Privacy & Security: What Vibgrate Does and Does Not Collect

A transparent guide to Vibgrate's privacy-first architecture — what data is collected, what is never collected, and how to use privacy modes.

Privacy-First Architecture

Vibgrate is built with a privacy-first design. The CLI scans your repository locally and never transmits source code, secrets, or PII.

What Vibgrate Never Does

Category             Hard Guarantee
Source code          Never read beyond config/manifest files
Secrets              Never scanned for, never extracted
Environment values   Never read — only .env file existence is flagged
Git identity data    Never accessed — git log is never invoked
File contents        Only structured config fields are extracted
Network endpoints    Never parsed from config files

What Vibgrate Does Collect

  • Package names and version numbers (from package.json, .csproj, lockfiles)
  • Config structure flags (e.g. strict: true from tsconfig.json)
  • File names and sizes (paths and metadata, never contents)
  • Public npm/NuGet registry metadata (latest versions, deprecation flags)
  • CI/Docker/IaC file presence and structural counts

Privacy Modes

Standard Mode

Collects all metadata listed above. Local artifacts are written to .vibgrate/.

vibgrate scan .

No Local Artifacts

Skips writing .vibgrate/*.json files to disk:

vibgrate scan . --no-local-artifacts

Max Privacy Mode

Hardened privacy mode with minimal scanners and no local artifacts:

vibgrate scan . --max-privacy

Offline Mode

Disables all network calls. No registry lookups, no upload/push:

vibgrate scan . --offline --package-manifest ./latest-packages.zip

Dashboard Uploads

Dashboard upload is always optional. When you do push results:

  • Only the scan artifact (dependency metadata, scores, findings) is transmitted
  • Data is encrypted in transit (HTTPS)
  • Data residency is configurable (US or EU)
  • No source code, secrets, or file contents are ever included

Air-Gapped Environments

For fully disconnected environments:

  1. Download the latest package manifest from https://github.com/vibgrate/manifests/latest-packages.zip
  2. Transfer it to your air-gapped network
  3. Run:
     vibgrate scan . --offline --package-manifest ./latest-packages.zip

This gives you full drift scoring without any network connectivity.

Related Commands