Security & trust

We only read what we need

Depswright works with manifest files and lockfiles. No source code. No environment credentials. No production access.

Security pillars

Minimal permissions

The GitHub App requests read-only access to contents (manifests/lockfiles only). It cannot read source code, write to branches, or access secrets. The token scope is documented in our GitHub App manifest.

No source code, ever

We analyze dependency manifests — package.json, Cargo.toml, go.mod, etc. — not your application code. We don't clone your repo. We don't see your business logic, credentials, or data.

Encrypted in transit and at rest

All communication between your CI/CD pipeline and Depswright servers uses TLS 1.2+. Stored scan data is encrypted at rest using AES-256. Encryption keys are managed per-tenant and rotated regularly.

Token management

API keys are hashed before storage. You can revoke tokens from the dashboard at any time. Tokens are scoped to specific repos and can be given expiry dates. No shared API keys.
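The properties listed above (keys hashed before storage, scoped to specific repos, optional expiry, revocation) are what a practitioner would check for in any API-key store. The following is an added illustration, not Depswright's code: a small in-memory key store showing one way those properties fit together. The record layout, the `keyid.secret` token format and the use of SHA-256 for high-entropy tokens are assumptions for this example.

```python
# Added example, not Depswright's implementation. Demonstrates an API-key
# store where the plaintext secret is returned once at issue time and only
# its SHA-256 digest is kept, with per-repo scope, expiry and revocation.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredKey:
    key_hash: bytes                # SHA-256 of the secret; plaintext is never kept
    repos: frozenset               # repositories this token is allowed to scan
    expires_at: Optional[float]    # Unix time, or None for no expiry
    revoked: bool = False


class KeyStore:
    def __init__(self) -> None:
        self._keys: dict[str, StoredKey] = {}   # key id -> record (assumed layout)

    @staticmethod
    def _digest(secret: str) -> bytes:
        # Secrets are 32 random bytes, so a plain SHA-256 is adequate here.
        # A slow password hash is only needed for low-entropy, human-chosen secrets.
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, repos, ttl_seconds: Optional[float] = None,
              now: float = 0.0) -> str:
        """Create a token scoped to `repos`; the plaintext is shown to the caller once."""
        key_id = secrets.token_hex(8)            # public identifier, safe to log
        secret = secrets.token_urlsafe(32)       # base64url alphabet, never contains '.'
        expires = now + ttl_seconds if ttl_seconds is not None else None
        self._keys[key_id] = StoredKey(self._digest(secret), frozenset(repos), expires)
        return f"{key_id}.{secret}"              # assumed token format: keyid.secret

    def revoke(self, key_id: str) -> None:
        rec = self._keys.get(key_id)
        if rec is not None:
            rec.revoked = True

    def authorize(self, token: str, repo: str, now: float) -> bool:
        """Return True only if the token is valid, unexpired, not revoked and scoped to `repo`."""
        try:
            key_id, secret = token.split(".", 1)
        except ValueError:
            return False
        rec = self._keys.get(key_id)
        if rec is None:
            # Hash anyway so an unknown id costs the same time as a wrong secret.
            hmac.compare_digest(self._digest(secret), b"\0" * 32)
            return False
        if not hmac.compare_digest(self._digest(secret), rec.key_hash):
            return False
        if rec.revoked:
            return False
        if rec.expires_at is not None and now >= rec.expires_at:
            return False
        return repo in rec.repos


if __name__ == "__main__":
    store = KeyStore()
    tok = store.issue(["acme/api"], ttl_seconds=3600, now=1000.0)
    print("scoped repo, in time:", store.authorize(tok, "acme/api", now=2000.0))
    print("other repo:", store.authorize(tok, "acme/web", now=2000.0))
    print("after expiry:", store.authorize(tok, "acme/api", now=5000.0))
```

The comparison of digests uses `hmac.compare_digest` so that lookup time does not depend on how many leading bytes match, and an unknown key id still performs a hash so that valid and invalid ids are not distinguishable by timing. Because only the digest is stored, a copy of the key table is not enough to reconstruct working tokens.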

Audit logs

Every scan, alert, and policy change is logged with timestamps, user IDs, and IP addresses. Scale plan subscribers can export audit logs for compliance review. Logs are retained for 90 days.

Responsible disclosure

Found a vulnerability in Depswright itself? Email [email protected]. We respond within 48 hours and coordinate disclosure responsibly.

Data handling

What we store and for how long

Data type          | What we store                             | Retention
Manifest files     | File contents fetched at scan time        | Deleted after scan completes
Scan results       | Resolved graph + policy evaluation output | 90 days (configurable on Scale)
Audit logs         | User actions, scan triggers, API calls    | 90 days
Source code        | Not accessed, not stored                  | N/A
Secrets / env vars | Not accessed, not stored                  | N/A

Questions about security?

Contact us directly at [email protected] — or review our Privacy Policy and Terms of Service.