Ship Safe

How we handle your code

79% of security teams say data residency and security requirements are essential when evaluating tools. Here is exactly what Ship Safe does — and does not do — with your source code.

Ephemeral access

We shallow-clone your repo into an isolated sandbox, run the scan, and delete the clone immediately. Code never persists on our infrastructure beyond the scan window.

Encrypted tokens

Your GitHub OAuth token is encrypted at rest with AES-256-GCM. The encryption key is stored separately from the database. Revoking your token in GitHub instantly cuts our access.
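As an added illustration of the control above, not Ship Safe's own code, this Go snippet shows what AES-256-GCM encryption of a stored OAuth token looks like when the key is supplied from outside the database and the owning record id is bound to the ciphertext as additional authenticated data. The function names and the record-id scheme are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds an AES-GCM instance; a 32-byte key selects AES-256. The key
// is meant to come from a secrets store kept separate from the token database.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts an OAuth token under a fresh random nonce and binds the
// owning record id as AAD, so a ciphertext moved to another row fails to open.
func sealToken(key []byte, recordID, token string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored column layout: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, []byte(token), []byte(recordID)), nil
}

// openToken reverses sealToken. Tampering, a wrong key or a mismatched
// record id all surface as an error, never as a wrong token.
func openToken(key []byte, recordID string, sealed []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", errors.New("sealed token too short")
	}
	pt, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Because the record id is authenticated along with the token, a database-level attacker who swaps ciphertexts between rows gets a decryption failure rather than another customer's token.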

No telemetry on your code

We do not log, index, or transmit your source code to our own analytics. Scanner output (findings, line numbers, snippets) is retained for your dashboard; raw code is not.

Read-only by default

Ship Safe never pushes to your repo without an explicit click. Auto-fix PRs are opened on a safeship/fix-* branch and require your review and merge.

Full audit trail

Every action is logged to an append-only audit log: scan created, scan completed, fix triggered, PR opened, report generated. Your SOC 2 evidence pack includes this trail.

Isolated infrastructure

Each scan runs in its own sandboxed container with a 500 MB size cap and 5-minute timeout. Scans cannot access other customers’ data or escape the sandbox.

Minimal permissions

We request only the GitHub scopes needed to clone and (optionally) open PRs. We never request admin, delete, or organization management permissions.

Data residency

Scan infrastructure runs on Railway. Database and object storage are provisioned in the US. If your compliance requires a specific region, contact us to discuss options.

What we explicitly do NOT do

  • We do not train AI models on your source code or findings.
  • We do not store your source code after the scan completes.
  • We do not auto-merge any pull request. You review, you merge.
  • We do not share your scan results with third parties.
  • We do not persist customer source code in our own telemetry or logging.

Questions about security?

We are happy to fill out your security questionnaire or discuss our controls in detail.