Can I trust public code versioning platforms when building a social platform?

Unfortunately, you are the ones responsible for seeing whether your threat model is justified or not. Therefore, we cannot simply give a definite "yes" or "no" as to whether we see using the platform as a security threat.

However, there are two points that I'd like to expand on:

  • You seem to be extremely worried about the source code containing vulnerabilities and that the disclosure of it would mean that an individual or party could identify them.

Personally, I would not feel confident about providing a service to users where its security relies on the source code not being open source. To me, this is some sort of security by obscurity. In the best world, you want your platform to be just as solid even if the code leaks. Therefore, I would highly suggest that you partner up with some pentesters/code reviewers, or at least some developers who are very security-aware.

  • You mention wanting to move to private versioning servers.

Just do this right away and be done with this. At the risk of sounding blunt, I would question your technical skills if this seems to be a complicated or expensive step considering that you are starting off. Gitlab even offers a self-hosted solution; just make sure to review the platform and to block any communications with their servers if that part worries you.

Best of luck.


@Simon has already provided a fantastic answer, but I'd like to add in response to this point:

there is no possible real warranty that staff from Gitlab cannot investigate the source and find security holes or some sensitive configuration

Configuration does not belong in the repository. Configuration should be combined with code at deployment, not before, as per the third factor of twelve.

To do so, have your application read configuration values from the environment at runtime. In the case of, for instance, Django, this would involve you defining your secret key as such:

import os

# Fails at startup if the variable is unset, rather than running with a default.
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']

And having systemd (or whatever runs your project) set that environment variable.

As @Ave notes in the comments below, you would only store your production secrets on your production's build step and servers. You would set spurious or random secrets for your CI servers, staging servers, and whatever else. If the issue is trust with your repository host with regard to secrets, then you can opt to use Chef, Spinnaker, Puppet, or whatever else you may choose, rather than your repository host's CD.
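As an added example (not part of the answer above), a small Python loader that applies the approach just described: required secrets come from the process environment, production refuses to start if any is missing or too short, and non-production environments such as CI get random throwaway values. The variable names, the minimum lengths and the DEPLOY_ENV switch are assumptions made for this example.

```python
import os
import secrets

# Constructed for this example: each secret the app needs and the minimum
# length accepted in production (50 mirrors Django's own SECRET_KEY check).
REQUIRED_SECRETS = {
    "DJANGO_SECRET_KEY": 50,
    "DJANGO_DB_PASSWORD": 12,
}


def load_secrets(environ, deploy_env):
    """Resolve secrets from a mapping such as os.environ.

    In production every secret must be present and long enough; otherwise the
    process refuses to start, so a bad deployment cannot silently run with a
    default. Everywhere else (CI, staging, a developer laptop) a missing value
    is replaced by a fresh random one, so those machines never hold real secrets.
    """
    resolved = {}
    problems = []
    for name, min_len in REQUIRED_SECRETS.items():
        value = environ.get(name)
        if deploy_env == "production":
            if not value:
                problems.append(f"{name} is not set")
            elif len(value) < min_len:
                problems.append(f"{name} is shorter than {min_len} characters")
            else:
                resolved[name] = value
        else:
            # Spurious per-process secret; nothing outside this run depends on it.
            resolved[name] = value or secrets.token_urlsafe(max(min_len, 32))
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return resolved


if __name__ == "__main__":
    # DEPLOY_ENV is an assumed variable set by systemd alongside the secrets.
    env_name = os.environ.get("DEPLOY_ENV", "development")
    settings = load_secrets(os.environ, env_name)
    SECRET_KEY = settings["DJANGO_SECRET_KEY"]  # what settings.py would assign
    print(f"{env_name}: loaded {len(settings)} secrets")
```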


There are multiple options besides Gitlab (including pure Git). Gitlab is an open-source/open code project, so you can install it on your private server and nobody except your team has access.

Which raises, I believe, a more prominent issue: your staff know the security holes or some sensitive configuration and could sell the source code to some third party or the government. Even more, your staff has access to the data, which is much more critical and sensitive than source code. How do you plan to address this?