Zero permanent storage. Per-org encryption. Sandboxed scanners. Every security guarantee backed by architecture, not policy.
Security isn't a feature we added — it's how the platform works. Every design decision prioritizes data isolation and minimal access.
Source code is cloned, scanned, and deleted. Never stored permanently. Maximum 2-hour lifetime, enforced by scheduled cleanup.
Each org gets its own encryption key. Credentials are isolated — one org's breach can't compromise another.
SAST tools run in Docker with no network, read-only filesystem, and strict resource limits.
We use read-only VCS tokens. No writes to your repo except remediation PRs you explicitly approve.
When you connect a repository, we create an encrypted LUKS volume with an ephemeral key, then shallow clone (depth=1) into it. Even an operator with root access sees only ciphertext. After scanning, the volume is destroyed and the key is zeroed from memory. A scheduled cleanup job guarantees removal within 2 hours.
Full transparency into what we hold, what's currently checked out, and instant deletion when you disconnect. Every data operation is logged immutably.
Disconnecting a repo removes all findings, scans, facts, and evidence packs instantly. Nothing is retained after you disconnect.
Every deletion event is logged immutably with record counts — how many findings, facts, and evidence packs were removed. Auditors can verify complete data removal.
View active checkouts in your dashboard, see encryption status for each, and watch the auto-delete countdown. You always know exactly what we hold.
Every organization gets its own encryption key, wrapped by a master key. Compromise of one org's data cannot expose another's credentials.
All communication encrypted in transit via TLS. Internal services use private networking — not exposed to the public internet.
External SAST tools execute inside isolated Docker containers with strict security constraints. Only SARIF output leaves the container.
Container flags: --network none, --read-only, --cap-drop ALL, --no-new-privileges, /workspace mounted :ro, --tmpfs /tmp.
When AI agents generate code fixes, they run inside a hardened Docker container with complete network isolation. GitHub tokens and API keys are handled exclusively on the host — the container never sees them.
Container flags: --network none, --cap-drop ALL, --read-only, --no-new-privileges.
Additional controls: network proxy, binary allowlist, subcommand deny, shell operator reject, branch validation, multi-stage build, non-root user, 256 PID limit.
Every database table is scoped by orgId. All queries filter by the authenticated user's organization. No cross-org access is possible through the API. Each scan uses a unique temp directory.
Every significant action logged immutably with timestamps, actor identity, and org scoping. Includes SHA-256 hashes for tamper detection. Events cannot be modified or deleted.
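The hash-sealed audit log described above, as an added example that is not the platform's own code: events carry a timestamp, actor identity and orgId, deletion events carry the record counts mentioned earlier, and each entry's SHA-256 hash also covers the previous entry's hash (an assumed chaining design, not stated on the page) so that an edited or removed entry fails verification.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed example, not the platform's own code: an append-only audit log
# sealed with SHA-256 hashes. Chaining each entry to the previous hash is an
# assumption; the page only states that SHA-256 hashes are included.
GENESIS_HASH = "0" * 64


def _canonical(entry: Dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so hashes are reproducible.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, entry: Dict) -> str:
    # Each hash commits to the previous hash and to every field of the entry.
    return hashlib.sha256(prev_hash.encode() + _canonical(entry)).hexdigest()


def append_event(log: List[Dict], timestamp: str, actor: str, org_id: str,
                 action: str, counts: Optional[Dict[str, int]] = None) -> Dict:
    # Record timestamp, actor identity and org scoping, then seal the entry.
    entry = {"timestamp": timestamp, "actor": actor, "orgId": org_id,
             "action": action, "counts": counts or {}}
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    sealed = dict(entry, hash=_entry_hash(prev_hash, entry))
    log.append(sealed)
    return sealed


def verify_log(log: List[Dict]) -> Optional[int]:
    # Recompute every hash from genesis. Returns None if the chain is intact,
    # else the index of the first entry that fails (an edit or a deletion of
    # any earlier entry breaks every hash from that point on).
    prev_hash = GENESIS_HASH
    for i, sealed in enumerate(log):
        entry = {k: v for k, v in sealed.items() if k != "hash"}
        if _entry_hash(prev_hash, entry) != sealed["hash"]:
            return i
        prev_hash = sealed["hash"]
    return None


def demo_log() -> List[Dict]:
    # Constructed sample events: a scan, then a disconnect that records how
    # many findings, facts and evidence packs were removed.
    log: List[Dict] = []
    append_event(log, "2024-01-01T10:00:00Z", "user:alice", "org_a", "repo.scan")
    append_event(log, "2024-01-01T11:30:00Z", "user:alice", "org_a",
                 "repo.disconnect", {"findings": 12, "facts": 40, "evidencePacks": 3})
    return log
```

An auditor verifying complete removal would check that `verify_log` returns `None` and then read the counts from the sealed disconnect event.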
Production database requires explicit authorization. Tokens encrypted at rest (AES-256-GCM) — no plaintext admin view. Per-org isolation means one org's key can never decrypt another's credentials.
Found a vulnerability? Report it to [email protected]. We acknowledge receipt within 48 hours and work with you on resolution.
We're happy to walk through our architecture with your security team.