Skip to main content
Reference

Privacy & Security

Understand exactly what Vibgrate reads, collects, and never accesses.

Privacy-First Architecture

Vibgrate is built with privacy-first principles. Here's what it never does:

CategoryHard Guarantee
Source codeNever read beyond config/manifest files
SecretsNever scanned for, never extracted
Environment valuesNever read — only file existence flagged
Git identityNever accessed — git log never invoked
File contentsOnly structured config fields extracted
Network endpointsNever parsed from config files

What It Does Collect

  • Package names and versions — from package.json, .csproj, lockfiles
  • Config structure flags — e.g. strict: true from tsconfig
  • File names and sizes — paths and metadata, never contents
  • Public registry metadata — latest versions, deprecation flags
  • CI/Docker/IaC presence — structural counts only

Max Privacy Mode

For sensitive environments:

vg scan --max-privacy

This:

  • Runs minimal scanners
  • Writes no local artifacts
  • Disables high-context scanners

Offline Mode

For air-gapped environments:

vg scan --offline --package-manifest ./latest-packages.zip

No network calls are made.

No Local Artifacts

vg scan --no-local-artifacts

Suppresses .vibgrate/*.json output files.

Related Documentation