Obsync

Security model

Built to pass your security review.

Obsync is designed for environments where new tools are guilty until proven innocent. Every claim below is verifiable in the open-source code.

01Read-only against SQL Server

Obsync contains no code path that executes DDL or DML against your databases. Every query reads catalog metadata (sys.objects, sys.sql_modules, SMO scripting APIs). There is no deploy engine and no migration runner — restoring an old version means copying a script, never Obsync applying it. This is an architectural property you can verify in the source, not a configuration option.

02Least-privilege access

The scanning account needs exactly three permissions per database: CONNECT, VIEW DEFINITION, and VIEW DATABASE STATE. Obsync generates the precise GRANT script from inside the app so your DBA can review every line before running it. No sysadmin, no db_owner, no write permissions of any kind.

03Secrets never touch disk

SQL passwords, GitHub tokens, SMTP and proxy credentials are stored exclusively in Windows Credential Manager under the operating account, protected by DPAPI. They are never written to the local database, configuration files, logs, run reports, or support bundles.

04Zero telemetry

The application makes outbound connections to exactly two kinds of endpoints: your configured GitHub repository (to push scripts), and — if you leave update checks enabled — the public GitHub releases endpoint, which is notify-only and never auto-installs. Nothing else. No usage analytics, no crash reporting, no phoning home.

05Auditable by construction

Every job change, credential profile change, and run outcome is recorded in an append-only audit log attributed to the Windows identity that performed it, exportable as CSV or JSON. Each run produces a report (HTML/CSV/JSON) with per-object changes and the commit SHA. A versioned security review is committed to each repository, so permission drift appears in git history.

06Supply-chain honest

MIT-licensed and developed in the open. Releases are built only by GitHub Actions from tagged commits after the full test suite passes, published with SHA-256 checksums. The bundled MinGit is fetched at build time from the official git-for-windows release and verified against a pinned SHA-256. Code signing via SignPath Foundation is planned; until then, verify checksums.

Reporting a vulnerability

Please report security issues privately — via GitHub private vulnerability reporting or security@obsync.io. We acknowledge within 72 hours. See the full security policy.