Built for Trust
VettCode is privacy-first by design. Your source code never leaves your machine. Reports are cryptographically signed and independently verifiable.
Privacy Architecture
When you run the VettCode scanner locally, here's exactly what stays on your machine and what gets transmitted.
Source code: Never read or uploaded — stays on your machine
File paths & names: Shown in terminal output only — never included in scan JSON
Secrets & credentials: Never captured, hashed, or transmitted
Terminal output: Ephemeral — displayed locally for your review, never uploaded
Scan hash + nonce: Sent to VettCode API for co-signing (no code or metrics)
Scan JSON: Hashes and aggregate metrics only — uploaded when you choose to generate a report
Ed25519 Digital Signatures
Every VettCode report is cryptographically signed using Ed25519 — the same algorithm used by SSH keys and blockchain systems. This guarantees reports are tamper-evident and authentic.
Scanner Signature
The scanner signs the scan JSON with its embedded Ed25519 key. This proves the scan was produced by an official VettCode scanner.
Platform Co-Sign
During scanning, a hash and nonce are sent to VettCode's API. The platform co-signs, adding a second layer of verification.
Report Signature
The final report is signed with VettCode's platform key (stored in GCP Secret Manager). Keys are rotated annually.
Canonicalization
All signed payloads use RFC 8785 (JSON Canonicalization Scheme) — lexicographic key ordering, no whitespace, explicit nulls. This ensures byte-identical representations across platforms for consistent signature verification.
Three Verification Levels
Every report carries a verification level so buyers know exactly how the scan was performed and what level of trust it carries.
Self-Reported
Trust level: Basic
CLI scan run with the --offline flag. No co-signing. Seller provides company name at upload.
Buyer sees:
“Self-Reported — Not Co-Signed by VettCode. This scan was run offline and has not been independently verified.”
VettCode Co-Signed
Trust level: Standard
Default CLI scan. During scanning, a hash and nonce are sent to VettCode's API for co-signing. Forging a scan requires compromising both the scanner key and platform infrastructure.
Buyer sees:
“This scan was run by the seller and co-signed by VettCode's platform.”
VettCode Verified
Trust level: Highest
Scan initiated via connected GitHub or GitLab account. VettCode verifies the seller has admin/maintain access to the repositories via the provider's API.
Buyer sees:
“This scan was performed by VettCode's cloud infrastructure using the seller's connected account. VettCode verified admin/maintain access to these repositories.”
Public Verification
Every signed report includes a public verification link. Anyone — buyers, investors, board members — can independently confirm a report is genuine and unmodified. No VettCode account required.
For Sellers
Share your verification link with buyers alongside the report. It proves you haven't modified the results and builds trust in the deal process.
For Buyers
Click the verification link to independently confirm the report is authentic. See the report ID, date, scanner version, and signature status — no sign-up needed.
Git Provider & Deep Scan Privacy
GitHub & GitLab Connected Scans
When you connect a Git provider, VettCode clones your code to an ephemeral container within our GCP infrastructure. The scan runs, results are generated, and the code is deleted immediately. Your source code never reaches any third party.
Deep Scan Transparency
Deep scans use Anthropic's Claude API for AI-powered analysis. This means your source code is sent to Anthropic for processing. Anthropic does not use your code for training, and it is not stored after processing. Deep scans require explicit seller approval before any code is shared.
Data Flow Summary
Local CLI scan: Only scan hash + nonce sent for co-signing. No code, no metrics, no file names.
Git provider scan: Code cloned to ephemeral container within VettCode's infrastructure. Deleted after scan. No third parties.
Deep scan: Code sent to Anthropic Claude API. Not stored or used for training. Requires seller consent.
Questions about our security practices?
Read the full guide for detailed documentation, or download the scanner and see for yourself.