploy Keys and Service Hooks from your repositories' Admin pages. While CircleCI allows you to selectively build your projects, GitHub's permissions model is "all or nothing" — CircleCI gets permission to access all of a user's repositories or none of them. Your instance of CircleCI will have access to anything hosted in those git repositories and will create webhooks for a variety of events (for example, when code is pushed, when a user is added, etc.) that will call back to CircleCI, triggering one or more git commands that will pull down code to your build fleet.
+To use CircleCI you will set up a direct connection with your instance of GitHub Enterprise or GitHub.com. When you set up CircleCI, you authorize the system to check out your private repositories. You may revoke this permission at any time through your GitHub application settings page and by removing CircleCI's Deploy Keys and Service Hooks from your repositories' Admin pages. CircleCI allows you to selectively build your projects but GitHub's permissions model is "all or nothing". That is, CircleCI gets permission to access all of a user's repositories or none of them. Your instance of CircleCI has access to anything hosted in your git repositories and will create webhooks for a variety of events. These webhooks call back to CircleCI, triggering one or more git commands that will pull down code to your build fleet. For example:
+
+* When code is pushed.
+* When a user is added.
 
 [#dependency-and-cource-caches]
 === Dependency and source caches

docs/server-admin-4.3/modules/operator/pages/circleci-server-security-features.adoc

@@ -8,17 +8,25 @@ This document outlines security features built into CircleCI and related integra
 
 [#security-overview]
 == Overview
-Security is our top priority at CircleCI. We are proactive and we act on security issues immediately. Report security issues to [email protected] with an encrypted message using our security team's GPG key (ID: 0x4013DDA7, fingerprint: 3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7).
+Security is our top priority at CircleCI. We are proactive and we act on security issues immediately. Report security issues to mailto:[email protected][] with an encrypted message using our security team's GPG key (ID: `0x4013DDA7`, fingerprint: `3CD2 A48F 2071 61C0 B9B7 1AE2 6170 15B8 4013 DDA7`).
 
 [#encryption]
 == Encryption
-CircleCI uses HTTPS or SSH for all networking in and out of our service, including from the browser to our services application, from the services application to your builder fleet, from our builder fleet to your source control system, and all other points of communication. None of your code or data travels to or from CircleCI without being encrypted, unless you have code in your builds that does so at your discretion. Operators may also choose to bypass our SSL configuration or not use TLS for communicating with underlying systems.
+CircleCI uses HTTPS or SSH for all networking in and out of our service, including:
 
-The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or an ephemeral VM) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build agent pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete, the container that ran the job is destroyed and rebuilt. All environment variables are encrypted using link:https://www.vaultproject.io/[HashiCorp Vault]. Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees.
+* From the browser to our services application.
+* From the services application to your builder fleet.
+* From our builder fleet to your source control system, and all other points of communication.
+
+None of your code or data travels to or from CircleCI without being encrypted, unless you have code in your builds that does so at your discretion. Operators may also choose to bypass our SSL configuration or not use TLS for communicating with underlying systems.
+
+The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. With the exception of self-hosted runner, all jobs on CircleCI run in a sandbox (specifically, a container or an ephemeral VM). THe sandbox stands alone from all other builds and is not accessible from the Internet or from your own network.
+
+The build agent pulls code via git over SSH. Your test suite or job configurations may call out to external services or integration points within your network. The response from such calls will be pulled into your jobs and used at your discretion. After a job is complete, the container that ran the job is destroyed and rebuilt. All environment variables are encrypted using link:https://www.vaultproject.io/[HashiCorp Vault]. Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees.
 
 [#sandboxing]
 == Sandboxing
-With CircleCI, you control the resources allocated to run the builds of your code. This will be done through instances of our builder boxes that set up the containers in which your builds will run. By their nature, build containers will pull down source code and run whatever test and deployment scripts are part of the codebase or your configuration. The containers are sandboxed, each created and destroyed for one build only (or one slice of a parallel build), and they are not available from outside themselves. The CircleCI service provides the ability to SSH directly to a particular build container. When accessing a container this way, a user will have complete access to any files or processes being run inside that build container. Only provide CircleCI access to those also trusted with your source code.
+With CircleCI, you control the resources allocated to run the builds of your code. With the exception of self-hosted runner, this will be done through instances of our builder boxes that set up the containers in which your builds will run. By their nature, build containers will pull down source code and run whatever test and deployment scripts are part of the codebase or your configuration. The containers are sandboxed, each created and destroyed for one build only (or one slice of a parallel build), and they are not available from outside themselves. The CircleCI service provides the ability to SSH directly to a particular build container. When accessing a container this way, a user will have complete access to any files or processes being run inside that build container. Only provide CircleCI access to those also trusted with your source code.
 
 [#integrations]
 == Integrations
@@ -27,12 +35,20 @@ A few different external services and technology integration points touch Circle
 [#web-sockets]
 === Web sockets
 
-CircleCI uses link:https://pusher.com/[Pusher] client libraries for WebSocket communication between the server and the browser. However, for installs CircleCI uses an internal server called Slanger, so Pusher servers have no access to your instance of CircleCI, nor your source control system. This is how CircleCI, for instance, updates the builds list dynamically, or show the output of a build line-by-line as it occurs. CircleCI sends build status and lines of your build output through the web socket server (which unless you have configured your installation to run without SSL is done using the same certs over SSL), so it is encrypted in transit.
+CircleCI uses link:https://pusher.com/[Pusher] client libraries for WebSocket communication between the server and the browser for jobs such as:
+
+* Updating builds lists dynamically.
+* Displaying the output of a build line-by-line as it occurs.
+
+For CircleCI server installations, we use an internal server called Slanger, so Pusher servers have no access to your instance of CircleCI, nor your source control system. CircleCI sends build status and build output through the web socket server. Unless you have configured your installation to run without SSL, this is done using the same certs over SSL, so it is encrypted in transit.
 
 [#source-control-systems]
 === Source control systems
 
-To use CircleCI you will set up a direct connection with your instance of GitHub Enterprise or GitHub.com. When you set up CircleCI, you authorize the system to check out your private repositories. You may revoke this permission at any time through your GitHub application settings page and by removing Circle's Deploy Keys and Service Hooks from your repositories' Admin pages. While CircleCI allows you to selectively build your projects, GitHub's permissions model is "all or nothing" — CircleCI gets permission to access all of a user's repositories or none of them. Your instance of CircleCI will have access to anything hosted in those git repositories and will create webhooks for a variety of events (for example, when code is pushed, when a user is added, etc.) that will call back to CircleCI, triggering one or more git commands that will pull down code to your build fleet.
+To use CircleCI you will set up a direct connection with your instance of GitHub Enterprise or GitHub.com. When you set up CircleCI, you authorize the system to check out your private repositories. You may revoke this permission at any time through your GitHub application settings page and by removing CircleCI's Deploy Keys and Service Hooks from your repositories' Admin pages. CircleCI allows you to selectively build your projects but GitHub's permissions model is "all or nothing". That is, CircleCI gets permission to access all of a user's repositories or none of them. Your instance of CircleCI has access to anything hosted in your git repositories and will create webhooks for a variety of events. These webhooks call back to CircleCI, triggering one or more git commands that will pull down code to your build fleet. For example:
+
+* When code is pushed.
+* When a user is added.
 
 [#dependency-and-cource-caches]
 === Dependency and source caches