I tried the GitoQlok extension, but I wanted to know how reliable it is? If here the community can confirm that it is safe and reliable, if it is used by many within Qlik, because when configuring it, in the migration area it has permission to access all the data on my server, users, applications, template, policies server security, and I don't know how secure it is.

Hello Richard3

I provide you with detailed technical information about the operation of the Gitoqlok. You can find out more on https://docs.gitoqlok.com/

How Gitoqlok works under the hood (Qlik Sense integration, Chrome extension, authentication, access method)?

Gitoqlok is running as Chrome extensions so all requests to the Qlik are made using a context of the opened tab with Qlik application. So the additional authentication is not needed to connect to Qlik. We are using the next APIs:

1) JSON Engine QIX API (https://qlik.dev/apis/json-rpc/qix)

2) QRS API for the Qlik Enterprise (https://help.qlik.com/en-US/sense-developer/May2023/APIs/RepositoryServiceAPI/index.html)

3) REST API for the Qlik Enterprise and Qlik Cloud (https://qlik.dev/apis/rest/apps, https://qlik.dev/apis/rest/spaces, https://qlik.dev/apis/rest/items, https://qlik.dev/apis/rest/reload-tasks, https://qlik.dev/apis/rest/data-connections, https://qlik.dev/apis/rest/users, https://qlik.dev/apis/rest/data-connections, https://qlik.dev/apis/rest/themes, https://qlik.dev/apis/rest/data-connections)

- What type of Qlik Sense repository and app data does the software have access to?

Because of using existing Qlik session, Gitoqlok has access to all API endpoints and has the same access rights as an authenticated Qlik user.

- How is the data transfer between Qlik Server, Gitoqlok, and the git repository secured?

Gitoqlok is using internal chrome messaging API to communicate between context script (that is running on the context of opened Qlik tab), opened extensions popup and background service worker - https://developer.chrome.com/docs/extensions/reference/tabs/#method-sendMessage

To pass data to the GIT server, we are using REST api of the given GIT server, using the protocol that user has provided (http or https), with the authorization method that recommended by the GIT provider. User have to set-up authorization to GIT server manually using Personal Access Token or application password

https://docs.github.com/en/rest?apiVersion=2022-11-28

https://docs.gitlab.com/ee/api/rest/

https://developer.atlassian.com/cloud/bitbucket/rest/intro/

https://developer.atlassian.com/server/bitbucket/rest/v811/

https://learn.microsoft.com/en-us/rest/api/azure/devops/git/

https://docs.gitea.com/next/development/api-usage

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/

- Which my private data will be stored by Motio or any third parties involved? Is the data encrypted? Please share your policy on handling such data.

We do not store any user and Qlik data on our servers (instead of License).

We use Google Analytics to collect statistics on the number of clicks on some Gitoqlok buttons, and this can be disabled in the Gitoqlok settings.

- Does the software provide any access control logs?

Gitoqlok collects a history of all REST requests that are made in context of the opened Qlik tab and Gitoqlok popup. History is stored in the browser local storage and is deleted when the tab is closed. So in case of some error user is able to use "Download logs" context menu item, and attach a log-file to the issue ticket to our support team. In that log file, all passwords are masked.