Security & Privacy Policy
How we handle your code
VibeScan processes your code in ephemeral containers that are destroyed immediately after each scan. Your source code is never written to a database, never logged, and never persisted to disk beyond the scan duration. There is no mechanism to retrieve submitted code after a scan completes.
What we store
- Finding metadata — severity, category, scanner, title, relative file path, line numbers, remediation hint, and a fingerprint hash for deduplication.
- Evidence excerpts — maximum 2,000 characters of surrounding code context per finding, with all secrets replaced with [REDACTED].
- Scan summary — risk score (0–100), finding counts by severity, languages detected, scan duration.
- Usage counters — scans used this billing cycle, rate limit state.
- Account data — email, name, OAuth provider ID, hashed session tokens, encrypted integration tokens.
What we never do
- We never sell your data or share it with third parties.
- We never use your code to train AI models. We don't run any LLM.
- We never store raw secrets found during scanning. Evidence is always redacted.
- We never log request bodies containing your code.
- We never retain your code after a scan completes.
- We never store GitHub tokens in plaintext. Installation tokens are encrypted at rest with AES-256-GCM.
Scanner licensing
- Gitleaks — MIT license (v8.18.4)
- Betterleaks — MIT license (v1.1.1)
- Opengrep — LGPL 2.1 license (v1.16.5)
- OSV.dev — Apache 2.0 (data API)
VibeScan does not use TruffleHog (AGPL) or Semgrep registry rules (proprietary SaaS restriction).
Authentication
API access requires a key starting with vsk_. Keys are SHA-256 hashed before storage — we never store or have access to your plaintext key after creation. Human users authenticate via OAuth (GitHub/Google) with HttpOnly session cookies. No JWT in URLs. No localStorage tokens.
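As an added illustration of the key-handling scheme described above (example code written for this page, not VibeScan's own implementation): the server keeps only the SHA-256 digest of each vsk_ key, so the plaintext exists only in the one response that returns it to the user. The 256-bit random key body and the in-memory table standing in for the key database are assumptions.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

KEY_PREFIX = "vsk_"  # prefix stated on the page


def generate_api_key() -> str:
    """Issue a new key: vsk_ prefix plus a 256-bit random body (assumed format).
    A high-entropy random key can safely be stored as a plain SHA-256 digest;
    a slow password hash is only needed for low-entropy, user-chosen secrets."""
    return KEY_PREFIX + secrets.token_urlsafe(32)


def hash_api_key(api_key: str) -> str:
    """The only form of the key that is ever written to storage."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Stand-in for the key table (assumed): maps sha256(key) -> tenant_id."""

    def __init__(self) -> None:
        self._tenant_by_hash: Dict[str, str] = {}

    def create_key(self, tenant_id: str) -> str:
        api_key = generate_api_key()
        self._tenant_by_hash[hash_api_key(api_key)] = tenant_id
        # Returned exactly once; after this the plaintext is unrecoverable.
        return api_key

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the owning tenant_id, or None if the key is unknown.
        Lookup is by digest, so no plaintext comparison ever happens."""
        if not presented.startswith(KEY_PREFIX):
            return None
        return self._tenant_by_hash.get(hash_api_key(presented))

    def revoke(self, presented: str) -> bool:
        """Revocation also works from the digest alone."""
        return self._tenant_by_hash.pop(hash_api_key(presented), None) is not None

    def stored_values(self) -> List[str]:
        """Everything persisted: digests only, never a vsk_ key."""
        return list(self._tenant_by_hash.keys())
```

Because authentication resolves a key to a tenant_id, the same lookup is what scopes every later query to that tenant.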
Infrastructure
VibeScan runs on AWS (ECS Fargate, Aurora PostgreSQL, ElastiCache Redis, S3, SQS). All data encrypted in transit (TLS 1.3) and at rest (AES-256 via AWS KMS). WAF protects against common web attacks. All infrastructure is defined as code (CDK).
Tenant isolation
Every database query includes a tenant_id filter. There is no mechanism — by design — for one tenant's data to be accessed by another. API keys, scans, findings, and integrations are all tenant-scoped.
Data retention
Scan findings: 90 days (Free), 1 year (Pro/Pro+), 2 years (Max). Uploaded artifacts expire within 1 hour. You can request deletion at any time: support@localhost.
Responsible disclosure
Found a security issue in VibeScan itself? Email security@localhost. We aim to respond within 48 hours.