Security at Semaphore UI
Semaphore UI is a self-managed platform that allows DevOps teams to securely automate infrastructure using Ansible, Terraform, and custom scripts.
We understand that security is critical to our users, and this document outlines the principles, practices, and features that help keep your data and systems safe.
🔐 Data Storage and Privacy
- Semaphore UI is fully self-hosted — all your data remains in your environment.
- We do not collect or transmit any of your credentials, secrets, inventories, playbooks, logs, or telemetry.
- You have full control over data storage, access, backup, and retention policies.
🔧 Secure by Design
- Developed in Go, a compiled, memory-safe language.
- Minimal external dependencies.
- Clear separation between web UI, API, and task executors.
- Follows the principle of least privilege for internal operations.
🔍 Code Security Tools
To maintain code quality and prevent security issues, we use the following tools:
- GitHub CodeQL – semantic code analysis that queries code as data to detect vulnerabilities and bugs.
- Codacy – static code analysis for code quality.
- Snyk – automatic scanning for known vulnerabilities in dependencies.
- RenovateBot – automates dependency updates to reduce exposure to outdated or vulnerable packages.
🧑‍💼 Access Control and Authentication
- Built-in role-based access control (Owner, Manager, Task Runner, Guest).
- Optional Two-Factor Authentication (TOTP).
- Project- and environment-level isolation.
- Support for LDAP and OAuth2 SSO.
🔍 Auditing and Monitoring
- All UI actions are logged with timestamps and user IDs.
- Logs are stored locally and can be exported to external logging or SIEM tools.
- Can be deployed behind a reverse proxy (e.g. NGINX, Traefik) to add IP filtering, rate limits, and advanced auth.
🔄 Updates and Patch Management
- We recommend always using the latest stable release.
- Security patches are released quickly once issues are confirmed and fixed.
📣 Responsible Disclosure
If you discover a security vulnerability, please report it responsibly by emailing [email protected].
We aim to:
- Acknowledge your report within 1 business day.
- Provide a resolution or status update within 7 business days.
🛠️ Secure Deployment Best Practices
To ensure a secure installation:
- Run Semaphore UI on a private network or VPN.
- Terminate HTTPS using a reverse proxy with a valid TLS certificate.
- Restrict external access using firewall rules or IP allowlists.
- Regularly update your Semaphore UI instance and dependencies.
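One way to put these recommendations into practice, shown here as an added example that is not part of the Semaphore UI project or its documentation: an NGINX site configuration that terminates TLS, allowlists client address ranges and rate-limits the API in front of a Semaphore UI instance. It assumes Semaphore listens on 127.0.0.1:3000 (the port is an assumption); the hostname, certificate paths and address ranges are placeholders to replace with your own.

```nginx
# Added example (not Semaphore UI's own config): NGINX as the TLS-terminating
# reverse proxy in front of Semaphore UI. Assumptions: Semaphore listens on
# 127.0.0.1:3000; hostname, certificate paths and CIDR ranges are placeholders.

# Must live in the http {} context: per-client-address rate limit for the API
limit_req_zone $binary_remote_addr zone=semaphore_api:10m rate=10r/s;

# Redirect every plain-HTTP request to HTTPS
server {
    listen 80;
    server_name semaphore.example.internal;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name semaphore.example.internal;          # placeholder hostname

    ssl_certificate     /etc/ssl/certs/semaphore.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/semaphore.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # IP allowlist: only the private network / VPN ranges may reach the UI
    allow 10.0.0.0/8;                                # placeholder range
    allow 192.168.10.0/24;                           # placeholder range
    deny  all;

    # API (login, task control, streamed task output) carries the rate limit
    location /api/ {
        limit_req zone=semaphore_api burst=20 nodelay;
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        # Assumed: task output is streamed over WebSocket, so keep upgrade headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Static web UI
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the allowlist and the `deny all` sit at the proxy, the Semaphore process itself should bind only to the loopback address so that it is unreachable except through this configuration.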
📜 Compliance and Privacy
Semaphore UI is privacy-friendly and helps support your compliance efforts:
- GDPR: All data remains local and under your control.
- CCPA: No tracking, no profiling, no third-party data sharing.
✅ Summary
Semaphore UI is built for security and privacy by design. It gives teams the power of automation without compromising control. With proper installation and configuration, it can meet even strict internal security requirements.
Questions? Contact us at [email protected].