Security & Privacy

ShipTested is designed with security as a core principle. Your code stays on your machine, credentials are stored securely, and all communication with our API is encrypted. This page explains exactly what data is sent, how it is handled, and what protections are in place.

What Data Is Sent to the API

When you run shiptested generate, the CLI sends source file context to the ShipTested API. This includes:

  • The source file you are generating tests for
  • Relevant dependencies and type definitions needed for test generation
  • Project metadata (language, framework, test runner, module system)

The CLI does not send your entire repository, your node_modules, environment variables, or any files outside the immediate context needed for test generation. Source file context is used solely for generating tests and is never stored permanently on our servers.

Local Test Execution

All generated tests run locally on your machine. The ShipTested API generates test code, but execution happens in your environment using your installed test runner (Vitest or Jest). This means:

  • Private npm packages, monorepo setups, and custom path aliases all work because they resolve in your real environment
  • Your exact Node.js (or Bun) version is used, eliminating runtime mismatches
  • No code is uploaded to a remote server for execution
  • Test output and error messages stay on your machine unless you choose to sync results to the dashboard

Credential Storage

When you run shiptested login, your authentication credentials are stored locally at:

~/.shiptested/credentials

This file contains:

  • Your authentication token (JWT)
  • The API URL
  • Your email address
  • Token expiration timestamp

The credentials file and its parent directory are created with restricted permissions:

  • Directory (~/.shiptested/): 0o700 (owner read/write/execute only)
  • File (credentials): 0o600 (owner read/write only)

This ensures that only your user account can read or modify the credentials. Running shiptested logout deletes the credentials file entirely.

API Key Security

API keys (used for CI/CD and programmatic access) are protected using industry-standard practices:

  • Keys are generated with a sk_live_ prefix followed by 32 random hexadecimal bytes
  • The full key is displayed only once at creation time. After that, only a truncated preview is shown in the dashboard.
  • Keys are hashed using SHA-256 before being stored in the database. Only the hash is persisted. We never store the raw key.
  • When you send a request with an API key, we hash the provided key and compare it against the stored hash
  • Keys can be revoked instantly from the dashboard, and revoked keys stop working immediately

JWT Tokens

Interactive authentication (via shiptested login) uses JWT tokens:

  • Tokens expire after 7 days
  • Tokens are signed and verified using the jose library
  • Expired tokens are rejected automatically. The CLI will prompt you to log in again when your token expires.

GitHub OAuth

ShipTested supports GitHub OAuth for user authentication. The OAuth flow includes:

  • State parameter verification to prevent cross-site request forgery (CSRF) attacks. A unique state token is generated for each login attempt and verified when the callback is received.
  • The CLI starts a temporary local HTTP server to receive the OAuth callback. This server runs only during the login flow (with a 2-minute timeout) and shuts down immediately after.
  • ShipTested requests minimal GitHub permissions needed for authentication.

Data Retention

When results are synced to the dashboard, the following data is stored:

  • Run metadata (timestamp, branch, trigger type, pass/fail counts)
  • File-level results (status, iterations, coverage percentage)
  • Generated test file content (for viewing in the dashboard)
  • Error output from failed iterations
  • Token usage statistics

Source file context sent during generation is not stored permanently. Dashboard data is retained for the duration of your account. Deleting a project removes all associated run and file data.

Network Security

All communication between the CLI and the ShipTested API is encrypted using HTTPS/TLS. There are no unencrypted endpoints.
