Privacy & Security: What Vibgrate Does and Does Not Collect

Privacy-First Architecture

Vibgrate is built with a privacy-first design. The CLI scans your repository locally and never transmits source code, secrets, or PII.

What Vibgrate Never Does

What Vibgrate Does Collect

• Package names and version numbers (from package.json, .csproj, lockfiles)
• Config structure flags (e.g. strict: true from tsconfig.json)
• File names and sizes (paths and metadata, never contents)
• Public npm/NuGet registry metadata (latest versions, deprecation flags)
• CI/Docker/IaC file presence and structural counts

Privacy Modes

Standard Mode

Collects all metadata listed above. Local artifacts are written to .vibgrate/.

vibgrate scan .

No Local Artifacts

Skips writing .vibgrate/*.json files to disk:

vibgrate scan . --no-local-artifacts

Max Privacy Mode

Hardened privacy mode with minimal scanners and no local artifacts:

vibgrate scan . --max-privacy

Offline Mode

Disables all network calls. No registry lookups, no upload/push:

vibgrate scan . --offline --package-manifest ./latest-packages.zip

Dashboard Uploads

Dashboard upload is always optional. When you do push results:

• Only the scan artifact (dependency metadata, scores, findings) is transmitted
• Data is encrypted in transit (HTTPS)
• Data residency is configurable (US or EU)
• No source code, secrets, or file contents are ever included

Air-Gapped Environments

For fully disconnected environments:

1. Download the latest package manifest from https://github.com/vibgrate/manifests/latest-packages.zip
2. Transfer it to your air-gapped network
3. Run:

vibgrate scan . --offline --package-manifest ./latest-packages.zip

This gives you full drift scoring without any network connectivity.