Xcode Cloud security

Xcode Cloud implements multiple layers of security measures throughout its infrastructure and processes. Every build runs in an ephemeral build environment protected by strong and secure isolation boundaries.

Source control management

Source code is not persisted — it is only available in the ephemeral environment. Your credentials, such as Git tokens, are never exposed directly to a build environment.

Xcode Cloud uses secure HTTPS connections to access both public cloud and self-hosted versions of Bitbucket, GitHub, and GitLab. For self-hosted versions, Xcode Cloud accesses your source code management hosts through a limited set of Apple-owned IP address ranges.

Data encryption

Data is encrypted in transit and at rest using industry-standard strong encryption protocols to protect against unauthorized access. This includes the encryption of all output (such as artifacts and logs) from a build, test, or archive.

Auditing

Apple regularly conducts security audits and vulnerability assessments to identify and mitigate potential security risks. This helps ensure that Xcode Cloud remains a secure and reliable platform for all users.

If you believe you’ve discovered a security or privacy vulnerability that affects Xcode Cloud, please let us know. We review all eligible research for Apple Security Bounty rewards.