Appendix C · Security
How we handle your code
Last updated 2026-07-07
An audit tool asks for a lot of trust. Here is exactly what happens to your code when CodeTruss scans it, and the boundaries we hold ourselves to.
Read-only, never executed, always deleted
Each scan downloads your repository as a GitHub tarball — a plain archive of files. No git clone, so no repo hooks can ever run. The archive is extracted into a temporary workspace with hard caps (30,000 files, 400 MB uncompressed, 25 MB per file), analyzed statically — your code is never executed or imported — and the workspace is deleted when the scan finishes, on success and on failure alike. What persists is metadata: paths, sizes, languages, findings, scores. Never your source.
Least-privilege GitHub access
The CodeTruss GitHub App requests only what the product needs: repository contents (read/write — snapshots in, fix-PR branches out), pull requests (read/write), issues (read/write, for roadmaps and milestones), and metadata (read). Operations run on installation tokens that expire after about an hour. Uninstall the app and all access ends immediately. CodeTruss never pushes to your default branch — every change arrives as a pull request you review.
Tenant isolation and encryption
Every piece of tenant data is scoped to your organization, and every API path re-checks that scope with role-based access control — cross-tenant references simply 404. Bring-your-own AI provider keys are encrypted at rest with AES-256-GCM and are write-only through the API (we show you the last four characters, nothing more). Passwords are bcrypt-hashed; all traffic is TLS; Stripe webhooks are signature-verified.
What leaves our systems
Three things, all documented in the privacy policy: architecture facts to your AI provider for report generation (never raw source), the contents of affected files when — and only when — you approve a fix PR (max 4 files, bring your own keys on Pro+ to keep it in your account), and direct dependency names + versions to OSV.dev for the vulnerability check.
Defensive by design
Analyzers and AI prompts are scoped to defensive code health: exposed secrets are reported by location and type — never their value — and the system does not generate exploit code or offensive tooling.
Who processes your data (subprocessors)
We keep the list of third parties short and name every one: Supabase (our Postgres database), Vercel (hosting), Stripe (billing — no card data ever touches our servers), Resend (transactional email), GitHub (repository access via our App), and OSV.dev (which receives only dependency names and versions for the vulnerability check). Your chosen AI provider — Anthropic, OpenAI, or Google — is used only when you enable AI features, and on Pro+ plans you can point it at your own account with your own keys.
Data retention
The repository snapshot is the sensitive part, and it does not linger: each scan deletes its workspace the moment the scan finishes — on success and on failure alike. What we keep afterward is metadata — paths, sizes, languages, findings, scores, and reports — and we keep it until you delete it. Nothing is retained “just in case.”
Deleting your data
Deleting a repository from the dashboard removes its metadata, findings, scans, and reports right away. To delete an entire account or organization, email sales@codetruss.com from your account address and we will remove your data from production within 30 days. Full details are in the privacy policy.
Reporting a vulnerability
Found a security problem in CodeTruss? Email sales@codetruss.com with details and we will respond quickly — we are a small team and reports go straight to the people who can fix them. Please give us a reasonable window to patch before public disclosure.