Trust center

Built for sensitive repositories and practical security reviews

CodeDig analyzes pull requests where engineering decisions happen. This page describes the current security posture plainly, including what is implemented now and what is still on the roadmap.

Ephemeral analysis environments

Repositories are cloned into isolated analysis jobs. Raw source code is not retained after the analysis window completes.

Metadata retention only

CodeDig persists analysis results such as risk scores, dependency metadata, findings, and audit events—not full repository contents.

Encrypted in transit and at rest

Traffic uses TLS, and retained analysis metadata is encrypted at rest. Tokens and credentials are stored using hardened secret-handling paths.

Scoped integration access

GitHub access is scoped to the repositories and permissions needed to analyze pull requests, create checks, and post review comments.

Current security posture

These are current-position statements, not future compliance promises. Enterprise security reviews can request more detail through the security contact.

No raw source-code retention after the analysis window.

Webhook signature verification for GitHub events.

Role-based access controls and scoped API keys for product access.

Third-party AI providers are not permitted to use submitted code for model training under our configured usage terms.

SOC 2 readiness work is in progress; CodeDig is not claiming completed SOC 2 certification today.
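
The webhook-verification statement above is the one item in this list with a concrete mechanism behind it. The following receiver-side check is an added example, not CodeDig's own code: GitHub signs each delivery with HMAC-SHA256 over the raw request body using the secret configured on the webhook and sends the result in the X-Hub-Signature-256 header as sha256=<hex>. The secret, the payload and the handler's event filtering are assumptions made for the example; the header names are GitHub's documented ones.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

# Constructed secret and payload for this example only. In a real receiver the
# secret is the one configured on the GitHub webhook and the body is the exact
# bytes that arrived on the wire.
WEBHOOK_SECRET = b"constructed-example-secret-do-not-reuse"
RAW_BODY = b'{"action":"opened","number":42,"repository":{"full_name":"example/repo"}}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Build the value GitHub places in X-Hub-Signature-256 (used here to simulate a delivery)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid HMAC-SHA256 over the exact bytes of body."""
    if not header_value:
        return False
    scheme, _, received_hex = header_value.partition("=")
    if scheme != "sha256" or not received_hex:
        # Only the SHA-256 header is accepted; the legacy SHA-1 X-Hub-Signature is rejected.
        return False
    expected_hex = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return hmac.compare_digest(expected_hex.encode(), received_hex.encode())


def handle_webhook(headers: Mapping[str, str], body: bytes,
                   secret: bytes = WEBHOOK_SECRET) -> Tuple[int, str]:
    """Verify first, parse JSON only after the signature checks out (assumed handler shape)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, body, lowered.get("x-hub-signature-256")):
        return 401, "invalid or missing X-Hub-Signature-256"
    event = lowered.get("x-github-event", "")
    if event != "pull_request":
        return 204, f"ignored event {event!r}"
    payload = json.loads(body)
    return 200, f"accepted {event} #{payload.get('number')}"


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, RAW_BODY),
            "X-GitHub-Event": "pull_request"}
    print(handle_webhook(good, RAW_BODY))
    # Re-serialising the parsed JSON changes the bytes (spacing), so a signature computed over
    # anything other than the raw body will never match what GitHub signed.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    print(handle_webhook(good, reserialised))
```

Two details matter in practice: the HMAC must be computed over the raw request bytes before any JSON parsing or framework re-encoding, and the comparison must be constant-time. A receiver that accepts the SHA-1 header or compares with == weakens the check even when the secret is strong.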

Governance and audit support

CodeDig can help teams retain PR-level risk signals, findings, thresholds, and reviewer decisions. That evidence can support internal engineering governance and security reviews, but it should not be read as a completed compliance certification.

Compliance roadmap

SOC 2 readiness work is in progress; we will update public claims when an audit is complete. Until then, CodeDig uses conservative language about its controls and security posture.