privacy

data provenance, on-chain sourcing, privacy policy.
local scanning
the scanner runs entirely on your machine. during a local scan, no data is transmitted to any server. your source code, environment variables, and file contents stay on your machine at all times.
attestation requests
when you request a witnessed attestation, the scanner sends a report envelope. this envelope contains:
transmitted: input hash, rule pack hash, engine version, findings, score, grade
never sent: source code, file contents, environment variables, secrets
data retention
attestation envelopes are stored for verification. the server does not log request bodies on scan endpoints. error handlers exclude submitted content from logs.
metadata awareness
file paths in findings may reveal project structure. consider this when sharing attestations publicly.
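one way to review an envelope before sharing an attestation publicly, as an added example that is not the scanner's own code: it checks the top-level fields against the transmitted list above and summarizes the directory structure that finding paths expose. the json layout, the snake_case key names and the per-finding `path` field are assumptions, since this page does not define the envelope schema.

```python
import json
from pathlib import PurePosixPath

# Fields this page lists as transmitted; the snake_case spellings are assumed.
ALLOWED_KEYS = {"input_hash", "rule_pack_hash", "engine_version",
                "findings", "score", "grade"}


def audit_envelope(envelope: dict) -> dict:
    """Report unexpected top-level keys and the project structure
    revealed by file paths in findings."""
    unexpected = sorted(set(envelope) - ALLOWED_KEYS)

    paths = set()
    for finding in envelope.get("findings") or []:
        if not isinstance(finding, dict):
            continue
        # "path" is an assumed name for the file path attached to a finding.
        p = finding.get("path")
        if isinstance(p, str) and p:
            paths.add(p.replace("\\", "/"))  # normalize Windows separators

    # Every parent directory of every path is structure a reader can infer.
    dirs = set()
    for p in paths:
        for parent in PurePosixPath(p).parents:
            if str(parent) not in (".", "/"):
                dirs.add(str(parent))

    return {"unexpected_keys": unexpected,
            "paths": sorted(paths),
            "directories": sorted(dirs)}


# Constructed sample envelope, not real scanner output.
SAMPLE = {
    "input_hash": "sha256:<constructed>",
    "rule_pack_hash": "sha256:<constructed>",
    "engine_version": "0.0.0",
    "score": 72,
    "grade": "C",
    "env": {"EXAMPLE_VAR": "placeholder"},  # not on the transmitted list
    "findings": [
        {"rule": "example-rule-1", "path": "services/billing/webhook.py"},
        {"rule": "example-rule-2", "path": "infra\\terraform\\prod\\main.tf"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_envelope(SAMPLE), indent=2))
```

an empty `unexpected_keys` list and a `directories` list you are comfortable publishing are the two things to confirm before the attestation leaves your machine.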
Crest Deployment Systems LLC