TeamCity Security Features

Implement multiple layers of protection against cyber attacks in line with your organizational needs.

Your CI/CD server’s security is our top priority

Protecting your CI server requires a multi-faceted approach, with defenses in place at every layer of the stack. That’s why we’ve placed security at the heart of TeamCity. With a range of features designed to enhance the security of your continuous integration and deployment process, TeamCity helps you defend the integrity of your source code and systems.

SOC 2 Type II compliant

Awarded to organizations that have proven their ability to implement and maintain effective security controls over a specific period of time, SOC 2 Type II certification highlights TeamCity’s commitment to security.

GDPR compliant

As part of the JetBrains family of products, we process customers’ personal data in a manner compliant with the General Data Protection Regulation (GDPR).

Regular security audits

TeamCity takes security seriously by conducting regular audits – including thorough penetration testing – to fortify its infrastructure and ensure robust protection for users. The audits are conducted by Cure53, a well-known cybersecurity company.

Contact us if you would like to receive the results of the most recent audit.

TeamCity security features for every stage of your CI/CD process

Identity, authentication, and authorization

Authentication methods

TeamCity offers a choice of authentication modules combined with fine-grained permissions to configure access on a per-project basis.

Advanced integrations

Integrate TeamCity with your VCS hosting service, LDAP server, or NTLM setup to manage user accounts automatically and implement two-factor authentication (2FA) or email verification for enhanced security.

The principle of least privilege

TeamCity provides pre-configured roles that are available right after installation. You can also use custom-configured, role-based access control to mirror your organizational hierarchy and implement the principle of least privilege. Only provide users with the access rights that they need.

REST API

For requests to TeamCity’s REST API, short-lived access tokens enable the required level of access while minimizing the potential attack surface.

Secret management

TeamCity supports the use of tokens and secrets for secure storage of sensitive information, such as API keys and credentials.

Secret management vaults

Manage the secrets and credentials required to provision environments or access third-party systems in your own HashiCorp Vault or Azure Key Vault. Regardless of the source, all secrets are automatically masked in build logs to prevent them falling into the wrong hands.

Disposable build environments

With their access to source code repos and the ability to execute commands on your infrastructure, build agents are a high-value target for cyber attackers. That’s why TeamCity provides all the functionality you need to mitigate these risks.

Disposable build agents

The shorter the lifespan of a build agent, the smaller the risk of compromise. With TeamCity, you can use disposable build agents to refresh your build environments automatically at the start of each pipeline run.

Agent pools

Use TeamCity’s agent pools to control which jobs can run on each agent and keep high-risk pipelines separate from other workflows.

Clean checkout

Ensure secure access to your version control systems with SSH keys, and use TeamCity’s clean checkout feature to fetch a new copy of the source code for each pipeline run.

Secure your CI/CD pipeline with TeamCity

TeamCity Cloud

A secure CI/CD solution fully managed by JetBrains for teams that prefer using cloud services.

TeamCity On-Premises

A self-hosted CI/CD solution for companies that need more control over their continuous integration and deployment process.

Protecting the process

Your CI/CD pipeline should give you complete confidence in your latest code changes before you deploy them. Using an automated process ensures that checks are applied consistently every time.

It’s therefore essential that any changes to the pipeline are reviewed before they are applied. TeamCity’s pipeline permissions, audit logs, and configuration as code are all designed to give you full control and visibility of your continuous integration and deployment process.

Granular permissions

With TeamCity’s granular permissions model, you can restrict edit access to pipeline settings and prevent critical steps from being bypassed or modified. Use enforced settings to ensure critical security checks are always applied. Monitor and trace back changes to build or project settings from the audit log.

Configuration as code

Configure your pipeline logic as code with Kotlin DSL or XML. Record your pipeline settings in source control and put all modifications through a code review process to reduce the risk of insecure changes being applied.

Detailed build logs

In the event that security is compromised, TeamCity’s build logs provide a vital audit trail to help you track down the origin of the breach and assess the extent of the damage.

Build approval feature

Implement a manual confirmation step before critical pipeline stages with TeamCity’s build approval feature.

Audit any changes

Keep track of individuals’ actions with TeamCity’s audit feature. Identify the individual responsible for assigning roles, adding users to groups, modifying build configurations, and conducting other activities.

Let’s Encrypt integration

Let’s Encrypt is a non-profit Certificate Authority (CA) that provides TLS certificates trusted by all modern browsers. TeamCity can contact this CA to automatically issue a certificate for both your TeamCity server domain and, if configured, the artifacts isolation domain.

Continuous integration security testing

The earlier you identify and address security vulnerabilities in your source code, the smaller the potential attack surface. With TeamCity, shifting security to the left and adopting a DevSecOps process is simple.

Qodana integration

Leverage TeamCity’s out-of-the-box integration with Qodana to build static analysis into your pipeline.

Security tests

Run security tests as part of your automated test suite and get results on the fly, complete with test metadata to help you identify the source of any problems.

Pre-tested commit feature

Reduce the risk of vulnerable code entering your repos by testing your code first with the help of TeamCity’s remote run and pre-tested commit features.

Enhance CI/CD Security with TeamCity Plugins

Add extra levels of security to your CI/CD pipeline with these plugins.

Snyk Security

The Snyk plugin adds the ability to test your code dependencies for vulnerabilities against the Snyk database. The build will fail if the security scan detects that the code is vulnerable beyond what the policy allows.

Appdome Build-2Secure

With the Appdome Build-2Secure plugin, you can easily secure and customize your mobile apps on JetBrains TeamCity as part of your build and deploy process.

Checkmarx

Installed in the TeamCity environment, the Checkmarx TeamCity Plugin provides automatic code scanning upon triggered builds, seamlessly uploading project code to CxSAST.

TeamCity Cloud: A proud AWS partner

TeamCity Cloud is a recognized AWS partner with proven DevOps Software Competency status, compliant with the highest standards of security.

TeamCity security FAQ

We work with third parties and use security scanners and penetration tests to assess the security of TeamCity. Any critical security issues we discover are addressed promptly in the next bug-fix release. We recommend updating to the latest version as soon as it becomes available. With TeamCity Cloud, your build server is kept up to date automatically. We also recommend subscribing to our Security Notification Service to obtain the latest information about security issues that may affect TeamCity or other JetBrains products.

Your build agents communicate with the TeamCity server via a unidirectional polling protocol secured over HTTPS. You can also configure build agents behind a proxy if required. Access to the TeamCity web interface can be secured via HTTPS or hosted behind a reverse proxy.

Yes, when you configure pull requests as a build trigger, you can restrict the trigger either to pull requests opened by members of your GitHub organization, or to those opened by members and external collaborators. This prevents unknown third parties from running unknown code on your build agents without it being reviewed first.