Developer-tools security — token storage + supply-chain + integration scope
Devtools hold customer credentials and, very often, customer source code. The Vercel Apr 2026 + Lovable Apr 2026 incidents show what happens when devtool security fails: the blast radius is every customer's downstream accounts, not just the vendor.
Top security risks
Customer credential storage breach
Devtools store API tokens for their customers' downstream services. A compromise of that token store is not one breach; it is a breach of every downstream account those tokens can reach, all at once.
Supply-chain compromise (your own stack)
A devtool that ships a malicious update compromises every customer at once. Releases need an attestation chain consumers can verify before install: SLSA provenance, wrapped in a DSSE envelope, signed through Sigstore, with the artifact digest and builder identity checked on the consuming side.
Integration scope creep
OAuth-app scopes widen release by release, and customers rarely re-review a grant they approved once; the app ends up holding far more access than the customer believes it has.
Customer source-code exposure
If your tool reads customer source, encryption at rest and per-tenant isolation are non-negotiable: one tenant's ciphertext or keys must never be usable in another tenant's context.
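The credential-storage and source-exposure risks above come down to one mechanism: encrypt each secret under a per-record data key, wrap that data key under a master key, and bind the tenant identity into both layers so a record copied across tenants cannot be opened. The following is an added example written for this page, not Securie's code; the KEK is a constructed in-memory byte slice standing in for a key held in a KMS or HSM, and tenant IDs such as "tenant-a" are illustrative.

```go
// Added example (not Securie's code): per-tenant envelope encryption of
// customer API tokens using only the Go standard library. The KEK below is
// an in-memory stand-in for a KMS/HSM-held key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedToken is the row stored at rest: the token under a per-token data
// key (DEK), and that DEK under the key-encryption key (KEK).
type WrappedToken struct {
	TenantID   string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=tenantID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, token, aad=tenantID)
}

// sealAEAD returns nonce || AES-GCM ciphertext, binding aad into the tag.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; any mismatch in key, aad or bytes fails.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt draws a fresh DEK per token, encrypts the token under it, then
// wraps the DEK under the KEK. The tenant ID is AAD at both layers, so a
// ciphertext moved into another tenant's rows fails authentication.
func Encrypt(kek []byte, tenantID, token string) (*WrappedToken, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(tenantID)
	ct, err := sealAEAD(dek, []byte(token), aad)
	if err != nil {
		return nil, err
	}
	wdek, err := sealAEAD(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &WrappedToken{TenantID: tenantID, WrappedDEK: wdek, Ciphertext: ct}, nil
}

// Decrypt takes the tenant ID from the *requesting* context, never from the
// stored row, so a cross-tenant read is rejected by the AAD check.
func Decrypt(kek []byte, requestingTenant string, w *WrappedToken) (string, error) {
	aad := []byte(requestingTenant)
	dek, err := openAEAD(kek, w.WrappedDEK, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := openAEAD(dek, w.Ciphertext, aad)
	if err != nil {
		return "", fmt.Errorf("decrypt token: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a KMS-held key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	w, err := Encrypt(kek, "tenant-a", "example-downstream-token")
	if err != nil {
		panic(err)
	}
	if _, err := Decrypt(kek, "tenant-b", w); err != nil {
		fmt.Println("cross-tenant read rejected:", err)
	}
	tok, _ := Decrypt(kek, "tenant-a", w)
	fmt.Println("tenant-a read:", tok)
}
```

Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting every token, which is the operational reason for the two-layer design; the per-tenant AAD is what turns "encrypted at rest" into an isolation property rather than just a confidentiality one.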
Regulatory context
Securie focuses on the security-engineering surface: token storage hygiene, supply-chain provenance (SLSA + Sigstore), OAuth scope minimization, and per-tenant source isolation verified on every change.
Checklist
- Customer tokens encrypted at rest (envelope encryption)
- Sigstore / SLSA attestation chain for releases
- OAuth scope review quarterly (diff the scopes currently requested against the set approved at install; any new scope is a change customers must consent to again)
- Per-tenant source-code isolation
- Sub-processor list public + actively reviewed
- Run Securie on your own product
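The supply-chain risk item and the "Sigstore / SLSA attestation chain" checklist entry both assume the consuming side actually verifies the chain. Here is an added example of what that verification looks like, written for this page and not Securie's or any project's code: a DSSE envelope over an in-toto statement with a SLSA v1 provenance predicate, checked for signature, artifact digest and builder identity. An ed25519 key generated in-process stands in for a Sigstore keyless identity; the artifact bytes, key ID and builder URL are constructed values.

```go
// Added example (not Securie's code): verifying a DSSE-wrapped SLSA v1
// provenance statement for a release artifact. The envelope layout, PAE
// encoding and statement fields follow the DSSE and in-toto/SLSA specs; the
// signing key is generated in-process in place of a Sigstore identity.
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	payloadType   = "application/vnd.in-toto+json"
	slsaPredicate = "https://slsa.dev/provenance/v1"
)

// Signature is one entry in the DSSE envelope's signature list.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64
}

// Envelope is the DSSE envelope shipped next to the release.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 in-toto statement
	Signatures  []Signature `json:"signatures"`
}

// Statement is the subset of the in-toto statement that Verify inspects.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		RunDetails struct {
			Builder struct {
				ID string `json:"id"`
			} `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

// pae is the DSSE Pre-Authentication Encoding, the bytes actually signed:
// "DSSEv1" SP len(type) SP type SP len(body) SP body.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// NewProvenance builds a minimal SLSA v1 statement naming the artifact's sha256.
func NewProvenance(name string, artifact []byte, builderID string) []byte {
	sum := sha256.Sum256(artifact)
	b, _ := json.Marshal(map[string]any{
		"_type":         "https://in-toto.io/Statement/v1",
		"predicateType": slsaPredicate,
		"subject":       []map[string]any{{"name": name, "digest": map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		"predicate":     map[string]any{"runDetails": map[string]any{"builder": map[string]string{"id": builderID}}},
	})
	return b
}

// Sign wraps the statement in a DSSE envelope with one signature over the PAE.
func Sign(priv ed25519.PrivateKey, keyID string, statement []byte) *Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, statement))
	return &Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(statement),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify rejects the release unless a signature over the PAE bytes is valid,
// the predicate is SLSA provenance, the artifact's sha256 is a listed subject,
// and the builder is the trusted one. The payload is parsed only after the
// signature check, so untrusted JSON is never interpreted first.
func Verify(pub ed25519.PublicKey, env *Envelope, artifact []byte, trustedBuilder string) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	ok := false
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			ok = true
			break
		}
	}
	if !ok {
		return errors.New("no valid signature over envelope")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return err
	}
	if st.PredicateType != slsaPredicate {
		return fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	sum := sha256.Sum256(artifact)
	want, found := hex.EncodeToString(sum[:]), false
	for _, s := range st.Subject {
		found = found || s.Digest["sha256"] == want
	}
	if !found {
		return errors.New("artifact digest is not an attested subject")
	}
	if got := st.Predicate.RunDetails.Builder.ID; got != trustedBuilder {
		return fmt.Errorf("untrusted builder %q", got)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	artifact := []byte("constructed release tarball bytes")
	builder := "https://ci.example.com/builder@v1" // constructed trusted builder ID
	env := Sign(priv, "release-key-1", NewProvenance("tool-1.2.3.tgz", artifact, builder))
	fmt.Println("genuine release:", Verify(pub, env, artifact, builder))
	fmt.Println("swapped artifact:", Verify(pub, env, []byte("something else"), builder))
}
```

With Sigstore in place of the local key, the signature step becomes a check that the certificate's identity (workflow and issuer) matches the expected builder and that the entry is present in the Rekor log; the digest and builder-ID checks against the statement stay exactly as shown, and skipping any one of them leaves a hole an attacker with a valid signing identity can walk through.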
Devtool buyers want supply-chain attestation + a per-tenant isolation guarantee + a clear data-retention policy + a signed evidence trail for every fix.