# Security ### (O) Open source by design The entire [cloud-concierge](https://github.com/dragondrop-cloud/cloud-concierge) container code is open sourced under an Apache 2.0 license, and is viewable/auditable at any time. ### (1) No sensitive data on your cloud posture ever leaves your existing tool set. * The cloud-concierge container is self-hosted for all executions * After container execution, cloud posture and codification results are exposed through a pull request within your existing VCS ### (2) cloud-concierge only requires read-only permissions for your cloud environment. When generating roles for cloud-concierge to be able to complete the requisite cloud scanning, only read-only permissions should be granted. If accessing state files from a storage bucket, then the credentials should have read access to only that storage bucket. ### (3) Changes are recommended via Pull Request, never made directly. The cloud-concierge container will never directly make changes to your Terraform code base. It will (via a [GitHub App](https://github.com/apps/cloud-concierge)) only open a Pull Request in your VCS containing recommended changes and import blocks/import statements. * Like all other code, your developers have final sign-off and approval on whether to merge the suggestions. * Comments, discussions and changes to the original cloud-concierge suggestions are all recorded within your VCS. * All Terraform workflows are run by your existing set up, be it open-source or built off a managed offering like Terraform Cloud. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.cloudconcierge.io/security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.