Privacy-First Architecture
Vibgrate is built with privacy-first principles. Here's what it never does:
| Category | Hard Guarantee |
|---|---|
| Source code | Never read beyond config/manifest files |
| Secrets | Never scanned for, never extracted |
| Environment values | Never read — only file existence flagged |
| Git identity | Never accessed — git log never invoked |
| File contents | Only structured config fields extracted |
| Network endpoints | Never parsed from config files |
What It Does Collect
- Package names and versions — from
package.json,.csproj, lockfiles - Config structure flags — e.g.
strict: truefrom tsconfig - File names and sizes — paths and metadata, never contents
- Public registry metadata — latest versions, deprecation flags
- CI/Docker/IaC presence — structural counts only
Max Privacy Mode
For sensitive environments:
vg scan --max-privacy
This:
- Runs minimal scanners
- Writes no local artifacts
- Disables high-context scanners
Offline Mode
For air-gapped environments:
vg scan --offline --package-manifest ./latest-packages.zip
No network calls are made.
No Local Artifacts
vg scan --no-local-artifacts
Suppresses .vibgrate/*.json output files.