Security

Define rules that require human sign-off before findings are acted on. Nothing proceeds without explicit approval.

Findings that match your policy rules enter a review queue. You approve or reject before anything proceeds.

Every event is recorded in an append-only ledger with timestamps and SHA-256 checksums. Verify integrity, export, and audit the full history.

Scans run on your device. Only finding metadata is uploaded: rule IDs, severity, file paths, and line numbers. Source code never leaves your machine.

Repository tokens are encrypted server-side with Fernet (AES-128-CBC + HMAC-SHA256). Tokens are decrypted only during scan config fetch and never returned in API responses.

All payment processing is handled by Stripe. We never see, store, or process credit card numbers. Stripe is PCI DSS Level 1 certified.

All auth and scan endpoints are rate-limited per client IP. Brute-force login attempts are blocked after 5 tries per minute.

Enterprise SSO via SAML/OIDC for centralized identity management.