Trust & security

We ingest other people's code. We treat all of it as hostile.

A security product that gets breached is finished. Here's exactly how we handle the code and URLs you give us — and how we hold ourselves to the same bar we hold you.

Static analysis only

We read your files; we never install or run your code. No npm install, no executing user scripts.

Offline sandbox

Scanners run in an ephemeral container with no outbound network, as a non-root user, on a read-only filesystem, with CPU, memory, time, and file-count limits. One scan can never touch another.
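As an added illustration, not Hullchecks' own launcher, here is one way to get every property in that list from plain docker run flags plus two host-side checks (file count before launch, a hard wall clock around the run). The image name, the scan entrypoint and the specific limit values are assumptions; the flags themselves are standard Docker CLI options.

```python
"""Per-scan sandbox launcher. Added example, not Hullchecks' own code:
one way to obtain the properties the page lists using docker run flags.
SCANNER_IMAGE and the 'scan /scan' entrypoint are assumptions."""
import os
import subprocess
import uuid

SCANNER_IMAGE = "example/hullchecks-scanner:latest"  # hypothetical image name


def count_files(root: str) -> int:
    """Count regular files under root without following symlinks, so a
    symlink loop or a link into /proc can't inflate or stall the count."""
    total = 0
    for _dir, _subdirs, files in os.walk(root, followlinks=False):
        total += len(files)
    return total


def sandbox_cmd(upload_dir: str, name: str, *, cpus: float = 1.0,
                memory_mb: int = 512, max_pids: int = 64,
                max_open_files: int = 256) -> list[str]:
    """docker run argument list for one scan: ephemeral, no network, non-root,
    read-only rootfs, capped CPU/memory/processes/open files. The upload is
    bind-mounted read-only; the only writable path is a small noexec tmpfs."""
    return [
        "docker", "run", "--rm", "--name", name,
        "--network", "none",                       # no outbound (or inbound) network
        "--user", "65534:65534",                   # nobody:nogroup, never root
        "--read-only",                             # immutable root filesystem
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",     # setuid binaries can't escalate
        "--cpus", str(cpus),
        "--memory", f"{memory_mb}m",
        "--memory-swap", f"{memory_mb}m",          # same value as --memory: no swap
        "--pids-limit", str(max_pids),             # fork-bomb ceiling
        "--ulimit", f"nofile={max_open_files}:{max_open_files}",
        "--tmpfs", "/tmp:rw,size=64m,noexec,nosuid",
        "--mount", f"type=bind,src={upload_dir},dst=/scan,readonly",
        SCANNER_IMAGE, "scan", "/scan",
    ]


def run_scan(upload_dir: str, *, max_files: int = 5000,
             timeout_s: int = 120) -> tuple[int, str]:
    """Enforce the file-count limit before launch, then run the scan under a
    hard wall-clock limit. A fresh container name per call keeps scans apart."""
    n = count_files(upload_dir)
    if n > max_files:
        raise ValueError(f"upload has {n} files; limit is {max_files}")
    name = f"scan-{uuid.uuid4().hex[:12]}"
    try:
        proc = subprocess.run(sandbox_cmd(upload_dir, name), capture_output=True,
                              text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # Killing the docker client does not kill the container; do it explicitly.
        subprocess.run(["docker", "rm", "-f", name], capture_output=True)
        return 124, "scan exceeded time limit"
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print(" ".join(sandbox_cmd("/srv/uploads/demo", "scan-demo")))
```

Two points worth noting: the file count is taken on the host before the container starts, because nothing that runs inside the sandbox can be trusted to report it, and the timeout handler removes the container by name, since a killed docker client leaves the container running. Kernel-level hardening (seccomp and AppArmor profiles, user namespaces) sits underneath these flags and is not shown here.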

Secrets redacted before storage

We detect secrets, so we must never keep them. We store a masked locator — “AWS key at config.js:12” — never the value.
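An added example of that record shape, not Hullchecks' detector: the patterns, the fingerprint key and the sample file are constructed for illustration. A finding carries the secret type, path and line plus a keyed fingerprint for correlating repeats; the matched value itself never leaves the scanning function, and the stored record is checked for it.

```python
"""Secret detection that records a masked locator, never the value.
Added example; the patterns, key and sample file are constructed and are
not Hullchecks' rule set."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Constructed detection rules: a few high-precision token shapes.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed per-deployment key for the keyed fingerprint. In production
# this comes from a secret store, not from source.
FINGERPRINT_KEY = b"example-fingerprint-key-rotate-me"


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    line: int
    fingerprint: str  # keyed hash prefix: correlates repeats, cannot be inverted

    def locator(self) -> str:
        return f"{self.kind} at {self.path}:{self.line}"


def fingerprint(secret: str) -> str:
    """Short HMAC-SHA256 of the value. A plain hash would let anyone holding
    the stored record confirm a guessed low-entropy secret; the key prevents that."""
    return hmac.new(FINGERPRINT_KEY, secret.encode(), hashlib.sha256).hexdigest()[:12]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line; keep position and type, drop the match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, path, lineno, fingerprint(match.group(0))))
    return findings


def to_storage_record(findings: list[Finding]) -> str:
    """What gets persisted: locators and fingerprints as JSON, no values."""
    return json.dumps(
        [{"locator": f.locator(), "fingerprint": f.fingerprint} for f in findings]
    )


# Constructed sample upload: 11 harmless lines, then a key on line 12.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS's own documentation.
SAMPLE_CONFIG_JS = "\n".join(
    ["// constructed sample config"]
    + [f"const setting{i} = {i};" for i in range(1, 11)]
    + ["const awsKey = 'AKIAIOSFODNN7EXAMPLE';"]
)


if __name__ == "__main__":
    found = scan_text("config.js", SAMPLE_CONFIG_JS)
    for f in found:
        print(f.locator())            # AWS access key ID at config.js:12
    record = to_storage_record(found)
    assert "AKIAIOSFODNN7EXAMPLE" not in record
    print(record)
```

The fingerprint is keyed rather than a bare hash on purpose: a stored SHA-256 of a short or guessable token is an offline oracle for anyone who later reads the findings table, while an HMAC under a key kept out of that table is not.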

SSRF-protected URL scans

Private, loopback, and link-local addresses are refused, with DNS-rebinding-safe resolution and strict timeouts.
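An added example, not Hullchecks' code, of those three checks in standard-library Python, with a constructed DNS table standing in for a real resolver. The name is resolved once, every answer must be a public address, and the connection is then made to that checked address while the original name is kept for the Host header and TLS verification. That last step is what defeats a rebinding server that answers with a public address on the first lookup and a loopback address on the second: there is no second lookup.

```python
"""SSRF guard for URL scans. Added example, not Hullchecks' own code; the
DNS table and host names below are constructed for the demo."""
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Carrier-grade NAT space; older Pythons don't report it as private.
_EXTRA_DENY = (ipaddress.ip_network("100.64.0.0/10"),)


def is_public(ip: str) -> bool:
    """True only for a globally routable unicast address."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    if any(addr in net for net in _EXTRA_DENY):
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_checked(host: str, port: int, resolver=socket.getaddrinfo) -> str:
    """Resolve once, refuse if *any* answer is non-public, return the one
    address to connect to. Decimal or hex IP spellings that ip_address rejects
    still go through the resolver, whose normalised answer is what gets checked."""
    try:
        addrs = {str(ipaddress.ip_address(host))}          # literal IP: no lookup
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}") from exc
        addrs = {info[4][0] for info in infos}
    if not addrs:
        raise ValueError(f"no addresses for {host}")
    blocked = sorted(a for a in addrs if not is_public(a))
    if blocked:
        raise ValueError(f"{host} resolves to non-public address {blocked[0]}")
    return sorted(addrs)[0]


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """TLS to a fixed IP while SNI and the certificate check use the name."""

    def __init__(self, ip: str, port: int, hostname: str, timeout: float):
        self._ctx = ssl.create_default_context()
        super().__init__(ip, port, timeout=timeout, context=self._ctx)
        self._server_hostname = hostname

    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        self.sock = self._ctx.wrap_socket(sock, server_hostname=self._server_hostname)


def open_pinned(url: str, resolver=socket.getaddrinfo, timeout: float = 5.0):
    """Connection to the checked address. The caller sets the Host header and
    must pass any redirect target through open_pinned again."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    ip = resolve_checked(parts.hostname, port, resolver)
    if parts.scheme == "http":
        return http.client.HTTPConnection(ip, port, timeout=timeout)
    return PinnedHTTPSConnection(ip, port, parts.hostname, timeout)


def url_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    """Pre-flight check before a URL scan is queued."""
    try:
        open_pinned(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table: a clean target, a rebinding-shaped answer set that
# mixes a public and a loopback address, and a cloud metadata look-alike.
FAKE_DNS = {
    "scan-target.example": ["8.8.8.8"],
    "rebind.example": ["1.1.1.1", "127.0.0.1"],
    "metadata.example": ["169.254.169.254"],
}


def fake_resolver(host, port, proto=0):
    """Stand-in for socket.getaddrinfo with the same call shape."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in ("https://scan-target.example/", "http://rebind.example/",
                "http://metadata.example/latest/meta-data/", "http://[::1]:8080/"):
        print(url, "allowed" if url_allowed(url, fake_resolver) else "refused")
```

The timeout passed to the connection bounds both connect and read. http.client does not follow redirects, which is the behaviour you want here: a 302 to an internal address is only harmless if the next hop is checked the same way as the first.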

Short retention

Uploaded code is deleted shortly after the scan. We don't hoard your source.

We pass our own checks

Hullchecks runs its own scanners on its own code in CI and scores an A. We'd be a poor security company if we didn't.

Responsible disclosure

Found a vulnerability in Hullchecks? Please tell us privately at security@hullchecks.com before disclosing it publicly. We'll acknowledge quickly, keep you posted on the fix, and credit you if you'd like.
