Security
Last updated 2026-05-23 · responsible-disclosure inbox [email protected]
Data handling
- Findings are stored as fingerprints, file path, line, and a snippet — never the full source.
- Repository archives are downloaded into memory, scanned, and discarded inside the same request lifecycle.
- The LLM-review and enrichment paths run snippets through a privacy redactor that strips Stripe / AWS / GitHub / Anthropic keys, PEM blocks, JWTs and email addresses before any text leaves the worker.
- Audit log entries record every privileged action with the actor, target and timestamp; viewable in Settings → Audit log.
Authentication
- Passwords hashed with bcrypt (cost factor 12). Minimum 12 characters with ≥2 character classes; dictionary stems rejected.
- Auth.js (v5) backs sign-in. JWT sessions over HttpOnly + Secure + SameSite cookies.
- API tokens are SHA-256-hashed at rest. Only the prefix is shown after creation.
- GitHub OAuth uses the minimum scopes sufficient to list repos and download archives. Disconnectable from Settings.
- Password resets invalidate all DB-backed sessions and outstanding reset tokens in the same transaction.
Network & transport
- TLS 1.2+ everywhere. HSTS sent with max-age=63072000; includeSubDomains; preload.
- Nonce-based Content-Security-Policy (no inline scripts) with upgrade-insecure-requests, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy denying camera, microphone, geolocation and FLoC.
- All mutating routes verify the Origin header — CSRF is blocked even when cookies leak.
- Outbound webhooks (notifications, runtime URL scan) refuse private IP ranges and cloud metadata addresses.
- Stripe webhook + GitHub webhook signatures verified with constant-time comparison.
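The private-range and cloud-metadata refusal described above for outbound webhooks, as an added TypeScript example (not the project's own code): isBlockedAddress checks one literal address against a constructed denylist, and isSafeWebhookTarget applies it to a URL together with the addresses the caller has already resolved for its hostname. Function names, the denylist and the hostnames are assumptions.

```typescript
import { isIPv4, isIPv6 } from "node:net";

// Constructed denylist (assumption, not the project's list): "this network", RFC 1918,
// CGNAT, loopback, link-local (which includes 169.254.169.254, the usual cloud
// metadata endpoint), multicast and reserved space.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];
// Hostnames metadata services answer to besides their IP (assumed list).
const BLOCKED_HOSTS = new Set(["localhost", "metadata", "metadata.google.internal"]);

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
}

function inCidr(ip: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return (v4ToInt(ip) & mask) === (v4ToInt(base) & mask);
}

// True when a literal IPv4/IPv6 address must not be connected to. Non-addresses
// are rejected too: hostnames have to be resolved before they reach this check.
function isBlockedAddress(addr: string): boolean {
  const a = addr.toLowerCase().replace(/^\[|\]$/g, "");  // strip IPv6 brackets
  if (isIPv4(a)) return BLOCKED_V4.some(([base, bits]) => inCidr(a, base, bits));
  if (!isIPv6(a)) return true;
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
  if (mapped) return isBlockedAddress(mapped[1]);
  if (a === "::" || a === "::1") return true;               // unspecified, loopback
  const first = a.split(":")[0];
  if (/^f[cd][0-9a-f]{2}$/.test(first)) return true;       // fc00::/7 unique-local (covers fd00:ec2::254)
  if (/^fe[89ab][0-9a-f]$/.test(first)) return true;       // fe80::/10 link-local
  if (/^ff[0-9a-f]{2}$/.test(first)) return true;          // ff00::/8 multicast
  return false;
}

// `resolved` is every address the caller obtained for url.hostname; all of them
// must pass, so a name that mixes public and private answers is refused.
function isSafeWebhookTarget(url: string, resolved: string[]): boolean {
  let u: URL | null = null;
  try { u = new URL(url); } catch { /* malformed URL */ }
  if (!u || u.protocol !== "https:") return false;
  if (BLOCKED_HOSTS.has(u.hostname) || u.hostname.endsWith(".internal")) return false;
  const literal = u.hostname.replace(/^\[|\]$/g, "");
  if ((isIPv4(literal) || isIPv6(literal)) && isBlockedAddress(literal)) return false;
  return resolved.length > 0 && resolved.every((ip) => !isBlockedAddress(ip));
}
```

The check is only as good as the address actually connected to: resolve once, vet the result, pin the connection to that address, and repeat the check on every redirect hop, otherwise a name that re-resolves between check and connect bypasses it.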
Database & secrets
- Postgres in Supabase (or your choice) with row-level workspace isolation enforced server-side via organizationId scoping on every query.
- Connection strings, OAuth secrets, Stripe keys and email API keys live in the platform secret manager. They are never committed.
- One environment per deployment; staging and production credentials are distinct.
- Database backups and restore windows depend on the configured Postgres provider and deployment plan.
Application security
- The CLI offline scanner runs against the app in CI, alongside unit tests, typecheck, lint and production build.
- 200+ unit tests, full typecheck and lint are required before deploy.
- Dependency advisories are checked with npm audit --omit=dev in CI.
- SSRF, XSS, CSRF, IDOR, weak-crypto and stack-disclosure checks live in lib/scanner/engine.ts — what we ship to customers is what we use on ourselves.
Incident response
Suspected security issues land at [email protected] (PGP key on request). We triage within one business day, acknowledge inside 48 hours, and ship a fix or mitigation as soon as practical. Material customer-affecting incidents are disclosed to affected workspaces inside 72 hours.
Responsible disclosure
We support security researchers under a good-faith policy: please give us a reasonable disclosure window (typically 30 days), do not exfiltrate beyond what proves the bug, and avoid touching customer data you don't own. We will not pursue legal action against researchers acting in good faith and will credit you publicly with consent.
SOC 2 Type I report in scope for Q4. DPA available on request to [email protected].