DeepScan Security

We understand your code is extremely important to you and your business. We are trying to be very protective of it and this page describes how we ensure your code is safe. If you have any questions, please contact us.

Last revised on March 31, 2023

Physical Security

Our systems are hosted in data centers managed by Amazon Web Services.

For more information see https://aws.amazon.com/security/.

System and Operational Security

  • Systems access logged and tracked for auditing purposes
  • Firewall to help block unauthorized system access

Communications

Connection with the DeepScan website is encrypted over HTTPS and all data is always transmitted over SSL. Source code is transmitted over HTTPS and DeepScan (as a static analysis tool) never executes the source code of users.

DeepScan never stores passwords for external applications like GitHub. Integration with external apps is done via OAuth.

File System

After an analysis, we immediately and completely delete user code from our file system.

As for the database, we store only metrics gathered from the code:

  • Grade, current merged issues for the project, detected issues for each analysis, and issue statuses
  • An issue mainly includes impact, message, location, and code fragment

Repository cloning

Your repositories are cloned into our file system with an HTTPS connection.

Once the analysis is finished, the code is directly deleted from our file system.

Encryption

We do not encrypt repositories on disk because it would not increase security. The website would need to decrypt the repositories, slowing down operations and response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.

Deletion

Gathered metrics in the database are stored on the server until deleted by the user. You can delete your data at any time by deleting the repository or by deleting the account itself.

When you delete your project or account, we immediately delete data from our database. Also, we delete webhooks we added to your GitHub repository.

Demo and editor plugins

The demo and the public VS Code extension work with our server.

We store the source content transmitted to the server as a temporary file, and the file is completely deleted right after the inspection. Unlike a normal analysis, we never save a derivative result to the database.

We also provide standalone editor plugins and a CLI in DeepScan Enterprise, which require no code transmission.

Contact Us

Have a question or concern about DeepScan security? Please contact us.